/*******************************************************************\
* Windows NT / 9x Long File Names Vulnerable (AGAIN)                *
*                                                                   *
* OS: All Win32 w/long filename support                             *
* Risk: high / extremely high                                       *
* Affected Products:                                                *
*   Microsoft IIS 4.0 (w/o SP4/5?), Serv-U FTP Server, Xitami,      *
*   vqServer, and many more web/ftp servers                         *
\*******************************************************************/

-- B A C K G R O U N D --

While testing IIS security, I was able to locate an old flaw which is
still present in many server services on Win32. The problem deals with a
compatibility issue with the old Win16/DOS file naming system known as
the 8.3 naming system. Files using the 8.3 naming system consist of 8
characters followed by a period (.) and a 3 character extension, thus
giving a name of "8.3".

-- S U M M A R Y --

Many products in use today are still affected heavily by this ancient
limit.

* IIS

Even though IIS is "fixed", the problem has "naturally" occurred on one
of my servers even after SP5 was installed.

Microsoft Internet Information Server 4.0 allows privileges to be
inherited from parent directories instead of the requested directory if
the requested directory is a long file name.

EXAMPLE:
  C:\inetpub\wwwroot\                 (directory listing enabled)
  C:\inetpub\wwwroot\subdirectory\    (listing _disabled_)

  REQUEST http://server/subdirectory/   (denied error msg)
  REQUEST http://server/subdir~1/       (listing of directory)

* SERV-U FTP (www.cat-soft.com / www.ftpserv-u.com)

Certain commands in Serv-U are not properly validated with the access
control list. Rob Beckers (rob@cat-soft.com) has been notified of the
issue.

* VQSERVER (http://www.vqsoft.com/)

Steve Shering (mailto:s.sheringat_private) has been notified in advance
of this release via email. This issue is very similar to the IIS issue.
* XITAMI web server

-- D E T A I L S --

IIS / PWS --

Although this is not a major security problem for most, remote systems
security is compromised as scripts can be executed and file listings
displayed (although security never truly existed on the "security
through obscurity" model... *hint*hint* Microsoft....)

* Service Pack 4/5 seems to fix this, but I have had it
* occur after installing other software, so after
* installing any package make sure you re-apply a service
* pack.

IIS privileges are inherited from parent directories. Virtual
directories are not affected as they are VIRTUAL!

Risk: extremely high

How to reproduce: (do not perform this live on the Internet...)

1) mkdir C:\inetpub\wwwroot\subdirectory\
2) mkdir C:\inetpub\wwwroot\subdirectory\subdirectory2\
3) set "C:\inetpub\wwwroot\subdirectory\" privileges to listing
4) set "C:\inetpub\wwwroot\" privileges to no listing
5) request "http://localhost/subdir~1/"
   (you will see a listing for "subdirectory2")

Serv-U --

Serv-U 2.5a has two known improperly checked commands. "cwd" and "site
exec" both do not check the specified path against the access lists
properly.

Risk: high

How to reproduce:

1) mkdir C:\tmphome
2) mkdir C:\tmphome\longsubdir\
3) set permissions for "C:\tmphome\" for execute
4) set permissions for "C:\tmphome\longsubdir\" _NO_ execute
5) place an exe in "C:\tmphome\longsubdir\"
6) Login to Serv-U
7) run command "site exec C:\tmphome\longsu~1\exename.exe"
8) It's running.

** Rob Beckers has told me a fix is in the works.

vqServer --

This "exploit" is so similar to the IIS problem, you can go figure it
out by yourself.

Xitami -- (http://www.imatix.com/ -- infoat_private)

Imatix has been notified via email.
Tested on: Xitami v2.4d2

There are probably numerous other services from other vendors affected.
This has been a long known problem on Win32.
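The IIS and Serv-U cases share one root cause: the access check is keyed on the long path the administrator configured, while the filesystem also answers to the 8.3 alias, so a request for the alias misses the entry and falls through to the parent's more permissive setting. The following is an added example (not the advisory's code) of the canonicalise-then-check fix the Developers section asks for: the directory tree, ACL and 8.3 alias generation are simulated in-process (constructed) so it runs anywhere, where a real Win32 server would resolve aliases with GetLongPathNameW(); it also folds case, which a literal string lookup would equally miss.

```python
# Added example (not the advisory's code): resolve Win32 8.3 aliases to long
# names *before* the per-directory ACL lookup. Tree, ACL and alias generation
# are simulated (constructed); a real Win32 server would use GetLongPathNameW().
import re
from posixpath import normpath

# Constructed tree and ACL mirroring the advisory's IIS EXAMPLE:
# listing allowed at the web root, denied on the long-named subdirectory.
TREE = {"/", "/subdirectory", "/subdirectory/subdirectory2", "/images"}
ACL = {"/": {"listing": True}, "/subdirectory": {"listing": False}}

def short_component(name):
    """Simulated 8.3 alias: keep 8.3-compliant names; else six alphanumerics + '~1' (+ext)."""
    if re.fullmatch(r"[A-Za-z0-9_]{1,8}(\.[A-Za-z0-9_]{1,3})?", name):
        return name.upper()
    stem, _, ext = name.partition(".")
    alias = re.sub(r"[^A-Za-z0-9]", "", stem).upper()[:6] + "~1"
    return alias + ("." + ext[:3].upper() if ext else "")

def build_alias_map(tree):
    """Per directory: each child's 8.3 alias and case-folded long name -> long name."""
    aliases = {}
    for path in tree - {"/"}:
        parent, _, name = path.rpartition("/")
        children = aliases.setdefault(parent or "/", {})
        children[short_component(name).lower()] = name
        children[name.lower()] = name
    return aliases

def canonicalize(request_path, aliases):
    """Walk the request one component at a time, replacing aliases with long names."""
    cur, parts = "/", []
    for comp in filter(None, normpath(request_path).split("/")):
        parts.append(aliases.get(cur, {}).get(comp.lower(), comp))
        cur = "/" + "/".join(parts)
    return cur

def listing_allowed_naive(request_path):
    """Flawed lookup per the advisory: literal path, inheriting the parent's entry on a miss."""
    path = normpath(request_path)
    while path not in ACL and path != "/":
        path = path.rpartition("/")[0] or "/"
    return ACL[path]["listing"]

def listing_allowed_fixed(request_path, aliases):
    """Same inheritance walk, but on the canonical long path."""
    return listing_allowed_naive(canonicalize(request_path, aliases))

ALIASES = build_alias_map(TREE)
```

With the naive lookup, "/subdir~1/" is missing from the ACL and inherits the root's permission, while the fixed lookup resolves it to "/subdirectory" first and denies the listing.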
Please read: http://www.securityfocus.com/templates/advisory.html?id=179

  "IIS 4.0 and PWS 4.0 maintain certain configuration information about
  directories and files in a database called the metabase. The metabase
  does not contain file permissions, but rather Web server-specific
  information such as requiring SSL encryption, proxy cache setting, and
  PICS ratings. Actual file and directory permissions are enforced by
  NTFS and are not affected by this problem."

Now this bulletin also states "Microsoft IIS 4.0 and PWS 4.0 with the
appropriate patch are not vulnerable." Anyone care to post the URL for
this "patch" that I haven't seen?

-- W H A T   T O   D O --

Administrators:

You have 5 choices:
1) Run Apache. A proven web server. :)
2) Wait for vendor patches
3) Dial 911 and tell them somebody is breaking into your site
4) Unplug your computer and lock it in a sealed room
5) Don't run Windows as long as it maintains 8.3 support

Developers:

Write two functions: getLongName() and getShortName() ... you figure the
rest out, it's not too hard. API works...

-- O T H E R   N O T E S --

Apache (Win32 port) does _NOT_ appear to be affected.
Sambar WWW Server is not affected.

Netscape previously fixed this problem (from the CERT):
  Enterprise Server 3.51 - not vulnerable
  Enterprise Server 3.0  - A patch has been created to fix the problem.
  FastTrack Server 2.01  - A patch has been created to fix the problem.
  FastTrack Server 3.01  - A patch has been created to fix the problem.

-- P E R S O N A L   R A N T --

Anyone can pull numbers out of their butt, and Microsoft has done it,
AGAIN! Comparing Linux to Windows NT, look at:
http://www.microsoft.com/ntserver/nts/exec/compares/ntlinux.asp

  "680 percent better as a Web server"
  "623 percent better Web server price/performance"

Isn't Linux/Apache free? I would like to publicly ask Microsoft to
remove this "report" from their site as it is very inaccurate.

Microsoft, any beta programs open that I can get on? :)

--
x-empt
lvhc@urban-a.net
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:56:15 PDT