Re: /_vti_bin/_vti_aut/dvwssr.ddl

From: Michael Katz (mikeat_private)
Date: Sun Jun 16 2002 - 18:03:02 PDT

    At 6/16/2002 11:19 AM, Armish wrote:
    
    >When I was testing one of my PCs about security, the program found a vuln. about
    >/_vti_bin/_vti_aut/dvwssr.ddl. What is this file? How can it become a
    >risk? How can I close this hole? (Too many questions, ha? :) ....)
    >Thanks for all answers...
    
    Armish,
    
    According to rain forest puppy's advisory at 
    http://www.wiretrip.net/rfp/p/doc.asp/i2/d45.htm, "The NT 4 Option Pack 
    ships with a particular ISAPI .dll in
    /_vti_bin/_vti_aut/ named dvwssr.dll, which is mixed in with the Microsoft 
    FrontPage extensions (the version I have is 3.0.2.1105). This particular 
    .dll allows you to read .asp (and .asa) files under the web root, providing 
    you know the 'password' (obfuscated encoding scheme) of which to ask 
    it.  And, as implied by the title, the constant key used in the encoding is 
    "Netscape engineers are weenies!"."
    
    Although there was some dispute about the encoding key, Microsoft issued 
    Security Bulletin MS00-025, which is at 
    http://www.microsoft.com/technet/security/bulletin/MS00-025.asp, which 
    states, "Dvwssr.dll is a server-side component used to support the Link 
    View feature in Visual Interdev 1.0. However, it contains an unchecked 
    buffer. If overrun with random data, it could be used to cause an affected 
    server to crash, or could allow arbitrary code to run on the server in a 
    System context."
    
    You can close the hole by deleting the file, as is recommended by 
    Microsoft.  The only functionality lost is the "ability to generate link 
    views of .asp pages using Visual Interdev 1.0."
    
    Michael Katz
    mikeat_private
    Procinct Security
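
A defender-side check for the file named above and for requests that reached it, as an added example that is not part of the original message. It walks a web root for dvwssr.dll under /_vti_bin/_vti_aut/ and scans W3C extended-format log lines for hits on that path; the function names, the log fields used and the sample log lines are assumptions constructed for illustration.

```python
import os
from urllib.parse import unquote

# Path from the advisory quoted in the message, compared case-insensitively.
TARGET = "/_vti_bin/_vti_aut/dvwssr.dll"

def find_dvwssr(web_root):
    """Return files under web_root whose relative path ends in TARGET (any case)."""
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, web_root).replace(os.sep, "/")
            if rel.lower().endswith(TARGET):
                hits.append(full)
    return sorted(hits)

def requests_for_dvwssr(log_lines):
    """Return one record per log entry whose URI stem targets the DLL."""
    fields, out = [], []
    for line in log_lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Decode %xx escapes and normalise slashes and case before comparing.
        stem = unquote(row.get("cs-uri-stem", "")).replace("\\", "/").lower()
        if stem.endswith(TARGET):
            query = row.get("cs-uri-query", "-")
            out.append({"ip": row.get("c-ip"), "status": row.get("sc-status"),
                        "query_len": 0 if query == "-" else len(query)})
    return out

# Constructed sample log (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    "#Version: 1.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2002-06-16 18:01:10 192.0.2.10 GET /default.asp - 200",
    "2002-06-16 18:01:12 198.51.100.7 GET /_vti_bin/_vti_aut/dvwssr.dll - 404",
    "2002-06-16 18:01:15 198.51.100.7 GET /_VTI_BIN/_vti_aut/DVWSSR.DLL abc 200",
    "2002-06-16 18:01:20 192.0.2.10 GET /_vti_bin/%5Fvti_aut/dvwssr%2Edll - 200",
]

if __name__ == "__main__":
    for hit in requests_for_dvwssr(SAMPLE_LOG):
        print(hit)
```

A path returned by `find_dvwssr` is a candidate for the deletion the message recommends, and a non-404 status in the log records means the DLL was still present when the request arrived.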
    



    This archive was generated by hypermail 2b30 : Sun Jun 16 2002 - 20:17:35 PDT