Full Disclosure mailing list archives
Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin
From: king cope <isowarez.isowarez.isowarez () googlemail com>
Date: Tue, 17 Jul 2012 16:11:14 +0200
Hello Jan, I did some additional tests for the IIS bugs. * IIS 6.0 PHP authentication bypass is only possible on Windows Server 2003 SP1. SP2 seems unaffected So take that bug as resolved, my mistake as I didn't have a fully patched system online when testing. * For the IIS Classic ASP authentication bypass follow the following steps to reproduce it: * Install .NET Framework 4.0 * Configure the Application pools to use .NET Framework 4 * Create a folder for the current website and put an ASP file inside the folder * disabled anonymous authentication on that folder and activate one of the authentication types other than form based authentication * open the handler mappings in the current website pane, set ASP classic file type to unspecified. This is important and I had omitted it in the past advisory. It took me some time to find out that "Invoke handler only if request is mapped to" must be unchecked in the handler mappings for ASP Classic * Use Google Chrome or Mozilla Firefox for testing as a client, IE9 will somehow deny the request. * Request http://<host>/<securefolder>::$INDEX_ALLOCATION/<aspfile>.asp If you follow these configuration settings you will see the asp file being executed without supplying credentials, even on Windows Server 2008 installations. You can see this illustrated in the attachment i created. Now to the ASP .NET source code disclosure... Thanks for the workarounds using Rewrite engines. I want to mention that the lines: <add input="{URL}" pattern="^/(.*\.aspx)/(.*\.php)$" /> RewriteCond %{REQUEST_URI} ^/(.*\.aspx)/(.*\.php)$ [NC] for the rewrite engine are insufficient, because other extensions can be affected too, like .cs for example. Sorry for not clarifying correctly what the setup has to be for the bugs to show up in the first place. Have a nice day, Kingcope 2012/7/17 Jan Reilink <janreilink () vevida com>:
[Hope this doesn't get double posted, removed bugtraq () securityfocus com] Hi, Op 16-7-2012 19:24, king cope schreef:Hi Lists,[...]The posting included some important bugs in the Internet Information Services, one of their flagship products: http://seclists.org/fulldisclosure/2012/Jun/189Nice find. Somehow I missed your e-mail from the 10th of June... Anyway, a proper configured IIS web server has its Request Restrictions (resourceType) set to 'File' in the PHP handler. Having this not configured, it can give you some nasty error messages ("No input file specified", if the requested file doesn't exist) If not configured, fix it with appcmd: appcmd set config /section:system.webServer/handlers "-+[name=`'PHP`',path=`'*.php`',verb=`'*`',modules=`'FastCgiModule`',scriptProcessor=`'path\to\php-cgi.exe`',resourceType=`'File`']" if you're unable to (maybe because you're a user, not an admin), you can deny certain URL sequences using IIS URL Rewrite or Helicon ISAPI_Rewrite: RewriteEngine On # DenyPHPafterASPX RewriteCond %{REQUEST_URI} ^/(.*\.aspx)/(.*\.php)$ [NC] RewriteRule .? / [F,L] <rewrite> <rules> <rule name="DenyPHPafterASPX" stopProcessing="true"> <match url=".?" ignoreCase="false" /> <conditions logicalGrouping="MatchAll"> <add input="{URL}" pattern="^/(.*\.aspx)/(.*\.php)$" /> </conditions> <action type="CustomResponse" url="/" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" /> </rule> </rules> </rewrite> these are workarounds, not fixes. I can't reproduce authentication bypass vulnerabilities you mention. Also, there is more than one way to password protect a directory. Did you disable 'anonymous authentication' in IIS 6.0/7.5, or did you remove or deny IUSR-user NTFS permissions on the file system? Regards, Jan Reilink VEVIDA Services http://vevida.com
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin king cope (Jul 16)
- Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Григорий Братислава (Jul 16)
- Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Thor (Hammer of God) (Jul 16)
- Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Григорий Братислава (Jul 16)
- Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin king cope (Jul 16)
- Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Григорий Братислава (Jul 16)
- Message not available
- Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Григорий Братислава (Jul 16)
- Message not available
- Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Григорий Братислава (Jul 16)
- Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Thor (Hammer of God) (Jul 16)
- Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Григорий Братислава (Jul 16)
- Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Григорий Братислава (Jul 17)
- Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin king cope (Jul 17)
- Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Григорий Братислава (Jul 17)
- Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Gage Bystrom (Jul 17)
- Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Григорий Братислава (Jul 17)
- Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Gage Bystrom (Jul 17)
- Message not available
- Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Григорий Братислава (Jul 17)
- Message not available
- Message not available
- Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Григорий Братислава (Jul 17)