Bugtraq mailing list archives

Win32 File Naming (again)


From: lvhc () URBAN-A NET (x-empt [ lvhc / lou ])
Date: Sat, 14 Aug 1999 13:58:38 -0700


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

/*******************************************************************\
* Windows NT / 9x Long File Names Vulnerable (AGAIN)                *
*                                                                   *
* OS: All Win32 w/long filename support                             *
* Risk: high / extremely high                                       *
* Affected Products:                                                *
*    Microsoft IIS 4.0 (w/o SP4/5?), Serv-U FTP Server, Xitami,     *
*    vqServer, and many more web/ftp servers                        *
\*******************************************************************/

-- B A C K G R O U N D --

While testing IIS security, I was able to locate an old flaw which is
still present in many server services on Win32. The problem deals
with a compatibility issue with the old Win16/DOS file naming system
known as the 8.3 naming system.

Files using the 8.3 naming system consist of up to 8 characters
followed by a period (.) and an extension of up to 3 characters, thus
giving a name of "8.3". Win32 file systems with long file name support
still generate an 8.3 alias (e.g. SUBDIR~1 for "subdirectory") for
every name that does not fit the old format, so the same file or
directory can be opened under either name.

-- S U M M A R Y --

Many products in use today are still heavily affected by this ancient
limit.

 * IIS

   Even though IIS is "fixed", the problem has "naturally" occurred on
   one of my servers even after SP5 was installed.

      Microsoft Internet Information Server 4.0 allows privileges
      to be inherited from parent directories instead of from the
      requested directory when a directory that has a long file name
      is requested by its 8.3 alias.

      EXAMPLE:
           C:\inetpub\wwwroot\ (directory listing enabled)
           C:\inetpub\wwwroot\subdirectory\ (listing _disabled_)
           REQUEST http://server/subdirectory/
               (denied error msg)
           REQUEST http://server/subdir~1/
               (listing of directory)

 * SERV-U FTP (www.cat-soft.com / www.ftpserv-u.com)
      Certain commands in Serv-U are not properly validated against
      the access control list.
      Rob Beckers (rob () cat-soft com) has been notified of the issue

 * VQSERVER (http://www.vqsoft.com/)
      Steve Shering (mailto:s.shering () vqSoft com) has been notified
      in advance of this release via email.  This issue is very
      similar to the IIS issue.

 * XITAMI web server

-- D E T A I L S --

 IIS / PWS -- Although this is not a major security problem for most,
       remote system security is compromised, as scripts can be
       executed and file listings displayed in directories where they
       were meant to be denied (although security never truly existed
       on the "security through obscurity" model... *hint* *hint*
       Microsoft....)

            * Service Pack 4/5 seems to fix this, but I have had it
            * occur after installing other software, so after
            * installing any package make sure you re-apply a service
            * pack.

       IIS privileges are inherited from parent directories.
       Virtual directories are not affected, as they are VIRTUAL: the
       name in the URL is not a directory name on disk, so it has no
       8.3 alias to request.

       Risk: extremely high
       How to reproduce:
         (do not perform this live on the Internet...)
         1) mkdir C:\inetpub\wwwroot\subdirectory\
         2) mkdir C:\inetpub\wwwroot\subdirectory\subdirectory2\
         3) set "C:\inetpub\wwwroot\subdirectory\" privileges to
            listing
         4) set "C:\inetpub\wwwroot\" privileges to no listing
         5) request "http://localhost/subdir~1/"
         (you will see a listing for "subdirectory2")

    Serv-U -- Serv-U 2.5a has two known improperly checked commands.
       "cwd" and "site exec" both fail to check the specified
       path against the access lists properly when it is given in
       8.3 form.

       Risk: high
       How to reproduce:
         1) mkdir C:\tmphome
         2) mkdir C:\tmphome\longsubdir\
         3) set permissions on "C:\tmphome\" to allow execute
         4) set permissions on "C:\tmphome\longsubdir\" to _NO_
            execute
         5) place an .exe in "C:\tmphome\longsubdir\"
         6) log in to Serv-U
         7) run the command "site exec C:\tmphome\longsu~1\exename.exe"
         8) it runs.

       ** Rob Beckers has told me a fix is in the works.

  vqServer -- This "exploit" is so similar to the IIS problem that
       you can figure it out by yourself.

    Xitami -- (http://www.imatix.com/ -- info () imatix com)
       Imatix has been notified via email.
       Tested on: Xitami v2.4d2

Numerous other services from other vendors are probably affected.
This has been a long-known problem on Win32.  Please read:
http://www.securityfocus.com/templates/advisory.html?id=179

  "IIS 4.0 and PWS 4.0 maintain certain configuration information
  about directories and files in a database called the metabase.
  The metabase does not contain file permissions, but rather Web
  server-specific information such as requiring SSL encryption,
  proxy cache setting, and PICS ratings. Actual file and directory
  permissions are enforced by NTFS and are not affected by this
  problem."

 Now this bulletin also states "Microsoft IIS 4.0 and PWS 4.0 with the
 appropriate patch are not vulnerable."  Anyone care to post the URL
 for this "patch" that I haven't seen?

-- W H A T   T O   D O --
Administrators:
 You have 5 choices:
 1) Run Apache.  A proven web server.  :)
 2) Wait for vendor patches
 3) Dial 911 and tell them somebody is breaking into your site
 4) unplug your computer and lock it in a sealed room
 5) Don't run Windows as long as it maintains 8.3 support

Developers:
 Write two functions: getLongName() and getShortName(), and check the
 long form of every requested path against your access lists.
  ... you figure the rest out, it's not too hard.  The API works...
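As an added example, not code from the original post or from any of the vendors named above: the Python below models the failure described in the DETAILS section (an access list keyed on long directory names, a request that names the same directory by its 8.3 alias and therefore falls through to the parent's rights, as in the IIS "subdir~1" and Serv-U "longsu~1" cases) next to the canonicalisation this Developers note asks for. The directory trees and access lists are constructed sample data following the SUMMARY example (listing allowed at the root, denied in the subdirectory); the short-name rule approximates the NTFS 8.3 scheme (six characters of the cleaned stem, "~N" until unique, three characters of extension) and omits the hash form NTFS uses after repeated collisions; the function names are the example's own.

```python
"""Model of the 8.3-alias access-list bypass and the long-name fix.

Added example, not code from the original post or any vendor. The
trees and ACLs are constructed sample data; get_short_name() is an
approximation of NTFS 8.3 generation, not the real algorithm.
"""
from __future__ import annotations
import re

_SEP = re.compile(r"[\\/]+")                        # accept / and \ separators
_NOT_83 = re.compile(r"[^A-Z0-9_$~!#%&'()@^`{}-]")  # chars illegal in 8.3 names


def _clean(part: str) -> str:
    """Upper-case, drop spaces and dots, replace other illegal chars with '_'."""
    return _NOT_83.sub("_", part.upper().replace(" ", "").replace(".", ""))


def get_short_name(long_name: str, taken: set[str]) -> str:
    """8.3 alias for long_name, unique against aliases already in 'taken'."""
    if "." in long_name[1:]:
        stem, ext = long_name.rsplit(".", 1)
    else:
        stem, ext = long_name, ""
    if (len(stem) <= 8 and len(ext) <= 3
            and _clean(stem) == stem.upper() and _clean(ext) == ext.upper()):
        return long_name.upper()          # already valid 8.3: no separate alias
    s_stem, s_ext = _clean(stem), _clean(ext)[:3]
    for n in range(1, 10000):
        tail = f"~{n}"
        alias = s_stem[:8 - len(tail)] + tail + (f".{s_ext}" if s_ext else "")
        if alias not in taken:
            return alias
    raise RuntimeError("8.3 alias space exhausted")


def alias_map(entries: dict) -> dict[str, str]:
    """Map every 8.3 alias in one directory to the long name it stands for."""
    taken = {name.upper() for name in entries}  # existing names occupy their slots
    out: dict[str, str] = {}
    for name in sorted(entries, key=str.lower):  # creation order modelled as sorted
        alias = get_short_name(name, taken)
        taken.add(alias)
        out[alias] = name
    return out


def get_long_name(path: str, tree: dict) -> str | None:
    """Resolve each component (long form or 8.3 alias, any case) to the long
    name stored in 'tree' (dict = directory, None = file); None if absent."""
    node, resolved = tree, []
    for comp in (c for c in _SEP.split(path) if c):
        if not isinstance(node, dict):            # descending into a file
            return None
        long = next((n for n in node if n.upper() == comp.upper()), None)
        if long is None:
            long = alias_map(node).get(comp.upper())
        if long is None:
            return None
        resolved.append(long)
        node = node[long]
    return "/" + "/".join(resolved)


def effective_right(path: str, acl: dict[str, bool]) -> bool:
    """Most specific entry wins; a path without an entry inherits from its
    parent, which is how the post describes IIS behaving. Default: deny."""
    parts = [p.lower() for p in _SEP.split(path) if p]
    while True:
        key = "/" + "/".join(parts)
        if key in acl:
            return acl[key]
        if not parts:
            return False
        parts.pop()


def vulnerable_authorize(request: str, acl: dict[str, bool]) -> bool:
    """Checks the path as the client spelled it: an 8.3 alias never matches
    the long-name entry, so the parent's rights are inherited."""
    return effective_right(request, acl)


def hardened_authorize(request: str, tree: dict, acl: dict[str, bool]) -> bool:
    """Canonicalise to the long name first, then check; unknown paths denied."""
    canonical = get_long_name(request, tree)
    return False if canonical is None else effective_right(canonical, acl)


# Constructed sample data mirroring the post's SUMMARY example and Serv-U steps.
WWWROOT = {"subdirectory": {"subdirectory2": {}}, "default.htm": None}
WWWROOT_ACL = {"/": True, "/subdirectory": False}   # listing: root yes, subdir no
TMPHOME = {"longsubdir": {"exename.exe": None}}
TMPHOME_ACL = {"/": True, "/longsubdir": False}     # execute: root yes, subdir no

if __name__ == "__main__":
    for req in ("/subdirectory/", "/subdir~1/"):
        print(f"{req:22} vulnerable={vulnerable_authorize(req, WWWROOT_ACL)} "
              f"hardened={hardened_authorize(req, WWWROOT, WWWROOT_ACL)}")
    req = r"longsu~1\exename.exe"
    print(f"{req:22} vulnerable={vulnerable_authorize(req, TMPHOME_ACL)} "
          f"hardened={hardened_authorize(req, TMPHOME, TMPHOME_ACL)}")
```

Running it shows "/subdir~1/" passing the vulnerable check (inherits the root's listing right) and failing the hardened one, while "/subdirectory/" fails both; the Serv-U line behaves the same way for execute. The design point is that the access list and the canonicaliser must agree on one spelling of every name: resolve first, then look up.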

-- O T H E R   N O T E S --
 Apache (Win32 port) does _NOT_ appear to be affected
 Sambar WWW Server is not affected

Netscape previously fixed this problem (from the CERT):
   Enterprise Server 3.51 - not vulnerable
   Enterprise Server 3.0 - A patch has been created to fix the problem.
   FastTrack Server 2.01 - A patch has been created to fix the problem.
   FastTrack Server 3.01 - A patch has been created to fix the problem.

-- P E R S O N A L   R A N T --
Anyone can pull numbers out of their butt, and Microsoft has done it,
AGAIN!

Comparing Linux to Windows NT
Look at:
http://www.microsoft.com/ntserver/nts/exec/compares/ntlinux.asp

"680 percent better as a Web server"
"623 percent better Web server price/performance" (isn't Linux/Apache
free?)

I would like to publicly ask Microsoft to remove this "report" from
their site as it is very inaccurate.

Microsoft,
Any beta programs open that I can get on? :)

--

x-empt
lvhc () urban-a net

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 for non-commercial use <http://www.pgp.com>

iQA/AwUBN7XYWT0JSYszj2jyEQLmSgCfRdDc/fa4dGCdPSjiXfqXQdZ2e30AoMBb
v4ycZswIIst6uqMbbjEzHNh5
=D1Ti
-----END PGP SIGNATURE-----