Vulnerability Development mailing list archives
Re: dvwssr.dll (Has anyone verified whether is is valid?)
From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Fri, 14 Apr 2000 21:05:55 -0700
If folks would like to discuss this, I'd like to ask some specific questions. I've never used the FP extensions, so allow me to ask the dumb questions. I also don't have an IIS server handy to test with.

What normal/valid purpose does the dvwssr.dll have? From what I gather, since the weenie string is in both the client and server pieces, this is used in uploading stuff to the web server?

From rfp's code (and a bunch of my questions assume his code works at least partially as advertised):

    $url="GET /_vti_bin/_vti_aut/dvwssr.dll?".encodefilename($file)." HTTP/1.0\n\n";

Only the filename is encoded... it's not like the whole communication is scrambled in some way. What's the purpose of that? If it's all a permission issue, why scramble the filename?

I assume one normally needs a username and password (or x.509 cert, maybe?) to use FP legitimately. I.e. if I'm using a FP-enabled hosting service, they should have assigned me some authentication stuff, right? Rfp's advisory makes mention of legitimate users being able to access other users' files. This would imply that I authenticate as myself first. I see no such authentication mechanism in his code. Does this code work against really poorly administered FP servers or something?

What user context does FP normally run under? I would expect it to run as me, having more or less "logged in" as me when I authenticated to it... This is so normal NT permissions would be enforced. Marc mentions being able to upload arbitrary code... but am I still only executing as me? I.e. on a properly admin'd server, can I only screw myself/my site?

Following up on that thought, what user do you get to be when twiddling with dvwssr.dll? What user does the CordSDI exploit get me?

Assuming that I only get rights to my own files, is the getting other people's .asp files and such due to stupid NTFS perms? Is there something that makes it impractical to use NTFS perms, like if I'm hosting 10,000 sites, does that mean I'm also trying to admin 10,000 NT accounts?

If it's just bad perms, then why all the trouble to do the encoding thing? Wouldn't I just be able to use a stock FP install to grab whatever files I want?

BB