Vulnerability Development mailing list archives

Re: dvwssr.dll (Has anyone verified whether is is valid?)

From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Fri, 14 Apr 2000 21:05:55 -0700


If folks would like to discuss this, I'd like to ask some specific
questions.  I've never used the FP extensions, so allow me to ask the
dumb questions.  I also don't have an IIS server handy to test with.

What normal/valid purpose does the dvwssr.dll have?  From what I gather,
since the weenie string is in both the client and server pieces, this
is used in uploading stuff to the web server?

From rfp's code (and a bunch of my questions assume his code works

at least partially as advertised):

$url="GET /_vti_bin/_vti_aut/dvwssr.dll?".encodefilename($file)."
HTTP/1.0\n\n";

Only the filename is encoded... it's not like the whole communication is
scrambled in some way.  What's the purpose of that?  If it's all a
permission issue, why scramble the filename?

I assume one normally needs a username and password (or x.509 cert,
maybe?) to use FP legitimately.  I.e. if I'm using a FP-enabled hosting
service, they should have assigned me some authentication stuff, right?

Rfp's advisory makes mention of legitimate users being able to access
other users' files.  This would imply that I authenticate as myself
first.  I see no such authentication mechanism in his code.  Does
this code work against really poorly administered FP servers or
something?

What user context does FP normally run under?  I would expect it to run
as me, having more or less "logged in" as me when I authenticated to
it... This is so normal NT permissions would be enforced.  Marc
mentions being able to upload arbitrary code... but am I still
only executing as me?  I.e. on a properly admin'd server, can I only screw
myself/my site?

Following up on that thought, what user do you get to be when twiddling
with dvwssr.dll?

What user does the CordSDI exploit get me?

Assuming that I only get rights to my own files, is the getting
other people's .asp files and such due to stupid NTFS perms?

Is there something that makes it impractical to use NTFS perms, like
if I'm hosting 10,000 sites, does that mean I'm also trying to
admin 10,000 NT accounts?

If it's just bad perms, then why all the trouble to do the encoding thing?
Wouldn't i just be able to use a stock FP install to grab whatever files I
want?

                                                BB

Current thread:

Has anyone verified whether is is valid? M J (Apr 14)
- Re: Has anyone verified whether is is valid? Joe (Apr 14)
- Re: Has anyone verified whether is is valid? Ron DuFresne (Apr 14)
- Re: Has anyone verified whether is is valid? Ryan Permeh (Apr 14)
- Re: Has anyone verified whether is is valid? Maxime Rousseau (Apr 14)
- <Possible follow-ups>
- Re: Has anyone verified whether is is valid? Hugo Gayosso (Apr 14)
- Re: Has anyone verified whether is is valid? Marc (Apr 14)
  - Re: dvwssr.dll (Has anyone verified whether is is valid?) Blue Boar (Apr 14)
    - Re: dvwssr.dll (Has anyone verified whether is is valid?) Marc (Apr 14)
    - Re: dvwssr.dll (Has anyone verified whether is is valid?) Blue Boar (Apr 15)
    - Re: dvwssr.dll (Has anyone verified whether is is valid?) Marc (Apr 15)
    - Oulook password Hap2782 (Apr 15)
    - Re: Oulook password Blue Boar (Apr 15)
    - [Fwd: R: Oulook password] Blue Boar (Apr 15)