Vulnerability Development mailing list archives
Re: dvwssr.dll (Has anyone verified whether is is valid?)
From: marc () EEYE COM (Marc)
Date: Fri, 14 Apr 2000 23:40:45 -0700
----- Original Message -----
From: Blue Boar <BlueBoar () THIEVCO COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Friday, April 14, 2000 9:05 PM
Subject: Re: dvwssr.dll (Has anyone verified whether is is valid?)

<snip>

| What normal/valid purpose does the dvwssr.dll have?

Nothing really. You don't need it.

| I assume one normally needs a username and password (or x.509 cert,
| maybe?) to use FP legitimately. I.e. if I'm using a FP-enabled hosting
| service, they should have assigned me some authentication stuff, right?

For NT services you use the same authentication mechanisms as a regular NT login. There is a file, service.lck, that I believe controls access to the FP web. Whatever permissions are set on that file are what carry over to logins.

| Rfp's advisory makes mention of legitimate users being able to access
| other users' files. This would imply that I authenticate as myself
| first. I see no such authentication mechanism in his code. Does
| this code work against really poorly administered FP servers or
| something?

This code works against out of box NT4, SP4, IIS4, FP98 extensions that have not been locked down. By default Everyone has Admin access to the FP web.

| What user context does FP normally run under? I would expect it to run
| as me, having more or less "logged in" as me when I authenticated to
| it... This is so normal NT permissions would be enforced. Marc
| mentions being able to upload arbitrary code... but am I still
| only executing as me? I.e. on a properly admin'd server, can I only screw
| myself/my site?

If you upload a program to say cgi-bin and you execute it.... it executes as IUSR_MACHINE.

| Following up on that thought, what user do you get to be when twiddling
| with dvwssr.dll?

I believe IUSR_MACHINE.

| What user does the CoreSDI exploit get me?

I asked them the same question and have been given no response. It depends how the DLL is called really. It possibly could be System (inetinfo.exe) or it could be IUSR_MACHINE.

| Assuming that I only get rights to my own files, is the getting
| other people's .asp files and such due to stupid NTFS perms?

IUSR_MACHINE has access to most ASP files.

| Is there something that makes it impractical to use NTFS perms, like
| if I'm hosting 10,000 sites, does that mean I'm also trying to
| admin 10,000 NT accounts?
|
| If it's just bad perms, then why all the trouble to do the encoding thing?
| Wouldn't I just be able to use a stock FP install to grab whatever files I
| want?

Yes, the encoding and this whole dll mess is really not needed. If you can access the dll then you can just as easily use FP explorer to upload files to the server.

| BB
|

I think the only interesting thing to look into would be overflowing the DLL like core-sdi did. The questions that need to be answered are: Does everyone have permission to execute this dll? To my knowledge only default installs allow this, and if you're a default install you're screwed in more ways than one anyway. The second question should be: when it overflows, what is the actual process that's overflowing? I'll look into this tomorrow, but if someone has the chance to do so before me I'd love to know.

Signed,
Marc
eEye Digital Security
http://www.eEye.com