Vulnerability Development mailing list archives

Re: dvwssr.dll (Has anyone verified whether is is valid?)


From: marc () EEYE COM (Marc)
Date: Fri, 14 Apr 2000 23:40:45 -0700


----- Original Message -----
From: Blue Boar <BlueBoar () THIEVCO COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Friday, April 14, 2000 9:05 PM
Subject: Re: dvwssr.dll (Has anyone verified whether is is valid?)

<snip>
| What normal/valid purpose does the dvwssr.dll have?

Nothing really. You don't need it.

| I assume one normally needs a username and password (or x.509 cert,
| maybe?) to use FP legitimately.  I.e. if I'm using a FP-enabled hosting
| service, they should have assigned me some authentication stuff, right?

For NT services you use the same authentication mechanisms as a regular NT
login. There is a file, service.lck, that I believe controls access to the
FP web. Whatever permissions are set on that file are what carry over to logins.

| Rfp's advisory makes mention of legitimate users being able to access
| other users' files.  This would imply that I authenticate as myself
| first.  I see no such authentication mechanism in his code.  Does
| this code work against really poorly administered FP servers or
| something?

This code works against out of box NT4, SP4, IIS4, FP98 extensions that have
not been locked down. By default Everyone has Admin access to the FP web.

| What user context does FP normally run under?  I would expect it to run
| as me, having more or less "logged in" as me when I authenticated to
| it... This is so normal NT permissions would be enforced.  Marc
| mentions being able to upload arbitrary code... but am I still
| only executing as me?  I.e. on a properly admin'd server, can I only screw
| myself/my site?

If you upload a program to say cgi-bin and you execute it.... it executes as
IUSR_MACHINE.

| Following up on that thought, what user do you get to be when twiddling
| with dvwssr.dll?

I believe IUSR_MACHINE.

| What user does the CordSDI exploit get me?

I asked them the same question and have been given no response. It depends
how the DLL is called really. It possibly could be System (inetinfo.exe) or
it could be IUSR_MACHINE.

| Assuming that I only get rights to my own files, is the getting
| other people's .asp files and such due to stupid NTFS perms?

IUSR_MACHINE has access to most ASP files.

| Is there something that makes it impractical to use NTFS perms, like
| if I'm hosting 10,000 sites, does that mean I'm also trying to
| admin 10,000 NT accounts?
|
| If it's just bad perms, then why all the trouble to do the encoding thing?
| Wouldn't i just be able to use a stock FP install to grab whatever files I
| want?

Yes, the encoding and this whole dll mess is really not needed. If you can
access the dll then you can just as easily use FP explorer to upload files
to the server.

| BB
|

I think the only interesting thing to look into would be overflowing the DLL like
core-sdi did. The questions that need to be answered are: Does everyone have
permission to execute this dll? To my knowledge only default installs allow
this, and if you're a default install you're screwed in more ways than one
anyway. The second question should be: when it overflows, what is the actual
process that's overflowing? I'll look into this tomorrow, but if someone has
the chance to do so before me I'd love to know.

Signed,
Marc
eEye Digital Security
http://www.eEye.com