Vulnerability Development mailing list archives

Re: /_vti_bin/_vti_aut/dvwssr.ddl


From: Michael Katz <mike () procinct com>
Date: Sun, 16 Jun 2002 18:03:02 -0700

At 6/16/2002 11:19 AM, Armish wrote:

When I was testing one of my PCs about security, the program found a vuln. about
/_vti_bin/_vti_aut/dvwssr.ddl. What is this file? How can it become a
risk? How can I close this hole? (Too many questions, ha? :) ....)
Thanks for all answers...

Armish,

According to rain forest puppy's advisory at http://www.wiretrip.net/rfp/p/doc.asp/i2/d45.htm, "The NT 4 Option Pack ships with a particular ISAPI .dll in /_vti_bin/_vti_aut/ named dvwssr.dll, which is mixed in with the Microsoft FrontPage extensions (the version I have is 3.0.2.1105). This particular .dll allows you to read .asp (and .asa) files under the web root, providing you know the 'password' (obfuscated encoding scheme) of which to ask it. And, as implied by the title, the constant key used in the encoding is "Netscape engineers are weenies!"."

Although there was some dispute about the encoding key, Microsoft issued Security Bulletin MS00-025, which is at http://www.microsoft.com/technet/security/bulletin/MS00-025.asp, which states, "Dvwssr.dll is a server-side component used to support the Link View feature in Visual Interdev 1.0. However, it contains an unchecked buffer. If overrun with random data, it could be used to cause an affected server to crash, or could allow arbitrary code to run on the server in a System context."

You can close the hole by deleting the file, as is recommended by Microsoft. The only functionality lost is the "ability to generate link views of .asp pages using Visual Interdev 1.0."

Michael Katz
mike () procinct com
Procinct Security
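
An added example, not part of the message above or of either advisory it quotes: a Python check for confirming the removal, which searches a web root for dvwssr.dll and lists requests for it in W3C extended format logs. The function names, the log field layout and the sample log lines are assumptions constructed for illustration.

```python
import os
from urllib.parse import unquote

TARGET = "dvwssr.dll"  # file name from the advisories quoted above

def find_dvwssr(web_root):
    """Return every copy of dvwssr.dll under web_root (case-insensitive)."""
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        hits += [os.path.join(dirpath, f) for f in files if f.lower() == TARGET]
    return sorted(hits)

def requests_for_dvwssr(log_lines):
    """Return (client, path, status) for each logged request to dvwssr.dll."""
    fields, hits = [], []
    for line in log_lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # The header names the columns, so honour whatever order is logged.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Decode %xx escapes and normalise case and slashes before comparing.
        path = unquote(row.get("cs-uri-stem", "")).replace("\\", "/").lower()
        if path.rsplit("/", 1)[-1] == TARGET:
            hits.append((row.get("c-ip"), path, row.get("sc-status")))
    return hits

# Constructed sample log (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2002-06-16 18:01:10 192.0.2.10 GET /default.asp 200",
    "2002-06-16 18:01:12 203.0.113.7 GET /_vti_bin/_vti_aut/dvwssr.dll 200",
    "2002-06-16 18:02:40 203.0.113.7 GET /_VTI_BIN/_vti_aut/DVWSSR%2EDLL 404",
]

if __name__ == "__main__":
    for client, path, status in requests_for_dvwssr(SAMPLE_LOG):
        # Assumption: a 404 is consistent with the file having been deleted;
        # any other status means the request reached something at that path.
        note = "not found" if status == "404" else "still answering, check the disk"
        print(client, path, status, note)
```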

