Vulnerability Development mailing list archives

RE: Microsoft IIS - Possible authentication flaw?


From: "ZeroBreak" <ZeroBreak () softhome net>
Date: Tue, 28 May 2002 22:24:09 -0400

I found this quite interesting. However, due to time restraints I didn't
have long to sit here and play tonight :(. My tests were done using IIS
5.0 with service pack 2 and up to date with all hot fixes that pertain
to it. In my tests I found that sending the % followed by any number
and then any character will result in the strange event logs. I.e.: '%11'
works just the same as '%1p' or '%9b' etc... But with that it will yield
2 event logs. (This does leave normal traces behind in the IIS logs, so
it's not untraceable).

I haven't been able to get any similar results using anything other than
'%' + num + any_char combinations. But like I said all '%' + num +
any_char combinations worked.

        [Event Log 1 of 2 with %11]
        Date: 5/28/2002
        Time: 21:36
        Type: Failure
        User: NT AUTHORITY\SYSTEM
        Computer: SERVER
        Source: Security
        Category: Logon/Logoff
        Event ID: 529
        Description:
                Reason:                 Unknown user name or password
                User Name:                      %11
                Domain:                 %2
                Logon Type:                     %3
                Logon Process:          %4
                Authentication Package: %5
                Workstation Name:               %6

        [Event Log 2 of 2 with %11]
        Date: 5/28/2002
        Time: 21:36
        Type: Failure
        User: NT AUTHORITY\SYSTEM
        Computer: SERVER
        Source: Security
        Category: Account Logon
        Event ID: 681
        Description:
                The logon to account: %11
                by: %1
                from workstation: %3
                failed. The error code was: %4

But what I found even more interesting is when we fill our username box
in the authentication dialog. By sending
'%1aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' as our username we get much
different results as seen below.

In the second event log under the User Name: there was, in the event
log, a %1 followed by 25,600 a's. But for the sake of everyone else I
shortened it :).
        
        [Event Log 1 of 2 when filling the username box in the authentication dialog]
        Date: 5/28/2002
        Time: 21:45
        Type: Success
        User: SERVER\Administrator
        Computer: SERVER
        Source: Security
        Category: Privilege Use
        Event ID: 578
        Description:
                Privileged object operation:
                        Object Server:          EventLog
                        Object Handle:          0
                        Process ID:                     248
                        Primary User Name:      SERVER$
                        Primary Domain:         WORKGROUP
                        Primary Logon ID:               (0x0,0x3E7)
                        Client User Name:               Administrator
                        Client Domain:          SERVER
                        Client Login ID:                (0x0,0xBDB5)
                        Privileges:             SeSecurityPrivilege

        [Event Log 2 of 2 when filling the username box in the authentication dialog]
        Date: 5/28/2002
        Time: 21:45
        Type: Failure
        User: NT AUTHORITY\SYSTEM
        Computer: SERVER
        Source: Security
        Category: Logon/Logoff
        Event ID: 537
        Description:
                Logon Failure:
                        Reason:                 An unexpected error occurred during logon
                        User Name:                      %1(a * 25,600)
                        Domain:                 %2
                        Logon Type:                     %3
                        Logon Process:          %4
                        Authentication Package: %5
                        Workstation Name:               %6
                        

Like I said earlier I haven't really had time to play with this at all.
If anyone else finds anything interesting post to the list cause I would
definitely like to know :). Hopefully tomorrow will allow more time for
play, hehe.

        ZeroBreak
        (ZeroBreak () softhome net) or (ZeroBreak () mailandnews com)

-----Original Message-----
From: root () synopse homeip net [mailto:root () synopse homeip net] 
Sent: Monday, May 27, 2002 4:37 PM
To: vuln-dev () securityfocus com
Subject: Microsoft IIS - Possible authentication flaw?

Greetings,

I was playing around with Microsoft IIS 5.1 when I noticed something very weird. If you go to a directory which has basic authentication enabled, and enter the string: %1p as the login, it will put this into the event logs under the system subsection:

Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 100
Date:  14/05/2002
Time:  2:21:35 PM
User:  N/A
Computer: WINDOWS
Description:
The server was unable to logon the Windows NT account '%1pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp' due to the following error: %2 The data is the error code.

For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Data:
0000: 2e 05 00 00               ....

(Note: The p after %1 can be any character it seems. I just used %1p as my example.)

---

If you enter the string: %2 as the login, it will also put this into the event logs under the system subsection:

Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 100
Date:  14/05/2002
Time:  2:24:20 PM
User:  N/A
Computer: WINDOWS
Description:
The server was unable to logon the Windows NT account 'Logon failure: unknown user name or bad password. ' due to the following error: Logon failure: unknown user name or bad password.  The data is the error code.

For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Data:
0000: 2e 05 00 00               ....

--

If you repeat %2, or %1p it will produce longer entries in the event logs, depending on how many times you wish to repeat it. I've been playing with this for a while now, and it only appears that %2 and %1 (followed by a character) will cause these weird entries in the event logs. I tested this on Windows XP Pro with all updates and patches, running IIS 5.1.

Georgi Guninski confirmed that this format string "flaw" is present in Windows 2000 with IIS 5.0, as well as the Microsoft FTP service.

I've given up on playing around with this "flaw", so I'm posting it to vuln-dev to let other people have a chance and see what else can be found.

Cheers,

0x00
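To make the behaviour both posts describe concrete (a client-supplied insert value containing %N being re-read as an insert reference when the event text is rendered), here is an added Python model written for this page; it is not code from Microsoft or from either poster. The W3SVC event 100 wording is taken from the quoted event, the re-expansion loop and its length cap are assumptions about the observed behaviour, and the sample event records are constructed. It also shows the single-pass rendering that keeps the username as data, and a check that flags log records whose username carries a %N reference.

```python
import re

# Template of W3SVC event 100 as quoted in the thread: insert 1 is the account
# name the client supplied, insert 2 is the logon error text.
W3SVC_100 = ("The server was unable to logon the Windows NT account '%1' "
             "due to the following error: %2")
LOGON_ERR = "Logon failure: unknown user name or bad password."

INSERT_REF = re.compile(r"%(\d+)")


def expand_once(text, inserts):
    """One pass: replace every %N with inserts[N-1]; unknown indices stay literal."""
    def sub(m):
        n = int(m.group(1))
        return inserts[n - 1] if 1 <= n <= len(inserts) else m.group(0)
    return INSERT_REF.sub(sub, text)


def render_naive(template, inserts, max_len=512):
    """Assumed model of the observed behaviour (not the Event Log's real code):
    the rendered text is re-scanned for %N until nothing changes, so an insert
    that itself contains %N is read as a reference. A username of '%2' thus
    shows the error text in the account field; '%1p' grows by one character
    per round until the (assumed) length cap stops the loop."""
    text = template
    while True:
        nxt = expand_once(text, inserts)
        if nxt == text or len(nxt) > max_len:
            return nxt
        text = nxt


def render_safe(template, inserts):
    """Single pass: insert values are data and are never re-interpreted."""
    return expand_once(template, inserts)


def flag_insert_refs(events):
    """Detection: ids of records whose client-supplied username carries a %N
    reference, i.e. logon events whose rendered description cannot be trusted."""
    return [e["id"] for e in events if INSERT_REF.search(e["user"])]


if __name__ == "__main__":
    # Constructed sample records, modelled on the event ids seen in the thread.
    sample = [{"id": 529, "user": "%1p"}, {"id": 681, "user": "Administrator"},
              {"id": 537, "user": "%2"}, {"id": 100, "user": "100%"}]
    print(render_naive(W3SVC_100, ["%2", LOGON_ERR]))
    print(render_safe(W3SVC_100, ["%2", LOGON_ERR]))
    print(flag_insert_refs(sample))
```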