Vulnerability Development mailing list archives

RE: Microsoft IIS - Possible authentication flaw?


From: "Tiago Halm" <thalm () netcabo pt>
Date: Thu, 30 May 2002 00:51:31 +0100

After doing some research, here goes:

W3SVC service has the "EventMessageFile" located at:
- c:\winnt\system32\inetsrv\w3svc.dll
This file contains the messages written to the event log in case of errors.

In this specific matter, the EventID 0x80000064 (event viewer only shows the
last eight bits = 0x64 = 100) corresponds to the following message
- The server was unable to logon the Windows NT account '%1' due to the
following error: %2

In normal circumstances the parameters get replaced by the following:
- %1 = <username typed in the authentication dialog box>
- %2 = Logon failure: unknown user name or bad password.

Every time an event occurs, the EventID, the parameters and other data get
stored in the corresponding log file (in this case, System), which is a file
on the hard disk.

There are two ways to read the event log (System, Application, etc.). The first,
and most used, is "Event Viewer". The second is building your own event viewer
using Event Log functions like:
- BackupEventLog
- ClearEventLog
- CloseEventLog
- DeregisterEventSource
- GetEventLogInformation
- GetNumberOfEventLogRecords
- GetOldestEventLogRecord
- NotifyChangeEventLog
- OpenBackupEventLog
- OpenEventLog
- ReadEventLog
- RegisterEventSource
- ReportEvent

I've read the event log using one of the samples that comes with the Platform
SDK, located at "samples\winbase\Debug\eventlog". Where "Event Viewer"
displays '%1aaaaaa....' (exactly 100 'a'), this sample displays just '%1aa'.
The sample, by the way, does not use FormatMessage to build the event
message; it replaces '%1' and '%2' by hand. The FormatMessage
function is only used to retrieve the following string:
- The server was unable to logon the Windows NT account '%1' due to the
following error: %2
The data is the error code.
For additional information specific to this message please visit the
Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.

This leads me to the following two conclusions:
1. There is definitely an error going on, but I believe the error is inside
the "Event Viewer" application that comes with the operating system.
2. There may be an error with Inetinfo.exe. Inetinfo may be using the
ReportEvent function incorrectly, sending to the event log an event with an
incorrect number of strings (see the ReportEvent function in MSDN) and
incorrect strings themselves.

NOTE: By the way, if you enter '%2p' in the username, the 'p' gets
concatenated to:
- Logon failure: unknown user name or bad password.
as this:
- Logon failure: unknown user name or bad password. p
and the parameter '%1' of the message included in the message file
"w3svc.dll" gets replaced with it. Why? Well, read my 2nd conclusion again.

One final touch: I've found that each character placed after '%1' gets
repeated 100 times. So '%1aaa' leaves you with '%1' followed by 300 'a's.

Well, enough for now. Hope all is correct. There is much more to study here,
but I think Microsoft definitely has a situation here, although I wouldn't
consider it serious. Just a bug fix IMHO.

Cheers,
Tiago Halm
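
The following is an added example, not code from the post above or from
Microsoft. It is a small Python model of FormatMessage-style '%n' insertion
for the W3SVC event 100 text quoted in the post, used to show why an
attacker-supplied username such as '%2p' is dangerous: a consumer that
substitutes inserts in a single pass is safe, while a hypothetical consumer
that rescans the expanded text (the model here for the '%2p' observation,
not a claim about how Event Viewer is implemented, and it does not reproduce
the 100x repetition reported above) lets the username pull in the other
insert. It also includes a detection helper that flags records whose inserts
carry '%n' directives, run over constructed sample records.

```python
import re

# Message 100 (0x80000064) as quoted from w3svc.dll in the post above.
W3SVC_MSG_100 = ("The server was unable to logon the Windows NT account '%1' "
                 "due to the following error: %2")
LOGON_FAILURE = "Logon failure: unknown user name or bad password."

# %1..%99 style insertion directives, the subset FormatMessage uses for inserts.
INSERT_RE = re.compile(r"%(\d{1,2})")


def expand_once(template, inserts):
    """Single-pass substitution of %n with inserts[n-1].

    Text that comes from an insert is copied literally and never rescanned,
    which is what a consumer of untrusted inserts should do: a client-chosen
    username cannot reference other inserts. Unknown indexes stay as-is.
    """
    def repl(m):
        i = int(m.group(1))
        return inserts[i - 1] if 1 <= i <= len(inserts) else m.group(0)
    return INSERT_RE.sub(repl, template)


def expand_twice(template, inserts):
    """Hypothetical buggy consumer: runs expansion again over the already
    expanded text, so directives smuggled in through an insert are honoured.
    Assumption: this only models the '%2p' behaviour described in the post,
    not the real Event Viewer implementation."""
    return expand_once(expand_once(template, inserts), inserts)


def suspicious_events(events):
    """Detection helper: record numbers whose inserts contain %n directives,
    i.e. client-supplied strings that any rescanning consumer would treat
    as directives. A lone '%' (as in '50%off') is not flagged."""
    return [e["record"] for e in events
            if any(INSERT_RE.search(s) for s in e["inserts"])]


# Constructed sample records (not real log data): record number, event id,
# and the two insertion strings W3SVC supplies for event 100.
SAMPLE_EVENTS = [
    {"record": 1, "event_id": 0x80000064, "inserts": ["alice", LOGON_FAILURE]},
    {"record": 2, "event_id": 0x80000064, "inserts": ["%2p", LOGON_FAILURE]},
    {"record": 3, "event_id": 0x80000064, "inserts": ["%1aaa", LOGON_FAILURE]},
    {"record": 4, "event_id": 0x80000064, "inserts": ["50%off", LOGON_FAILURE]},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print("single pass:", expand_once(W3SVC_MSG_100, e["inserts"]))
        print("double pass:", expand_twice(W3SVC_MSG_100, e["inserts"]))
    print("records with %n in an insert:", suspicious_events(SAMPLE_EVENTS))
```

With the single pass, record 2 renders the account as the literal '%2p'; with
the rescanning model it renders as the logon failure text followed by 'p',
and record 3's '%1aaa' grows on every pass because the insert re-references
itself. The lesson for anything that consumes ReportEvent inserts is to
substitute once and never feed the result back through the formatter.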

