-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

        Automated Web Interface Scans IIS for Multiple Vulnerabilities

August 16, 2000 16:00 GMT                                         Number K-068
______________________________________________________________________________

PROBLEM:       Several vulnerabilities may be exploited in Microsoft's
               Internet Information Server (IIS).
PLATFORM:      All platforms running IIS versions 1.0, 2.0, 3.0, 4.0 and 5.0
               (not every issue below affects every version; see the
               individual descriptions).
DAMAGE:        An outsider can gain access to the source code of scripts,
               possibly containing usernames and passwords, locations of
               MS Access MDB files or other sensitive information.
SOLUTION:      Apply the patches indicated below. Install Service Pack 1 for
               Windows 2000.
______________________________________________________________________________

VULNERABILITY  The risk is HIGH. The vulnerabilities and exploits have been
ASSESSMENT:    discussed in public forums.
______________________________________________________________________________

[ Start iDEFENSE Analysis Report ]

Automated Web Interface Scans IIS for Multiple Vulnerabilities

A newly released automated Web interface scans Microsoft's Internet
Information Server (IIS) for multiple reported IIS vulnerabilities. Through
successful exploitation of these vulnerabilities, an attacker can gain access
to the source code of scripts, possibly containing usernames and passwords,
locations of MS Access MDB files or other sensitive information. This Web
interface could be used to scan unsuspecting systems to identify
vulnerabilities prior to an attack. Using the automated Web interface, a
Czech Republic security firm reported being able to penetrate dozens of
systems and obtain information ranging from email addresses to usernames and
passwords.
This interface is publicly available on a Web site hosted in the Czech
Republic. Due to the public release of this interface, coupled with the
length of time these vulnerabilities have been known, iDEFENSE Intelligence
Services expects an increase of exploits against systems operating IIS.

The following vulnerabilities are among those being scanned for by the
automated Web interface:

Codebrws.asp

Codebrws.asp is a viewer file that ships with Microsoft IIS, but is not
installed by default. The viewer is intended to be installed by the
administrator to allow for the viewing of sample files as a learning
exercise; however, the viewer does not restrict which files can be accessed.
A remote attacker can exploit this vulnerability to view the contents of any
file on the victim's server. However, there are several issues to be aware
of:

1. Codebrws.asp is not installed by default.
2. The vulnerability only allows for viewing of files.
3. The vulnerability does not bypass Windows NT Access Control Lists (ACLs).
4. Only files on the same disk partition can be viewed.
5. Attackers must know the location of the requested file.

Microsoft has released a patch for this vulnerability located at .

Null.htw

Microsoft IIS running with Index Server contains a vulnerability through
Null.htw even if no .htw files exist on the server: the request is handled by
the ISAPI extension mapped to the .htw extension, not by a file on disk. The
vulnerability displays the source code of an ASP page or other requested
file. The ability to view ASP pages could provide sensitive information such
as usernames and passwords. An attacker providing IIS with a malformed URL
request could escape the virtual directory, providing access to the logical
drive and root directory. The "hit-highlighting" function in the Index
Server does not adequately restrain what types of files may be requested,
allowing an attacker to request any file on the server. Microsoft has
released a patch for Windows 2000 addressing this vulnerability.
The patch is located at
http://www.microsoft.com/downloads/release.asp?ReleaseID=17726.

+.HTR

The +.HTR vulnerability (iAlert, July 17, 2000) allows for the viewing of
certain file types. Requesting a filename with "+.htr" appended forces IIS
to hand the request to the ISM.DLL ISAPI extension, which opens the target
file. If the target file is not a .HTR file, part of the target file's source
code will be revealed. Microsoft has released a patch addressing the .HTR
vulnerability located at
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22709 for version
4.0 and http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22708 for
version 5.0.

Translate:f

A newly reported vulnerability in Microsoft's IIS is the Translate:f
vulnerability. A request that carries a "Translate: f" header (normally sent
by WebDAV authoring clients to obtain a file's source rather than its
processed output) and ends the file name with one of several particular
characters (a trailing backslash in the public exploit) prevents ISAPI
processing from taking place. This allows for the display of the source code
of the requested file, including .ASP pages. Microsoft has released a patch
addressing this vulnerability located at
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23769.

$DATA

The $DATA vulnerability, published in mid-1998, results from an error in the
way the Internet Information Server parses file names. $DATA is the name of
the main data stream (which holds the "primary content") stored within a file
on NT File System (NTFS). By creating a specially constructed URL that names
this stream explicitly, it is possible to use IIS to access the data stream
from a browser. Doing so will display the code of the file containing that
data stream and any data that file holds. This method can be used to display
a script-mapped file that can normally be acted upon only by a particular
Application Mapping, because the script map is matched against the file
extension and the ":$DATA" suffix prevents that match. The contents of these
files are not ordinarily available to users. However, in order to display
the file, the file must reside on an NTFS partition and must have ACLs set
to allow at least read access; the unauthorized user must also know the file
name.
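The five issues above share one shape: a request whose URL or headers make IIS hand a script-mapped file to the wrong handler, or to no handler at all. The following Python is an added example, not part of this bulletin or of any Microsoft tool. It encodes the publicly documented probe form of each issue as a rule, classifies a request URI (plus headers, when they are available from a capture) against those rules, and runs the classifier over a constructed IIS W3C extended log excerpt. The log lines and host names are constructed for illustration; note that "Translate: f" is a header, which IIS does not write to its log, so that probe can only be seen from a capture or a proxy.

```python
# Added example, not part of the CIAC bulletin or of any Microsoft tool:
# classify IIS requests against the five probe shapes described above and
# run the classifier over a constructed W3C extended log excerpt.
from typing import Callable, Dict, Iterator, List, Optional, Tuple
from urllib.parse import unquote

Headers = Dict[str, str]


def _codebrws(path: str, query: str, headers: Headers) -> bool:
    # The sample viewer should not be installed at all, so any hit is flagged.
    return path.endswith("/codebrws.asp")


def _null_htw(path: str, query: str, headers: Headers) -> bool:
    # The .htw script map answers even for a nonexistent .htw file; the
    # target file is named in CiWebHitsFile.
    return path.endswith(".htw") and "ciwebhitsfile=" in query


def _plus_htr(path: str, query: str, headers: Headers) -> bool:
    # "<file>+.htr" (or "%20.htr") sends the request to ISM.DLL.
    return path.endswith("+.htr") or path.endswith(" .htr")


def _translate_f(path: str, query: str, headers: Headers) -> bool:
    # WebDAV clients send "Translate: f" legitimately; the probe combines it
    # with a trailing backslash on the requested file name.
    return headers.get("translate", "").strip().lower() == "f" and path.endswith("\\")


def _data_stream(path: str, query: str, headers: Headers) -> bool:
    # Naming the NTFS primary data stream explicitly bypasses the script map.
    return "::$data" in path


RULES: List[Tuple[str, Callable[[str, str, Headers], bool]]] = [
    ("codebrws.asp", _codebrws), ("null.htw", _null_htw), ("+.htr", _plus_htr),
    ("translate:f", _translate_f), ("$data", _data_stream),
]


def classify(uri: str, headers: Optional[Headers] = None) -> Optional[str]:
    """Name of the first matching rule for a request URI, else None.
    Path and query are percent-decoded once (as IIS does) and lower-cased,
    since NTFS names and ISAPI extension mappings are case-insensitive."""
    hdrs = {k.lower(): v for k, v in (headers or {}).items()}
    path, _, query = uri.partition("?")
    path, query = unquote(path).lower(), unquote(query).lower()
    for name, matches in RULES:
        if matches(path, query, hdrs):
            return name
    return None


def classify_raw_request(raw: str) -> Optional[str]:
    """Classify a raw HTTP request head (request line plus headers), which is
    where a header-only probe such as Translate: f, absent from IIS logs,
    can be seen when working from a capture."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        return None
    headers: Headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return classify(parts[1], headers)


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data row, keyed by the log's #Fields: directive."""
    fields: Optional[List[str]] = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data row before #Fields: directive")
            values = line.split()
            if len(values) == len(fields):  # skip truncated rows
                yield dict(zip(fields, values))


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client IP, rule name, URI) for every probe found in the log."""
    hits = []
    for row in parse_w3c(text):
        query = row.get("cs-uri-query", "-")
        uri = row["cs-uri-stem"] + ("" if query == "-" else "?" + query)
        name = classify(uri)
        if name:
            hits.append((row["c-ip"], name, uri))
    return hits


# Constructed log excerpt in IIS W3C extended format (not a real capture).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-08-16 16:00:01 10.0.0.5 GET /iissamples/sdk/asp/docs/codebrws.asp Source=/default.asp 200
2000-08-16 16:00:02 10.0.0.5 GET /null.htw CiWebHitsFile=/default.asp&CiRestriction=none&CiHiliteType=Full 200
2000-08-16 16:00:03 10.0.0.5 GET /default.asp+.htr - 200
2000-08-16 16:00:04 10.0.0.5 GET /default.asp::$DATA - 200
2000-08-16 16:00:05 10.0.0.7 GET /default.asp - 200
2000-08-16 16:00:06 10.0.0.7 GET /images/logo.gif - 404
"""
```

Running scan_log(SAMPLE_LOG) returns four hits, all from 10.0.0.5, one per URL-based probe; classify_raw_request("GET /default.asp\\ HTTP/1.0\r\nTranslate: f\r\n\r\n") returns "translate:f", while the same header on a request without the trailing backslash is not flagged, since that is what ordinary WebDAV clients send. A 200 status on any of the flagged rows means the server answered the probe and the patches above have not been applied.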
Microsoft Windows NT Server's IIS versions 1.0, 2.0, 3.0 and 4.0 are affected
by this vulnerability. Microsoft has produced a hotfix for IIS versions 3.0
and 4.0. The fix involves IIS "supporting NTFS alternate data streams by
asking Windows NT to make the file name canonical" according to Microsoft,
so that the script map is matched against the canonical file name rather
than the name as the client supplied it. The fixes are available from:

ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/iis3-datafix/iis3fixi.exe
  for IIS 3.0 on Intel,
ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/iis3-datafix/iis3fixa.exe
  for IIS 3.0 on Alpha,
ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/iis4-datafix/iis4fixi.exe
  for IIS 4.0 on Intel and
ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/iis4-datafix/iis4fixa.exe
  for IIS 4.0 on Alpha.

Windows 2000 customers (IIS 5.0) are strongly urged to obtain Service Pack 1
for Windows 2000, which contains fixes for these vulnerabilities along with
patches for several unrelated vulnerabilities. A Windows 2000 service pack
does not apply to IIS 4.0 on Windows NT 4.0; those systems need the
individual patches listed above. Service Pack 1 for Windows 2000 may be
obtained from
http://www.microsoft.com/windows2000/downloads/recommended/sp1/x86Lang.asp.

[ End iDEFENSE Analysis Report ]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of iDEFENSE, Inc. for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24 hours a day. During off hours (5PM -
8AM PST), use one of the following methods to contact CIAC:

    1. Call the CIAC voice number 925-422-8193 and leave a message, or

    2. Call 888-449-8369 to send a Sky Page to the CIAC duty person or

    3. Send e-mail to 4498369@skytel.com, or

    4. Call 800-201-9288 for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)
   Modem access:        +1 (925) 423-4753 (28.8K baud)
                        +1 (925) 423-3331 (28.8K baud)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights.
Reference herein to any specific commercial products, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or
favoring by the United States Government or the University of
California. The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government or
the University of California, and shall not be used for advertising or
product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

K-067: FreeBSD dhclient Vulnerable to Malicious DHCP Server
K-066: IRIX telnetd Vulnerability
K-065: Microsoft "Specialized Header" Vulnerability
K-064: Linux Kernel Capability Vulnerability
K-063: Netscape Java Vulnerability
K-062: Vulnerabilities in Lotus Notes Domino Aired at DefCon 8
K-061: Microsoft Office HTML and IE Script Vulnerabilities
K-060: Microsoft's Malformed E-Mail Header Vulnerability
K-059: Microsoft DTS Password Vulnerability
K-058: OpenSSH UseLogin Vulnerability

-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBOZrNe7nzJzdsy3QZAQFIOwP+K9B8A12BLl0VRNBSqJS8C3rE1a8jcGCf
Ieq6bUQurrLRc1KbhfQAhgISPKMV4J199w441S4rjklQazk7nVfMDsfu5qXLOs3J
6er8pZhcaKjtUyoeCNBy0apkCWBg5wV3lANXNpP+k2yqRU7LKf6S9j9WjDXXv8XH
daTNdzgAt3w=
=nT5g
-----END PGP SIGNATURE-----