Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormSozniPACKETSTORM:11652
HistoryOct 26, 1999 - 12:00 a.m.

webfolders.txt

1999-10-2600:00:00
Sozni
packetstormsecurity.com
41
JSON
`If you have installed Microsoft Office 2000 or keep current on your Windows   
Updates, you may have noticed a new WebFolders namespace in Windows Explorer.   
WebFolders are a new concept designed to give Microsoft Office and FrontPage   
users the ability to publish and work with web content. The concept is that a   
web site becomes a part of Windows Explorer so that you can work with web   
content as if it were located locally or on a network drive.  
  
The fun part is that WebFolders have some significant weaknesses (inherited from   
FrontPage) and are such a new concept that it turns out they make a great entry   
point into a remote server. In fact, when you connect to a web folder you are   
doing exactly the same thing that FrontPage does when it connects to a remote   
web site. This vulnerability is nothing new and I doubt there will be any   
patches forthcoming because it mainly exploits ignorance and smugness more than   
server applications. Okay, so this is really about FrontPage and for some of you   
this may just be a review. Nonetheless, I am surprised how few people seem to   
understand how FrontPage security works.   
  
USING WEBFOLDERS  
  
As I mentioned previously, WebFolders work the same as FrontPage when connecting   
to web sites. Essentially when you add a new WebFolder, Explorer will send a   
Post request to /_vti_bin/_vti_aut/author.dll (among others), which is installed   
as a part of the FrontPage Server extensions. So when you are using WebFolders,   
you are really just using the FrontPage Server extensions. If as an anonymous   
user you do not have read and execute access to that file, the server try to get   
an NTLM or Basic authentication from you. If any of those credentials succeed,   
you will now have a new WebFolder mapped to the remote server's web root. Even   
better, if you are able to get to this point, you should have at least authoring   
rights on the server, which means that you will be able to do just about   
anything you want on this web site. And when this is used in combination with   
other known exploits, one can easily achieve full admin access to a server.  
  
Before getting into the technical details, lets look at what this all means and   
some of the issues involved here:  
  
1. Someone can remotely access at least a portion of your file system,   
including read, write, and execute permissions;  
2. Since it all works on port 80, this exploit could easily work through many   
firewalls configurations and intrusion detection systems;  
3. Since all file access is done through posts to author.dll, the specific   
files accessed will not show up in any logs and therefore you won't really   
know how much the attacker really did or what files he accessed (or   
installed);  
4. The exploit can easily be performed through proxy servers to more easily   
disguise the originating IP address;  
5. The login prompt is a good place to perform a brute-force attack (whether it   
shows up in the Event Log or triggers account lockouts, I have not yet   
tested). Another related fact is that in order to connect to a WebFolder,   
FrontPage requires that the author's account have the ability to log on   
locally. So if you do connect to a WebFolder you will be locally logged on   
to that server (something to think about);  
6. The permissions you have as the web author will normally be greater than   
those given to IUSR_MACHINE;  
7. Passwords are often stored in global.asa and other files which may be used   
to attack other servers;  
8. Most people do not realize that they are vulnerable since a default   
FrontPage installation does not implement any security restrictions and many   
people do not understand how to setup FrontPage security.  
  
HOW IT ALL WORKS  
  
On Windows NT and IIS, FrontPage security is basically controlled by the access   
rights to the three files Admin.dll, Author.dll, and Shtml.dll. These rights   
respectively determine administration, authoring, and browsing rights. For   
example, if a remote user is able to read and execute Admin.dll, then that user   
is able to administer the web site.  
  
The authentication dll's are structured as follows:  
  
Web Root  
\_vti_bin  
shtml.dll  
\_vti_aut  
author.dll  
\_vti_adm  
admin.dll  
  
When the post to author.dll succeeds, the client will then be able to browse the   
web site as if it were browsing the file system. And since an author has full   
authoring capabilities, he can also do things such as place executable files in   
the _vti_bin directory or other executable directories. Having user read,   
write, and execute access is just one step away from having full admin access.  
  
Properly called the FrontPage Remote Procedure Call Protocol, the exact   
procedure for connecting is as follows:  
  
First, Explorer sends the remote server an OPTIONS / HTTP/1.1 (I suppose to   
figure out if it can post). At this point it is sending a User-Agent of   
"Microsoft Data Access Internet Publishing Provider Cache Manager", although in   
later requests it sends a User-Agent of "MSFrontPage/4.0." So far I have seen   
few servers that dissallow the POST method so this usually succeeds (which makes   
me wonder why they even do it).  
  
Then it sends GET /_vti_inf.html HTTP/1.1. This is the basic configuration file   
for the FrontPage extensions. This tells Explorer that the FrontPage server   
extensions are installed and it looks for the line   
FPAuthorScriptUrl="_vti_bin/_vti_aut/author.dll". On IIS it will be author.dll   
and on all others it will be author.exe. Of course, if the file isn't there, we   
get a 404 and we know this server doesn't have FrontPage support.  
  
After it knows the location of the authoring binaries, it sends POST   
/_vti_bin/shtml.dll/_vti_rpc HTTP/1.1. Shtml.dll is the browse binary and is   
available to everyone. The post data is:   
method=server+version%3a4%2e0%2e2%2e2611, to which the server responds something   
like this:  
<html><head><title>vermeer RPC packet</title></head>  
<body>  
<p>method=server version:3.0.2.1706  
<p>server version=  
<ul>  
<li>major ver=3  
<li>minor ver=0  
<li>phase ver=2  
<li>ver incr=1706  
</ul>  
<p>source control=0  
</body>  
</html>  
  
Now Explorer knows the version (although it could have extracted this from the   
_vti_inf.html file) and can start its work. It sends a POST to   
/_vti_bin/_vti_aut/author.dll, which is the authoring binary. The post data is   
method=open+service%3a3%2e0%2e2%2e1706&service%5fname=%2f (notice how it now   
uses the server's version). This is where the authentication comes in. If the   
ACL of author.dll permits this request, the server responds with a bunch of   
settings, which is basically the /_vti_pvt/services.cnf file. There is nothing   
very interesting here, although some of the information could be used along with   
other exploits. The good part comes in this next request:  
  
POST /_vti_bin/_vti_aut/author.dll HTTP/1.1  
MIME-Version: 1.0  
User-Agent: MSFrontPage/4.0  
Accept: auth/sicily  
Content-Length: 241  
Content-Type: application/x-www-form-urlencoded  
X-Vermeer-Content-Type: application/x-www-form-urlencoded  
Connection: Keep-Alive  
  
method=list+documents%3a3%2e0%2e2%2e1706&service%5fname=&listHiddenDocs=false&li  
stExplorerDocs=false&listRecurse=false&listFiles=true&listFolders=true&listLinkI  
nfo=false&listIncludeParent=true&listDerivedT=false&listBorders=false&initialUrl  
=  
  
This is where we get the good stuff. Of course as you can see, Explorer is   
being pretty nice (notice also the version number in the request). What we   
really want to do is change some of those settings like listHiddenDocs=True and   
listExplorerDocs=True and listLinkInfo=True and listIncludeParent=true. And of   
course, to browse other directories, you change the initialURL value (i.e.,   
initialUrl=cgi%2dbin).   
  
To retreive a file, you send this as the POST data:  
method=get+document%3a3%2e0%2e2%2e1105&service%5fname=&document%5fname=about%2fd  
efault%2ehtm&old%5ftheme%5fhtml=false&force=true&get%5foption=none&doc%5fversion  
=  
  
In all I have found many commands you can send. I haven't tested them nor do I   
know their exact parameters and I'm not sure if they can all be used remotely,   
but there is certainly much room for exploring. And some commands are limited   
to admins while others are available to authors as well. In fact, some commands   
are available to everyone. Thats how FrontPage is able to list subwebs of a   
site without logging in.  
  
FRONT PAGE SECURITY  
  
Unfortunately, when you install the FrontPage server extensions, there are no   
security limitations implemented. And it is very easy to get confused because   
the whole thing is based on the ACLs of a few files. It would be very easy even   
for even an experienced admin to overlook FrontPage security. Imagine this   
scenario:  
  
A company is using FrontPage to author their public web site. Their web server   
is considered very secure and the administrator has taken many steps to keep   
hackers out. The network firewall restrictions are very tight, so that web and   
FTP access is all that anyone gets. The administrator knows that the FrontPage   
server extensions aren't as strong as they should be so he has the web developer   
author the web site on his own Windows 98 computer then use FTP to upload to the   
server. The web developer has installed the personal web server that comes with   
FrontPage so that he has his own local copy of the web that he uses for   
development. His computer is on the internal network and is not exposed to the   
internet. In fact, it is nowhere near the internet since it is in his office   
which is across the building from the server.  
  
Then along comes a hacker that is trying to break in to their web site. He sees   
that main web server is very secure so he does a zone transfer for that company   
and finds they own a whole class c network. He scans the internal network but   
his pings fail and it appears that a firewall is in place. He then scans their   
network for port 80 and sees that it isn't being filtered. In fact, he has   
located several ports open, one on a seemingly insignificant box. He types that   
address into his browser and finds that it seems to be a mirror of their main   
site. But then he tries to create a WebFolder with that address and it   
immediately connects without even prompting for a password. He starts his work,   
grabbing global.asa to get their SQL Server password, installing a few trojan   
ASP pages, one which allows querying the SQL Server database and then the usual   
cmd.exe, nc.exe, getadmin.exe, and/or perl.exe executables. About an hour later   
he has everything he wants (whatever that may be) as well as a few extras, such   
as this company's login to the Microsoft's Solution Partner area and some porn   
he found in the developer's internet cache. When he's done, he deletes his   
files and doesn't even bother with logs since it's not even logging (why should   
it, its just a development system?). He does leave in one inconspicious trojan   
ASP page hoping that it will eventually make its way to the main web server then   
he closes the WebFolder and he's done.  
  
Sure, some of you may say that this vulnerability is dependent upon some   
misconfigurations and oversights but unfortunately (or fortunately, depending on   
who you are) these misconfigurations and oversights are way too common. If   
FrontPage doesn't prompt you for a password when you open your site, it won't be   
prompting anyone else either. And what if someone just installed FrontPage to   
check it out but never used it? This site will still be vulnerable even though   
they may have never created a FrontPage web. Or what if the web author gets   
sick of entering a password each time he connects so just sets his password   
blank? The sad fact is that as long as there are passwords, there will always   
be bad passwords. How secure is that copy of FrontPage you run on your own   
system? Have you checked?  
  
To test a site, you can either open it in FrontPage, add it as a WebFolder, or   
here's another way:  
  
Create a file named listdocuments that contains the following (you will want to   
change the host):  
  
POST /_vti_bin/_vti_aut/author.dll HTTP/1.1  
MIME-Version: 1.0  
Accept: auth/sicily  
Content-Length: 219  
Host: www.yourhosthere.com  
Content-Type: application/x-www-form-urlencoded  
X-Vermeer-Content-Type: application/x-www-form-urlencoded  
Connection: Keep-Alive  
  
method=list+documents%3a3%2e0%2e2%2e1706&service%5fname=&listHiddenDocs=true&lis  
tExplorerDocs=true&listRecurse=false&listFiles=true&listFolders=true&listLinkInf  
o=false&listIncludeParent=true&listDerived=false&listBorders=false  
  
Then using NetCat, do something like this:  
  
nc -v www.targethost.com 80 < listdocuments  
  
Another interesting point is that since FrontPage security is based on ACLs   
those three FrontPage dll files, a file system such as FAT that doesn't have   
ACLs will be completely open to WebFolder connections no matter what you do.  
  
Another thing I would like to point out is that since WebFolders and FrontPage   
connect to sites the same way, you could also use the FrontPage Explorer to   
connect to a site. The benefit of using the FrontPage Explorer is that you can   
also change permissions on files and view hidden directories and files. Another   
interesting point is that ADO 2.5 provides OLE DB access to web folders so it   
would be very easy to write a script or application that will scan networks for   
vulnerable servers. And of course you could also use any Office 2000   
application and VBA to connect to remote servers. Finally, interactive and   
network accounts can list the directories (rx) of the web root. This is so that   
the FrontPage Explorer can list the sub webs. If you use FrontPage Explorer to   
connect to a web site, you will be given a list of sub webs to connect to as   
well. This can be done by anyone without any authentication  
  
Given some thought, one could take these concepts a lot farther. Here are some   
other concepts to ponder:  
  
1. Administrators are always given full admin access to FrontPage webs so   
that may be a good user to use in a brute-force attack;  
2. FrontPage has executable access to many system dll's including   
msvcrt40.dll, netapi32.dll, rpcltcl.dll, samlib.dll, and wsock32.dll;  
3. If IIS is set to run dll's in-process, then one could replace the   
FrontPage dll's with a trojan. These dll's do not even have to be in the   
same location, just named the same;  
4. A user's local login and password may be sent to the server using basic   
authentication without the user knowing it  
  
The FrontPage is a wonderful world full of unexplored exploits and   
vulnerabilities. Its a shame more time hasn't been spent exploring this more.   
It also goes to show that the more we try to close doors, the more software   
vendors open up new ones. Forget BO2k and NetBus, Microsoft did a much better   
job.  
  
.sozni  
  
  
`
JSON