razor.dvwssr.txt

23 Apr 2000 - Reported by Simple Nomad - Type: packetstorm - Source: packetstormsecurity.com

Risks of dvwssr.dll require investigation for NT systems; buffer overflow and access concerns noted.

BindView RAZOR Team Analysis of DVWSSR.DLL Risks
  
Risks Uncovered:  
================  
  
The risks of having dvwssr.dll are not as severe as originally reported in
media outlets Friday morning, but they are still severe enough that system
administrators responsible for NT systems should investigate. The risks
depend on whether or not a certain DLL is loaded, how rights on it are set, and
potentially how FrontPage 98 is used.
  
1. If you have Microsoft NT 4 with the Option Pack loaded and FrontPage  
98, you have the vulnerable dvwssr.dll loaded.  
  
2. To run the DLL remotely you need to have read access to the DLL. This
is not assigned by default. Typically on systems with multiple virtual
hosts the administrator could have put everyone with a virtual host on
the system into a group and given that group access to the DLL. This would
mean that any virtual host maintainer could look at other hosts' files.
Obviously a misconfigured host might allow anonymous access, but that
would require purposeful action by the administrator.
  
3. The files in question are asp files. This dll gives you the ability to  
read asp source, so it is possible that hardcoded user names and passwords  
to backend systems may be viewed. This is essentially the risk that Rain  
Forest Puppy found.  
  
4. There exists a buffer overflow in dvwssr.dll. At offset 0x581811C9
in the DLL is an unchecked lstrcpy. By sending a large string of
characters, dvwssr.dll can be overflowed. By carefully constructing
these characters, it is possible to remotely execute commands as "system",
which can be used for elevating privileges. The buffer overflow was
uncovered by CoreSDI.
  
5. In theory, if you can get the hash of a user with the required access, you
can exploit the buffer overflow. This is called "passing the hash", and
essentially means that you use the hash without cracking the password to  
authenticate to the target server. See  
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9704&L=NTBUGTRAQ&P=R2734&D=0  
for details from RAZOR's Paul Ashton on the basis for this technique. This  
technique is currently one of the stars of Foundstone's "Hacking Exposed:  
Live" presentations being put on by George Kurtz and Eric Schultze at  
security shows around the globe. Certainly in theory this could be adapted  
to this exploit.  
  
6. Sniffing the NT LanMan password hash being sent by a legitimate FP98
user using L0phtcrack, and subsequently cracking the password, would
certainly give you the proper access to run the DLL, and therefore elevate
privileges. This would of course mean that the sniffer would have to be
located between the legitimate user and the target server, but that is not
beyond the realm of possibility.
  
Detection of the DLL:  
=====================  
  
Detection is quite simple. The following examples use NetCat:  
  
Example 1:  
$ nc -v -w2 target.system 80  
GET /_vti_bin/_vti_aut/dvwssr.dll HTTP/1.0 (hit enter twice)  
  
HTTP/1.0 500 Server Error (The system could not find the environment  
option that was entered. )  
  
The 500 error means dvwssr.dll is not present.  
  
Example 2:  
$ nc -v -w2 target.system 80  
GET /_vti_bin/_vti_aut/dvwssr.dll HTTP/1.0 (hit enter twice)  
  
HTTP/1.0 401 Access Denied  
  
The 401 error means dvwssr.dll is present but you do not have the rights to it.  
  
Example 3:  
$ nc -v -w2 target.system 80  
GET /_vti_bin/_vti_aut/dvwssr.dll HTTP/1.0 (hit enter twice)  
  
Connection closed by foreign host.  
  
A closed connection means that you had the rights to run the DLL, but
since no parameters were passed the server simply closed the connection.
  
Users of BindView's HackerShield can use the Rapid Fire Update released on
the evening of April 14 to detect the presence of the DLL on the systems
they manage.
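A small probe that automates the three netcat checks above, as an added example that is not from the advisory and is not BindView's HackerShield. It sends the same bare HTTP/1.0 request and sorts the reply into the advisory's three cases. The added Host header, the "other"/"unknown" labels for status codes the advisory does not list, the host names and the sample replies are this example's own assumptions.

```python
# dvwssr_probe.py -- added example, not from the advisory or from BindView.
# Sends the bare request the netcat transcripts type by hand and classifies
# the reply into the advisory's three outcomes.
import socket
import sys

DVWSSR_PATH = "/_vti_bin/_vti_aut/dvwssr.dll"


def build_request(host, path=DVWSSR_PATH):
    """Bare GET as in the netcat examples; the empty line ends the headers
    ("hit enter twice"). The Host header is this example's addition so that
    virtual-hosted sites (see point 2) are probed by name, not just by IP."""
    return ("GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, host)).encode("ascii")


def classify(response):
    """Map a raw reply to the advisory's outcomes.

    response is the bytes the server sent, or None/b"" when it closed the
    connection without sending anything (netcat's 'Connection closed by
    foreign host').
      500   -> "absent"              (DLL not present)
      401   -> "present-no-rights"   (DLL present, caller lacks read access)
      empty -> "present-accessible"  (DLL ran with no parameters, then closed)
    Any other status is returned as "other:<code>" for the operator to judge
    (the advisory lists none); a reply that is not HTTP at all is "unknown".
    """
    if not response:
        return "present-accessible"
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return "unknown"
    code = parts[1].decode("ascii")
    if code == "500":
        return "absent"
    if code == "401":
        return "present-no-rights"
    return "other:" + code


def probe(host, port=80, timeout=2.0):
    """Connect, send the request and return the raw reply, or None if the
    peer closed (FIN or RST) before sending anything. Mirrors nc -w2.
    Connection failures (unreachable host) are left to raise, so they are
    never mistaken for the 'closed without reply' case."""
    sock = socket.create_connection((host, port), timeout=timeout)
    chunks = []
    try:
        sock.sendall(build_request(host))
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    except (ConnectionResetError, socket.timeout):
        # A reset is treated like a close; a timeout keeps what arrived so far.
        pass
    finally:
        sock.close()
    return b"".join(chunks) or None


# Constructed replies modelled on the three transcripts above (not captured
# from a real server); used for offline checks of classify().
SAMPLE_REPLIES = {
    "absent": (b"HTTP/1.0 500 Server Error\r\nContent-Type: text/html\r\n\r\n"
               b"The system could not find the environment option that was entered."),
    "no_rights": b"HTTP/1.0 401 Access Denied\r\nWWW-Authenticate: NTLM\r\n\r\n",
    "accessible": None,
}


def main(argv):
    if len(argv) < 2:
        print("usage: dvwssr_probe.py host [port]")
        return 2
    host = argv[1]
    port = int(argv[2]) if len(argv) > 2 else 80
    print(host, classify(probe(host, port)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python dvwssr_probe.py target.system`. An empty reply is the advisory's "you have rights" case, but a device in the path that silently drops the request produces the same result, so confirm "present-accessible" by hand before acting on it.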
  
Elimination of Vulnerability:  
=============================  
  
Microsoft's original recommendation of removal of the DLL still stands as  
this eliminates the vulnerability completely. See  
http://www.microsoft.com/technet/security/bulletin/ms00-025.asp for  
details.  
  
Credits  
=======  
  
The technical details in this analysis were provided by Todd Sabin and  
Paul Ashton of BindView's RAZOR team (in addition to information made  
public by Rain Forest Puppy and CoreSDI).  
  
- Simple Nomad - No rest for the Wicca'd -  
- [email protected] - www.nmrc.org -  
- [email protected] - razor.bindview.com -  
