PROBLEM: Several vulnerabilites may be exploited in Microsoft's Internet Information Server (IIS). PLATFORM: All platforms running IIS versions 1.0, 2.0, 3.0, and 4.0 DAMAGE: An outsider can gain access to the source code of scripts, possibly containing usernames and passwords, locations of MS Access MDB files or other sensitive information. SOLUTION: Apply the patches indicated below. Install Service Pack 1 for Windows 2000.
VULNERABILITY The risk is HIGH. The vulnerabilites and exploits have been ASSESSMENT: discussed in public forums.
[ Start iDEFENSE Analysis Report ] Automated Web Interface Scans IIS for Multiple Vulnerabilities A newly released automated Web interface scans Microsoft's Internet Information Server (IIS) for multiple reported IIS vulnerabilities. Through successful exploitation of these vulnerabilities, an attacker can gain access to the source code of scripts, possibly containing usernames and passwords, locations of MS Access MDB files or other sensitive information. This Web interface could be used to scan unsuspecting systems to identify vulnerabilities prior to an attack. Using the automated Web interface, a Czech Republic security firm reported being able to penetrate dozens of systems and obtain information from email addresses to usernames and passwords. This interface is publicly available on a Web site hosted in the Czech Republic. Due to the public release of this interface, coupled with the long length of time these vulnerabilities have been known, iDEFENSE Intelligence Services expects an increase of exploits against systems operating IIS. The following vulnerabilities are among those being scanned for by the automated Web interface: Codebrws.asp Codebrws.asp is a viewer file that ships with Microsoft IIS, but is not installed by default. The viewer is intended to be installed by the administrator to allow for the viewing of sample files as a learning exercise; however, the viewer does not restrict what files can be accessed. A remote attacker can exploit this vulnerability to view the contents of any file on the victim's server. However, there are several issues to be aware of: 1. Codebrws.asp is not installed by default. 2. The vulnerability only allows for viewing of files. 3. The vulnerability does not bypass WindowsNT Access Control Lists (ACLs). 4. Only files in the same disk partition can be viewed. 5. Attackers must know the location of the requested file. Microsoft has released a patch for this vulnerability located at ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/Viewcode-fix/. Null.htw Microsoft IIS running with Index Server contains a vulnerability through Null.htw even if no .htw files exist on the server. The vulnerability displays the source code of an ASP page or other requested file. The ability to view ASP pages could provide sensitive information such as usernames and passwords. An attacker providing IIS with a malformed URL request could escape the virtual directory, providing access to the logical drive and root directory. The "hit-highlighting" function in the Index Server does not adequately restrain what types of files may be requested, allowing an attacker to request any file on the server. Microsoft has released a patch for Windows 2000 addressing this vulnerability. The patch is located at http://www.microsoft.com/downloads/release.asp?ReleaseID=17726. +.HTR The +.HTR vulnerability (iAlert, July 17, 2000), allows for the viewing of certain file types. Requesting a filename with an appendage of "+" and .htr will force IIS to call ISM.DLL ISAPI to open the target file. If the target file is not a .HTR file, part of the target files source code will be revealed. Microsoft has released a patch addressing the .HTR vulnerability located at http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22709 for version 4.0 and http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22708 for version 5.0. Translate:f A newly reported vulnerability in Microsoft's IIS is the Translate:f vulnerability. An attacker requesting a file with a specialized header and one of several particular characters at the end will prevent ISAPI processing from taking place. This will allow for the display of the source code of the requested file, including .ASP pages. Microsoft has released a patch addressing this vulnerability located at http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23769. $DATA The $DATA vulnerability, published in mid-1998, results from an error in the way the Internet Information Server parses file names. $DATA is an attribute of the main data stream (which holds the "primary content") stored within a file on NT File System (NTFS). By creating a specially constructed URL, it is possible to use IIS to access this data stream from a browser. Doing so will display the code of the file containing that data stream and any data that file holds. This method can be used to display a script-mapped file that can normally be acted upon only by a particular Application Mapping. The contents of these files are not ordinarily available to users. However, in order to display the file, the file must reside on the NTFS partition and must have ACLs set to allow at least read access; the unauthorized user must also know the file name. Microsoft Windows NT Server's IIS versions 1.0, 2.0, 3.0 and 4.0 are affected by this vulnerability. Microsoft has produced a hotfix for IIS versions 3.0 and 4.0. The fix involves IIS "supporting NTFS alternate data streams by asking Windows NT to make the file name canonical" according the Microsoft. The fixes are available from: ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/iis3-d atafix/iis3fixi.exe for IIS 3.0 on Intel, ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/iis3-d atafix/iis3fixa.exe for IIS 3.0 on Alpha, ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/iis4-d atafix/iis4fixi.exe for IIS 4.0 on Intel and ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/ iis4-datafix/iis4fixa.exe for IIS 4.0 on Alpha. Customers are strongly urged to obtain Service Pack 1 for Windows 2000. Service Pack 1 contains fixes for these vulnerabilities in IIS 4.0 and 5.0 along with patches for several unrelated vulnerabilities. Service Pack 1 for Windows 2000 may be obtained from http://www.microsoft.com/windows2000/downloads/recommended/sp1/x86Lang. asp. [ End iDEFENSE Analysis Report ]
Voice: +1 925-422-8193 (7 x 24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: firstname.lastname@example.org World Wide Web: http://www.ciac.org/ http://ciac.llnl.gov (same machine -- either one will work) Anonymous FTP: ftp.ciac.org ciac.llnl.gov (same machine -- either one will work)