-----BEGIN PGP SIGNED MESSAGE-----
__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
File Access Issue With Internet Information Server
July 9, 1998 15:00 GMT Number I-068
______________________________________________________________________________
PROBLEM: A vulnerability has been identified that affects Microsoft
Internet Information Server (IIS).
PLATFORM: Microsoft Internet Information Server (IIS) versions 1.0, 2.0,
3.0, 4.0.
Microsoft Peer Web Server version 2.0, 3.0.
Microsoft Personal Web Server version 4.0 on Windows NT 4.0
workstation.
DAMAGE: Web clients with "read access" have access to read any NTFS
file in the IIS v-root directory (virtual root).
SOLUTION: Upgrade or apply hotfixes.
______________________________________________________________________________
VULNERABILITY Microsoft urges you to act on this information as soon as
ASSESSMENT: possible.
______________________________________________________________________________
[ Start Microsoft Advisory ]
Microsoft Security Bulletin (MS98-003)
File Access issue with Internet Information Server
Last Revision: July 8, 1998
Summary
=======
Recently Paul Ashton reported an issue on the NTBugtraq mailing
list (http://www.ntbugtraq.com) that affects Microsoft Internet
Information Server (IIS). Web clients that connect to IIS can read
the contents of any NTFS file in an IIS v-root directory to which
they have been granted "read access". They can read these files
even if the file is marked for "applications mappings", such as
used with Active Server Pages scripts.
The purpose of this bulletin is to inform Microsoft customers of this
issue, its applicability to Microsoft products, and the availability
of countermeasures Microsoft has developed to further secure its
customers.
Issue
=====
The native Microsoft(r) Windows NT(r) file system, NTFS, supports
multiple data streams within a file. The main data stream, which stores
the primary content has an attribute called $DATA. Accessing this NTFS
stream via IIS from a browser may display the contents of a file that
is normally set to be acted upon by an Application Mapping.
For example, .ASP files are mapped such that they are executed by
the Active Server Pages scripting agent on the server, rather than
simply returning the contents of a file, as is done with standard
.htm files. Normally direct contents of the these script-mapped
files should not be returned to the user. However, by requesting the
file using the its complete data stream name, a web browser could
obtain the contents of the script file. In some cases, the file
might contain sensitive information such as embedded passwords or
other sensitive "business logic" information.
This issue does not give the user, who was able to access the script
file, the ability to alter the script on the server, or force the server
to run any arbitrary code. The only exposure here is to the plain text
contents of the script file.
The issue is a result of how IIS parses filenames. The fix involves
IIS supporting NTFS alternate data streams by asking Windows NT to
canonicalize the filename.
For the problem to occur:
- The user must know the name of the file
- The ACLs on the file must allow the user read access
- The file must reside on an NTFS partition
Affected Software Versions
==========================
- Microsoft Internet Information Server versions 1.0, 2.0, 3.0, 4.0
- Microsoft Peer Web Server versions 2.0, 3.0
- Microsoft Personal Web Server version 4.0 on Windows NT 4.0 Workstation
What Microsoft is Doing
=======================
The Microsoft Product Security Response Team has produced a hotfix for
Microsoft Internet Information Server versions 3.0 and 4.0.
Additionally, some administrative workarounds are included below.
What customers should do
========================
Microsoft strongly recommends that customers using IIS versions 3.0
and 4.0 should apply the hotfix.
Customers running previous versions of IIS should upgrade to a more
recent version (3.0 or 4.0).
The following hotfixes are available from the Microsoft FTP download
server under
ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/
IIS 3.0 (Intel x86) hotfix /iis3-datafix/iis3fixi.exe
IIS 3.0 (Alpha) hotfix /iis3-datafix/iis3fixa.exe
IIS 4.0 (Intel x86) hotfix /iis4-datafix/iis4fixi.exe
IIS 4.0 (Alpha) hotfix /iis4-datafix/iis4fixa.exe
As localized versions of this hotfix are produced, they will appear
in the respective language directories under
ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/(lang)/security
Administrative workaround
=========================
Customers who cannot apply the hot fix can use the following workaround
to temporarily address this issue:
Normally, web users do not need "read" access to script files, such
as .ASP files. They simply need "execute" permissions. Removing "read"
access to these files for non-administrative users will remove this
exposure.
For additional protection, the Application Maps can be modified in
IIS 4.0 to take into account the existence of the alternate data
streams. More details on this workaround are available in the
Microsoft Knowledge Base article Q188806 (see the "More Information"
section below for the URL).
In addition, the following practices can help to further improve
security for your IIS servers:
- Periodically review the users and groups who have access to the web
server: Review the users and groups and their permissions to ensure
that only valid users have the appropriate permissions.
- Use auditing to detect for suspicious activity: Apply auditing
controls on sensitive files and review these logs periodically to
detect suspicious or unauthorized behavior.
- Set "read" and "execute" permissions appropriately: ASP and other
script files do not need to be readable by users that access them
through IIS, rather they need to be executable. Thus, it is
advisable to remove "read" access from these files for normal users.
More Information
================
Please see the following references for more information related to
this issue.
- Microsoft Security Bulletin 98-003, File Access issue with Internet
Information Server (the web-posted version of this bulletin),
http://www.microsoft.com/security/bulletins/ms98-003.htm
- Microsoft Knowledge Base article Q188806, NTFS Alternate Data Stream
Name of a File May Return Source,
http://support.microsoft.com/support/kb/articles/q188/8/06.asp
- Microsoft Knowledge Base article Q105763, HOWTO: Use NTFS Alternate
Data Streams,
http://support.microsoft.com/support/kb/articles/q105/7/63.asp
Revisions
=========
July 2, 1998: Bulletin Created
July 6, 1998: Updated information on the availability of hotfix for IIS
4.0 and Alpha version as well. Added additional information
on workaround, and more thorough issue description.
July 8, 1998: Updated to include information about localized versions of
the hotfix. Updated information about products affected.
For additional information on security with Microsoft products, please visit
http://www.microsoft.com/security
==============================================================================
=
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY
OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION
MAY NOT APPLY.
(c) 1998 Microsoft and/or its suppliers. All rights reserved.
For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.
[ End Microsoft Advisory ]
______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Microsoft for the
information contained in this bulletin.
______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov
For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 925-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
(or http://ciac.llnl.gov -- they're the same machine)
Anonymous FTP: ftp.ciac.org
(or ciac.llnl.gov -- they're the same machine)
Modem access: +1 (925) 423-4753 (28.8K baud)
+1 (925) 423-3331 (28.8K baud)
CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
(SPI) software updates, new features, distribution and
availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the
use of SPI products.
Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:
E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
subscribe list-name
e.g., subscribe ciac-bulletin
You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email. This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.
If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
I-058: SunOS rpc.nisd Vulnerability
I-059: SUN ftpd Vulnerability
I-060: SGI IRIX OSF/DCE Denial of Service Vulnerability
I-061: SGI IRIX mediad(1M) Vulnerability
I-062: SGI IRIX BIND DNS named(1M) Vulnerability
I-063: RSI BSDI rlogind Vulnerability
I-064: SGI IRIX mail(1), rmail(1M), sendmail(1M) Vulnerabilities
I-065: SunOS ufsrestore Buller Overflow Vulnerability
I-066: Vulnerability in Some Implementations of PKCS#1
I-067: AutoStart 9805 Macintosh Worm Virus
-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition
iQCVAwUBNaUyV7nzJzdsy3QZAQGgqAP+NXL+oMKXYGH+F9ryLDk1sG0pSB9GJXcP
BTJQpXLsY7yCFugaBTWmIMSbSSO+MW99BRO/fmDAseugjIE+P9G04TU6ddlon+4M
8vpczL9Bbfz2bE4WkYUFilb0gl6IJ88EDOmmr112AqKQc22cIk5aj7yy2kNLiRCc
LM14eR8XSl8=
=gcxE
-----END PGP SIGNATURE-----
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
