Hackers Handbook - Millenium Edition

home *** CD-ROM | disk | FTP | other *** search

/ Hackers Handbook - Millenium Edition / Hackers Handbook.iso / library / hack99 / ms-personal-webserver-path.txt < prev next >

Wrap

Text File | 1999-03-24 | 11.8 KB | 422 lines

Personal web server kiborg (contact@kiborg.net) Wed, 17 Jan 1996 22:30:13 +0200 Hello, Sorry if this has already been known. But i didn't find something of the sort. While playing with Microsoft Personal Web Server (Frontpage-PWS32/3.0.2.926). I found that the following URL will list the root directory and be able to download any file you want. http://www.victim.com/....../ Index of /....../ WINDOWS My Documents Program Files FrontPage Webs AUTOEXEC.BAT COMMAND.COM and so on....... ----- contact@kiborg.net Tavo laiskai, Lietaus lasai, http://www.kiborg.net Papasakos man tiek daug pa pa-rara ! --------------------------------------------------------------------------- Re: Personal web server Sean Coates (sean@SPATULA.ML.ORG) Mon, 18 Jan 1999 14:12:32 -0400 kiborg wrote: > Hello, > > Sorry if this has already been known. But i didn't find something of the > sort. > While playing with Microsoft Personal Web Server > (Frontpage-PWS32/3.0.2.926). > I found that the following URL will list the root directory and be able to > download any file you want. > http://www.victim.com/....../ > That seems to be fixed in the windows98 version of PWS (http://24.231.6.49/....../ returns server error 161) Sean Coates scoates@usa.net sean@spatula.ml.org --------------------------------------------------------------------------- Date: Tue, 19 Jan 1999 10:21:24 -0800 From: Aleph One <aleph1@UNDERGROUND.ORG> To: BUGTRAQ@netspace.org Subject: Re: Personal web server Here are some feedback from people. Results vary wildly. No: Windows NT 4.0 SP3 ("kiborg" <contact@kiborg.net>) Windows NT 4.0 SP4 (Russ) Windows NT 4.0 SP4 PWS 4.02.0622 Windows 2000 beta 2 ("John Sweeney" <quantium@mediaone.net>) Windows 98 (Sean Coates scoates@usa.ne) Yes: Windows 95 ("kiborg" <contact@kiborg.net>) Windows 98 ("kiborg" <contact@kiborg.net>) Windows 98 + fixes & patches ("David Schwartz" <davids@webmaster.com>) Someone mentioned this may be the fault of FrontPage. It asks you to install PWS when you install FP. It may be possible that FP is configuring PWS in such a way to leave it open. -- Aleph One / aleph1@underground.org http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01 --------------------------------------------------------------------------- Date: Thu, 18 Jan 1996 23:44:37 +0200 From: kiborg <contact@kiborg.net> To: BUGTRAQ@netspace.org Subject: Re: Personal web server >An attempt to do this on a Windows NT 4.0 WS (with SP4) failed with a >404 error as expected. Yes on NT 4.0(SP3) i get the same. 404 Not Found The requested URL /....../ was not found on this server. >Maybe Kiborg can tell us on what platform this was successfully >performed on together with what, if any, security was configured on said >box. I did check on : Win95 worked. Win98 worked. and on NT 4.0 (SP3) failed with 404 error. > >Obviously /....../ shouldn't match to any directory by any convention >I'm aware of, so its clearly some sort of problem. To determine, >however, the extent of the risks for Win9x users of PWS we should know >how the site was being secured, configured, and accessed. Well i discovered what http://127.0.0.1/..../ or http://127.0.0.1/........./ (must be more than 3 dots /..../) will show the root directory. ----- contact@kiborg.net Tavo laiskai, lietaus lasai http://www.kiborg.net papasakos man tiek daug pa pa-rara ! --------------------------------------------------------------------------- Date: Tue, 19 Jan 1999 13:51:48 -0800 From: Michael Howard <mikehow@MICROSOFT.COM> To: BUGTRAQ@netspace.org Subject: Re: Personal web server the frontpage team are looking at it now - as sean noted, the iis codebase in pws does not have this issue. i'll fwd more info to this alias as soon as i get more info from the fp team. Cheers, MH IIS Security --------------------------------------------------------------------------- Date: Tue, 19 Jan 1999 15:13:51 MST From: Fredrick Moore <fdmore@USA.NET> To: BUGTRAQ@netspace.org Subject: Re: Personal Web Server >From: Ilya Varlashkin <ilya@ripn.net> >GET /....../ ><HEAD><TITLE>404 Not Found</TITLE></HEAD> ><BODY><H1>404 Not Found</H1> >The requested URL /....../ was not found on this server.<P> ></BODY> >Connection closed by foreign host. Kiborg <contact@kiborg.net> was rite, it works. My testings. Server: FrontPage-PWS32/3.0.2.926 OS: Win95 During installation process i installed only PWS without any other components. Let's test http://127.0.0.1/....../ Index of /....../ (worked) I removed PWS, and installed Typical setup (including: FrontPage client software, personal web server, FrontPage extensions) Let's test. http://127.0.0.1/....../ 404 Not Found The requested URL /....../ was not found on this server. (failed) Ok let's run command.com C:\windows\other\dirs\>cd \......\ C:\> Maybe this is the problem? Does this work with Win98?? >So it seems something is wrong with your PWS settings Maybe, but i installed freshly without changing anything. Anyway i think microsoft must check this out. --------------------------------------------------------------------------- Date: Tue, 19 Jan 1999 18:37:55 -0400 From: Sean Coates <sean@SPATULA.ML.ORG> To: BUGTRAQ@netspace.org Subject: Re: Personal web server Michael Howard wrote: > the frontpage team are looking at it now - as sean noted, the iis codebase > in pws does not have this issue. i'll fwd more info to this alias as soon as > i get more info from the fp team. > > Cheers, MH > IIS Security > It seems that servers which are branded "IIS" _DO_ have the problem, and servers branded with "PWS" do NOT have the problem. For instance, the server at 24.231.6.49 returns a server version of "Microsoft-PWS-95/2.0" yet the server at 24.231.6.205 returns "Microsoft-IIS/4.0" and the server at 24.231.6.2(www.ebci.ca) returns "Microsoft-IIS/4.0 Beta 3". the *.49 server is not vulnerable, and neither is the *.2 server, but the *.205 server IS vulnerable (I told the admin of this machine about the problem, so it may be fixed by the time this reaches bugtraq.) By talking to the admin of each server, I've concluded that the *.49 server is a downloaded version of PWS, running on windows98, the *.205 server is PWS from the windows98 CD (OEM, as far as I know), running on Win98, and the *.2 server is actually IIS, running on Windows NT Server 4. Sorry about the confusion of my earlier post, hope this clears it up. My luck, it'll probably just make it worse. (-; Sean Coates sean@spatula.ml.org scoates@usa.net --------------------------------------------------------------------------- Date: Wed, 20 Jan 1999 11:57:19 +0300 From: Victor Lavrenko <lavrenko@MCST.RU> To: BUGTRAQ@netspace.org Subject: Bug in IIS and PWS but only for Windows 9x. Re: Personal web server >>>>> "Aleph" == Aleph One <aleph1@UNDERGROUND.ORG> writes: Hello everybody. This bug exists because Windows 9x has a nice feature. When you excecute "cd .." it goes to the parent directory, and "cd ..." goes to the parent directory of parent directory etc. Windows NT has no such feature so it isn't exploitable. IIS 4.0 and PWS 3.0 exploitable while executed under Windows 9x only, not Windows NT. Aleph> No: Aleph> Windows NT 4.0 SP3 ("kiborg" <contact@kiborg.net>) Windows [skip] Aleph> Windows 98 (Sean Coates scoates@usa.ne) Sean checked box with PWS 2.0. Due to another bug in its core, it seems that is not exploitable. PWS 3.0 doesn't have such bug so it is exploitable. Aleph> Yes: Aleph> Windows 95 ("kiborg" <contact@kiborg.net>) Windows 98 [skip] Aleph> it open. PWS and IIS (they have the same core) check for ".." in URL, but don't check for "...", "...." etc. Summary: 1. IIS 4.0 and PWS 3.0 exploitable under Windows 9x. 2. IIS (any version) and PWS (any version) not exploitable under Windows NT. 3. PWS 2.0 and (possibly) IIS 3.0 not exploitable under Windows 9x. -- Victor Lavrenko Homepage: http://www.lavrenko.pp.ru/ E-mail: lavrenko@mcst.ru lavrenko@cs.msu.su Fingerprint: 35 D0 98 8D 96 E5 F4 BA 59 FB 9D 29 92 26 F5 59 --------------------------------------------------------------------------- Date: Wed, 20 Jan 1999 16:59:48 -0800 From: Aleph One <aleph1@UNDERGROUND.ORG> To: BUGTRAQ@netspace.org Subject: Re: Personal web server Here is a summary of the problem so far. Windows 95/98 treat "...." as "..\.." and "......" as "..\..\..". Personal Web Server does not check for these "aliases" and allows the request. This can be used to access files and directories above the virtual web root. Disabling directory browsing only does what it says, disables directory browsing. If an attcker can guess a path and name of a file, and it is in the same drive as the web server, he can retrieve the file. The problem only affects FrontPage Personal Web Server. This is the version shipped with FrontPage. The version not affected is the Microsoft Personal Web Server. I tought we've seen the last of these Windows file aliases vulnerabilities. Guess I was wrong. Incredible the amount of cruft the Windows file name parser will take. Wonder what other wonderful aliases are waiting to be discovered. -- Aleph One / aleph1@underground.org http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01 --------------------------------------------------------------------------- Date: Thu, 21 Jan 1999 12:03:57 -0800 From: Aleph One <aleph1@UNDERGROUND.ORG> To: BUGTRAQ@netspace.org Subject: Re: Personal web server Thanks to Xiaoyong Wu <xiaoyong_wu@yahoo.com> for pointing out more Windows weirdness. Under Windows NT 4.0 SP3: C:\> cd TEMP C:\TEMP> cd ... C:\TEMP> cd .... C:\TEMP> cd ..... C:\TEMP> [ It seems NT interprets N+3 dots as '.' ] C:\TEMP> cd ..\ C:\> [ It seems NT interprets '..\' as '..'. Makes sense as '\' is directory delimiter character for paths. ] C:\TEMP> cd ...\ C:\> C:\> cd TEMP C:\TEMP> cd ...\WINNT C:\WINNT> [ Whoa. Now NT interprets '...\' as '..'. Bad. Real bad. ] C:\TEMP> mkdir TEST C:\TEMP> cd TEST C:\TEMP\TEST> cd ...\ The system cannot find the path specified. [ Hmm. But it doesn't work in directories more that one deep. ] C:\TEMP> cd ..\...\ C:\> [ That figures. ] C:\TEMP\TEST> cd ..\... C:\TEMP> cd ....\ C:\TEMP> [ Hmm. Now NT interprets '....\' as '..'. Weird. But wait it gets stranger. ] C:\> cd TEMP C:\TEMP> cd ....\ C:\TEMP> cd ....\ C:\> [ Huh? The first '....\' as interpreted as '.' and the second as '..'. But... ] C:\> cd TEMP C:\TEMP> cd TEST C:\TEMP\TEST> cd ....\ C:\TEMP\TEST> cd ....\ The system cannot find the path specified. C:\TEMP\TEST> cd .. C:\TEMP\TEST> cd .. C:\TEMP> [ Now in a directory two levels deep the first '....\' is interpreted as '..' while the second one gives an error. The first '..' is interpreted as '.' while the second one works as normal. ] C:\TEMP> cd ....\ C:\TEMP> cd TEST The system cannot find the path specified. C:\TEMP> cd . C:\TEMP> cd TEST C:\TEMP\TEST> [ It seems that '....\' also breaks trying to cd to subdirectories. ] The '....\' problems seems to appear for any such string with N+4 dots followed by a slash. I can only guess on the many other ways they may try to interpret pathnames. -- Aleph One / aleph1@underground.org http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01 --------------------------------------------------------------------------- Date: Fri, 22 Jan 1999 18:46:53 -0000 From: Ian O'Friel <genius@GLASGOW.CROSSWINDS.NET> To: BUGTRAQ@netspace.org Subject: Re: Personal Web Server I'm not sure if this point has been raised before now, but with the recent issues containing about /....../ and so on, Shares are accessible via personal Web Server. For Example, I tried sharing my WinZip Directory as 'Test' and strangely enough http://127.0.0.1/Test/ brought up the WinZip Directory. Does anyone know of problems caused by this ? Ian O'Friel