---------------------------------------------------------------------------

Section 04

Fun with Other Web Servers

---------------------------------------------------------------------------

04-1. What are some known vulnerabilities with Microsoft Internet
      Information Server?

There are a few, and they are deadly. If a site is running Microsoft
Internet Information Server v1.0, the default installation leaves the
server wide open. The example hack illustrated here assumes that the CGI
directory is /scripts, there are no files called pfieffer.bat or
pfieffer.cmd in the scripts directory, and the web server links .bat and
.cmd files to cmd.exe. Just point your browser this way:

    http://www.target.com/scripts/pfieffer.bat?&dir+c:\+?&time

                                or

    http://www.target.com/scripts/pfieffer.cmd?&dir+c:\+?&time

Your browser will ask you to save a document. Start the save, and then
click the cancel button to stop the download. The "time" command on the
server never terminates anyway, so the execution process was never
completed. The server treats this as if you made a request and just
cancelled, so the entire transaction isn't logged. There will be some
info in some of the security logs, but no indication as to the machine
the attack came from.

You can also execute a batch file by:

    http://www.target.com/scripts/pfieffer.bat?&1STLINE+?&...+?&time

Just expand ... into a series of commands, make the last one the time
command, and you can execute a batch file remotely with no logging of
who you are. Remember, cancel the download, since the time command will
never finish. I leave the commands you send to your own discretion ;-)

This works only if the registry key HKEY_LOCAL_MACHINE\SYSTEM
\CurrentControlSet\Services\W3SVC\Parameters\ScriptMap contains

    .bat or .cmd=C:\WINNT35\System32\cmd.exe /c %s %s

If this isn't present then the above hacks will not work, and the attempt
will be logged. However it IS present after initial installation.

Note: that was Microsoft Internet Information Server v1.0. Microsoft
attempted to patch this problem, and according to the WWW Security FAQ
the problem is solved. This is not the case as of June 1, 1996! If the
server was downloaded after March 5, 1996 or has the .bat/.cmd patch
installed, you can still do a bit of intruding. Let's say test.bat
exists in /scripts:

    @echo off
    echo Content-type: text/plain
    echo.
    echo Hello World!

Now try this URL:

    http://www.target.com/scripts/test.bat+%26dir+%26time+%26pfieffer.exe

The test.bat file must be present in /scripts for this to work, but it
does work the same way as the previous methods (cancel the save, etc).

Another problem for IIS versions earlier than 1.0c is that the server
is not chrooted. A simple series of ".." and "../" can lead you to
retrieve any file off of the box.

A denial of service vulnerability exists using NT v4, SP1, and IIS v2.0.
Here's how to do it -

    - telnet nt.thegnome.com 80 (assuming port 80 for httpd)
    - GET ../..

Your fix? Reboot the server. Hopefully for you admins IIS 3.0 will
address this concern.

---------------------------------------------------------------------------

04-2. What are some known vulnerabilities with Netscape's NT Server?

There are a couple.

Netscape does not use the File Manager's extension association, so you
cannot use the first .bat/.cmd attack from 04-1 on an NT server running
Netscape. But you can try to execute a variation on the second attack.
Assuming /cgi-bin is where the scripts are:

    http://www.target.com/cgi-bin/test.bat?&dir

This executes test.bat and then gives you a directory listing.

The second one lies in the fact that until recently a Netscape tech note
recommended putting PERL.EXE in the /cgi-bin directory. This would allow
the site to call perl scripts from within /cgi-bin (remember, Netscape
doesn't use the File Manager's extension association), but also allows you
to send perl commands directly to the server. My favorite example in the
WWW Security FAQ is:

    http://www.target.com/cgi-bin/perl.exe?&-e+unlink+%3C*%3E

It erases all files in the current directory. Nasty.


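Added defensive example, not from the FAQ and not code from IIS or Netscape: every trick in 04-1 and 04-2 works because the server pastes the request's arguments onto a cmd.exe or perl command line, so the thing to look for in a log is a command separator (an ampersand, literal or %26-encoded) or a -e switch arriving after a .bat, .cmd or perl.exe handler name. The scanner below runs over constructed Common Log Format lines built from the page's own URLs; the handler list and the log format are assumptions. Keep the caveat from 04-1 in mind: the unpatched IIS 1.0 variant is cancelled before it is logged, so this only sees what the server (or a proxy in front of it) writes down, and the page notes the attempt is logged once the ScriptMap entry is gone.

```python
import re
from urllib.parse import unquote

# Script handlers the FAQ says get the query string pasted onto a cmd.exe or
# perl command line. Assumed list for this example; extend it to match your
# own ScriptMap entries.
COMMAND_HANDLERS = (".bat", ".cmd", "perl.exe")
HANDLER_RE = re.compile(
    "(" + "|".join(re.escape(h) for h in COMMAND_HANDLERS) + r")(?=$|[?+/ ])"
)

# Common Log Format request line (the log lines below are constructed).
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/1996:12:00:01 -0500] "GET /scripts/pfieffer.bat?&dir+c:\\+?&time HTTP/1.0" 200 0',
    '10.0.0.5 - - [01/Jun/1996:12:00:02 -0500] "GET /scripts/test.bat+%26dir+%26time+%26pfieffer.exe HTTP/1.0" 200 0',
    '10.0.0.9 - - [01/Jun/1996:12:00:03 -0500] "GET /cgi-bin/perl.exe?&-e+unlink+%3C*%3E HTTP/1.0" 200 0',
    '10.0.0.7 - - [01/Jun/1996:12:00:04 -0500] "GET /scripts/test.bat HTTP/1.0" 200 13',
    '10.0.0.7 - - [01/Jun/1996:12:00:05 -0500] "GET /index.html HTTP/1.0" 200 2048',
]


def find_injection(target):
    """Return the reasons a request target looks like command injection
    against one of the handlers, or [] if nothing after the handler name
    contains a command separator or a perl -e switch."""
    # Decode twice so %2526-style double encoding still yields the '&'.
    decoded = unquote(unquote(target))
    m = HANDLER_RE.search(decoded.lower())
    if m is None:
        return []
    # Everything after the handler name is what would be pasted after
    # "cmd.exe /c <script>" (IIS form: test.bat+%26dir; query form: x.bat?&dir).
    args = decoded[m.end():]
    reasons = []
    if "&" in args:
        reasons.append("ampersand in arguments (cmd.exe command separator)")
    if "|" in args:
        reasons.append("pipe in arguments (cmd.exe command separator)")
    if re.search(r"(^|[?&+ ])-e(\+|\s|$)", args):
        reasons.append("perl -e switch in arguments (inline script execution)")
    return reasons


def scan_log(lines):
    """Return (client, target, reasons) for every log line that trips a rule."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if m is None:
            continue  # not a request line we understand
        reasons = find_injection(m.group("target"))
        if reasons:
            hits.append((m.group("host"), m.group("target"), reasons))
    return hits


if __name__ == "__main__":
    for client, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{client}  {target}\n    " + "\n    ".join(reasons))
```

Run stand-alone it prints the three injected requests with their reasons and nothing for the two clean ones. The same rule is worth applying to a proxy or packet capture in front of the server, since that record survives the client's cancelled download that the page relies on.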

---------------------------------------------------------------------------

04-3. What about WebSite and Purveyor?

WebSite 1.1b and earlier suffers from the same problems as Netscape does
with DOS .bat files. Version 1.1c fixes this problem. WebSite 1.1e had a
problem with quoting commands and passing them to a sample CMD file that
took advantage of a buffer overflow condition. This was fixed in later
releases.

Purveyor Server for NT doesn't seem to have any of these problems.

---------------------------------------------------------------------------

04-4. Is Novell's IntranetWare web server software vulnerable?

Novell's Web Server had a HUGE bug. The CGI scripts are Basic programs (yes
you are about to hack a server using Basic!) and several are included with
the server. One in particular, CONVERT.BAS, takes a file and converts it to
HTML and then sends it to the user. Here's an example for www.target.com:

    http://www.target.com/scripts/convert.bas?readme.txt

The README.TXT file is returned as HTML. Now here's the bug:

    http://www.target.com/scripts/convert.bas?../../any_file_on_sys_volume

This is supposedly corrected in the version that ships with Netware 4.11,
but a number of sites, including Novell's office in Japan, still have the
bug and you can still access any file on volume SYS as a text file.

---------------------------------------------------------------------------

04-5. What about WebSTAR for the Mac?

Try adding /M_A_C_H_T_T_P_V_E_R_S_I_O_N to any URL on a WebSTAR server
and it will give you info like this:

    WebSTAR, Copyright ©1995 Chuck Shotton,
    Portions ©1995 StarNine Technologies, Inc. and its Licensors. All rights
    reserved.
    PowerPC (CW) version

    totalCon 343, maxCon 30, listening 29, current 1, high 8, busy 0, denied 0,
    timeout 0, maxMem 1140640, currMem 1117024, minMem 1090208,
    bytesSent 1218888, port 80, maxTimeout 300, verboseMessages false,
    disableLogging false, hideWindow false, refuseConnections false,
    upSince 07/11/96:10:48, version 1.2.5(PowerPC (CW))

The latest version should have this fixed. While it doesn't seem very
interesting, the connection to get this is not logged, which allows
psychotics to use it as a denial-of-service attack.

Why is it even there? It has been speculated that the author had intended
to "check out" and see how busy his code was once it was installed.

---------------------------------------------------------------------------

04-6. Does CERN's httpd have any vulnerabilities?

CERN does access restriction using either IP addresses or hostnames. The
pattern for both is value.value.value.value, that is 205.42.*.* or
*.spy.spook.gov. Since they use some of the same code in their checking,
under certain conditions a hole opens. You could spoof or supply a
hostname that matches the IP address mask and allows access.

If the CERN httpd server is a proxy on a gateway machine and you use IP
address masks to limit access to the proxy, an attacker could use the
proxied service to access internal machines. Since you are allowing port
80 traffic in, your firewall becomes useless.

Admins, a patch should be available at http://softway.com.au/misc/cern.html,
and hackers, this is the only proxy I am aware of that does this. It
certainly seems possible that other proxy software (and not just web
services) might be impacted.


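An added illustration of the class of bug described above, written for this edit and not taken from CERN httpd's source. naive_allowed shows what goes wrong when one glob matcher is applied to every identifier the server holds for a client: a reverse-DNS name shaped like 205.42.something.something satisfies the IP mask 205.42.*.*, because a glob star happily matches letters and dots. strict_allowed is the corrected form: the address is compared only against IP masks, the name only against hostname patterns, and the name is trusted only after a forward lookup of it returns the connecting address. The allow list, the DNS table and the hostname-pattern semantics are constructed for the example.

```python
import fnmatch
import ipaddress

# Allow list in the value.value.value.value style the FAQ describes (constructed).
ALLOW_PATTERNS = ["205.42.*.*", "*.spy.spook.gov"]

# Constructed stand-in for forward DNS so the example runs offline.
FORWARD_DNS = {
    "ws1.spy.spook.gov": ["205.42.3.4"],
    "ws2.spy.spook.gov": ["10.1.1.1"],
    "205.42.evil.example": ["192.0.2.10"],  # name chosen to resemble the IP mask
}


def lookup_forward(hostname):
    """Stand-in for gethostbyname(): the addresses a name resolves to."""
    return FORWARD_DNS.get(hostname.lower(), [])


def naive_allowed(client_ids, patterns):
    """The shape of the hole: one glob matcher is applied to every identifier
    the server has for the client (its address and its reverse-DNS name) and
    every pattern, so a hostname is also tested against the IP masks.
    (Illustrative reconstruction of the bug class, not CERN's code.)"""
    return any(fnmatch.fnmatchcase(cid, p) for cid in client_ids for p in patterns)


def is_ip_mask(pattern):
    """An IP mask has exactly four dot-separated fields, each digits or '*'."""
    fields = pattern.split(".")
    return len(fields) == 4 and all(f == "*" or f.isdigit() for f in fields)


def ip_matches_mask(addr, mask):
    """Match a real IPv4 address octet by octet; non-addresses never match."""
    try:
        octets = str(ipaddress.IPv4Address(addr)).split(".")
    except ValueError:
        return False
    return all(m == "*" or m == o for m, o in zip(mask.split("."), octets))


def host_matches_pattern(host, pattern):
    """Hostname patterns (assumed semantics): an exact name, or '*.domain'
    meaning any name with at least one label in front of '.domain'."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".spy.spook.gov"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def strict_allowed(client_ip, client_host, patterns, forward_lookup=lookup_forward):
    """Hardened check: the address is compared only with IP masks, the name
    only with hostname patterns, and the name counts only if a forward lookup
    of it returns the connecting address (forward-confirmed reverse DNS)."""
    ip_masks = [p for p in patterns if is_ip_mask(p)]
    host_patterns = [p for p in patterns if not is_ip_mask(p)]
    if any(ip_matches_mask(client_ip, m) for m in ip_masks):
        return True
    if client_host and client_ip in forward_lookup(client_host):
        return any(host_matches_pattern(client_host, p) for p in host_patterns)
    return False


if __name__ == "__main__":
    cases = [
        ("205.42.3.4", "ws1.spy.spook.gov"),   # internal client, allowed by address
        ("10.1.1.1", "ws2.spy.spook.gov"),     # allowed by confirmed hostname
        ("192.0.2.10", "205.42.evil.example"), # hostname shaped like the IP mask
        ("192.0.2.11", "ws1.spy.spook.gov"),   # forged reverse-DNS name
    ]
    for ip, host in cases:
        print(f"{ip:<12} {host:<22} naive={naive_allowed([ip, host], ALLOW_PATTERNS)!s:<5} "
              f"strict={strict_allowed(ip, host, ALLOW_PATTERNS)}")
```

The two rows that naive_allowed accepts and strict_allowed refuses are the hole the page describes: in both, the only thing matching is a name the client (or whoever controls its reverse DNS) chose. The forward-confirmation step is what makes the hostname path safe to keep at all; without it the corrected matcher would still accept the forged-PTR case.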

---------------------------------------------------------------------------

04-7. What is the iCat Carbo Server bug?

iCat Carbo Server is a program used to develop interactive shopping catalogs
for the web. Version 3.0.0 has a bug that allows you to look at any file on
the server.

Try this type of URL:

    http://host/carbo.dll?icatcommand=..\..\winnt\creditcards&catalogname=catalog

You get the idea.


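The unchrooted IIS in 04-1, CONVERT.BAS in 04-4 and carbo.dll in 04-7 are the same defect: a file name taken from the URL is joined onto a directory without checking that the result stays inside it. As an added example, not code from any of those products, here is a resolver that refuses the page's own traversal strings. The document root is a constructed placeholder, and the decoding and separator handling are assumptions about what a server should normalize before it touches the filesystem.

```python
import os
import posixpath
from urllib.parse import unquote


def normalize_file_argument(raw):
    """Reduce a file name taken from a URL to what the filesystem would see:
    URL-decode twice (collapses double encoding), treat '\\' as a separator
    the way NT does (the iCat example uses ..\\..), and collapse '.' and
    '..' segments. Returns (decoded, normalized)."""
    decoded = unquote(unquote(raw)).replace("\\", "/")
    return decoded, posixpath.normpath(decoded)


def is_traversal(raw):
    """True if the argument names something outside the directory it is
    meant to be relative to: an absolute path, a drive letter, or a
    normalized path that still begins with '..'."""
    decoded, norm = normalize_file_argument(raw)
    if decoded.startswith("/") or (len(decoded) > 1 and decoded[1] == ":"):
        return True
    return norm == ".." or norm.startswith("../")


def resolve_under_root(root, raw):
    """Return the filesystem path for raw inside root, or None to refuse.
    The final commonpath check also catches a symlink inside root that
    points outside it, which a check on the string alone would miss."""
    if is_traversal(raw):
        return None
    root_real = os.path.realpath(root)
    _, norm = normalize_file_argument(raw)
    candidate = os.path.realpath(os.path.join(root_real, norm))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed document root; it does not need to exist for the check.
    ROOT = "/srv/www/scripts"
    for arg in ["readme.txt", "docs/../readme.txt",
                "../../any_file_on_sys_volume",        # 04-4 CONVERT.BAS
                "..\\..\\winnt\\creditcards",          # 04-7 carbo.dll
                "../..",                               # 04-1 GET ../..
                "%2e%2e%2f%2e%2e%2fetc%2fpasswd"]:     # encoded dots and slashes
        print(f"{arg!r:<40} -> {resolve_under_root(ROOT, arg)}")
```

Rejecting rather than silently clamping to the root is deliberate: a refused request can be logged as a traversal attempt, while a clamped one looks like an ordinary 404. Normalizing before the check matters as much as the check itself; a server that compares the raw string for a leading ".." but decodes %2e afterwards, or that only knows about "/" on an NT box, has the same hole the page describes.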

---------------------------------------------------------------------------

