SAN MATEO (06/05/2000) - The security community often likes to think in terms of black and white. When someone posts an advisory recounting a security vulnerability, everybody goes out and fixes it, and then goes back to business.
Of course, reality is rather grayer. Take, for example, the recent announcement of a handful of semirelated vulnerabilities in Microsoft Corp.'s Internet Information Server (IIS) that looked fairly straightforward. Peering between the lines, however, makes for more interesting reading.
The timing of these vulnerabilities helped trip us up. On January 26, an advisory was posted to the Cerberus Information Systems Advisories page, at www.cerberus-infosec.co.uk/advisories.shtml. The advisory described the transmission of a malformed URL to an IIS server that -- if the URL was padded with 250 spaces -- would trick a built-in ISAPI (Internet Server API) DLL called webhits into serving up any file on the Web root partition. (Yes, the entire partition, not just files under Web root.) Because webhits is a component of Microsoft Index Server, this was hailed in the media as the first major exploit of Windows 2000 (which has Index Server built in and hit the market right around the time of the advisory). No one seemed to notice that Index Server had been around since Option Pack 1, but it was a pretty ugly vulnerability nevertheless, so no one complained.
About a month later, Microsoft announced a fix for this problem in the first of a series of responses to webhits issues. OK, problem solved, right?
On March 30, Cerberus released the advisory Strike Three, and stated that it had found another problem with webhits. But don't get lost yet -- between the previous advisory and this one, Cerberus released several others.
The Strike Three post demonstrated another variation on webhits that didn't require counting out 250 spaces to make it work; this required only one space, embedded precisely within a request for a nonexistent .htw file on the server.
This variant worked on IIS 4 servers that had received the first fix.
The interesting part here is that as we read the Cerberus advisory, we found no mention of the capability to read any file type on the Web root partition, which we learned from our testing is indeed possible with this exploit. The advisory mentions only that you can read the text of the source code of ASP (Active Server Pages) and ASA (Active Server Application) files. Microsoft acknowledged this capability of reading any file in its updated bulletin with the new patch for webhits (see www.microsoft.com/technet/security/bulletin/ms00-006.asp).
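For shops that want to know whether requests of the kind described above have been hitting their servers, the following is an added example (not code from the column, from Cerberus, or from Microsoft) that scans IIS W3C extended log lines for webhits requests worth a second look. It assumes the log carries a `#Fields:` header naming `c-ip`, `cs-uri-stem`, `cs-uri-query` and `sc-status`, that the administrator can list the site's own legitimate `.htw` files in `KNOWN_HTW_FILES`, and that the `file=` query parameter in the sample lines is a constructed placeholder rather than the real webhits parameter. Three things get flagged: a `.htw` request for a file that does not exist on the site, whitespace embedded in the query (the trigger the advisory describes), and a query that names a script or configuration file.

```python
"""Flag suspicious webhits (.htw) requests in IIS W3C extended log lines.

Added example, not code from the InfoWorld column or from Cerberus/Microsoft.
Assumptions: W3C extended format with the field list given in the #Fields
header; KNOWN_HTW_FILES is the site's own list of legitimate .htw files.
"""
import re
from urllib.parse import unquote

# Constructed sample: the .htw files an administrator would list from their own web root.
KNOWN_HTW_FILES = {"/search/qsumrhit.htw", "/search/qfullhit.htw"}

# Files a webhits request should never be asked to render (checked after URL-decoding).
SENSITIVE_TARGET = re.compile(r"\.(asa|asp|ini|mdb)\b|sam\._", re.IGNORECASE)

# Constructed sample log: documentation IP ranges, no real hosts; "file=" is a
# placeholder parameter name, not the real webhits query syntax.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-04-01 10:15:01 192.0.2.10 GET /default.asp - 200
2000-04-01 10:16:22 198.51.100.5 GET /search/qsumrhit.htw file=/docs/readme.txt 200
2000-04-01 10:16:40 198.51.100.5 GET /nosuchfile.htw file=/global.asa%20 200
2000-04-01 10:17:03 203.0.113.9 GET /index.html - 200
2000-04-01 10:17:30 203.0.113.9 GET /Search/QSUMRHIT.HTW file=/scripts/login.asp 200
"""


def parse_w3c(log_text):
    """Yield one dict per data line, keyed by the names in the latest #Fields line."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than abort the whole scan
        yield dict(zip(fields, values))


def classify(entry):
    """Return the reasons a request looks suspicious; an empty list means benign."""
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "-")
    if not stem.lower().endswith(".htw"):
        return []
    reasons = []
    # IIS paths are case-insensitive, so normalise before checking the allow-list.
    if stem.lower() not in {p.lower() for p in KNOWN_HTW_FILES}:
        reasons.append("htw request for a file that does not exist on this site")
    decoded = unquote(query) if query != "-" else ""
    if any(ch.isspace() for ch in decoded):
        reasons.append("whitespace embedded in webhits query")
    if SENSITIVE_TARGET.search(decoded):
        reasons.append("webhits asked to render a script/config file")
    return reasons


def scan(log_text):
    """Return [(client_ip, uri, reasons), ...] for every flagged request."""
    findings = []
    for entry in parse_w3c(log_text):
        reasons = classify(entry)
        if reasons:
            uri = entry["cs-uri-stem"]
            if entry.get("cs-uri-query", "-") != "-":
                uri += "?" + entry["cs-uri-query"]
            findings.append((entry["c-ip"], uri, reasons))
    return findings


if __name__ == "__main__":
    for ip, uri, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {uri}\n    " + "\n    ".join(reasons))
```

On the sample log the scan reports two requests: the one for a nonexistent `.htw` file with an encoded space and an `.asa` target (all three reasons), and the one that uses a legitimate `.htw` file but asks it to render an `.asp` script. Requests for `.htw` files that really exist and that name ordinary documents pass silently, which is the point of keeping an allow-list instead of alerting on every webhits hit.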
The severity of this vulnerability was also probably further downplayed by the fact that it allowed only read access to files, not the coup-de-grace capability of executing arbitrary commands such as the old iishack and mdac/rds issues. We know this for a fact, because IT shops run by our colleagues who diligently patched their systems with Service Pack 6a glossed right over these fixes -- until someone showed them that read access is pretty bad, too.
It turns out that cleartext passwords are often contained within files on publicly accessible Web servers. Yes, we know what you're thinking -- use webhits to dump \winnt\repair\sam._ and grab the keys to the kingdom. However, our testing indicated that access to sam._ is denied by standard Windows NTFS (NT File System) permissions even for this attack (although Microsoft's bulletin states files can be read "regardless of permissions"). If you're running your Web server on FAT (the file allocation table, which preceded NTFS), well, good luck -- we didn't test what happens in that case. There are so many other security-related problems that arise from running IIS on FAT that you should have your knuckles rapped anyway. Smart shops also put the Web root on different logical drives, so that shenanigans such as this can't jump partitions to get at system files.
Of course, the sophisticated hacker knows that the application layer is becoming the biggest door to walk through nowadays, not lower-level network or operating system holes that almost everyone has patched by now. Cerberus' post wisely points out that files such as global.asa (right there under Web root, usually) can contain just as many keys to the kingdom. And don't forget good ol' ASP scripts for a source of passwords and business logic. We've seen such goodies as SQL system administrator passwords, mailbot account passwords, site administration passwords, and a host of others in real-world ASP and ASA files.
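Finding those goodies before someone else does is a matter of reading your own ASP and ASA source for the same patterns. The following is an added example, not code from the column or from Foundstone, that audits classic-ASP-era files for connection strings with embedded passwords, SQL `sa` logins, and hard-coded password variables. The sample files are constructed, the regular expressions are ordinary heuristics rather than anything the article lists, and `scan_tree` assumes the web root is readable on local disk with the usual `.asp`, `.asa` and `.inc` extensions.

```python
"""Audit ASP/ASA source for cleartext credentials.

Added example, not from the InfoWorld column or from Foundstone. The sample
files are constructed; the patterns are plain heuristics for the kinds of
secrets the column describes (SQL sa passwords, admin and mailbot passwords).
"""
import os
import re

# (label, pattern) pairs. Each is applied per line so the report can cite a line number.
CREDENTIAL_PATTERNS = [
    # OLE DB / ODBC connection strings: ...;pwd=secret;... or ...;Password=secret;...
    ("connection-string password", re.compile(r"\b(pwd|password)\s*=\s*[^;\"']+", re.I)),
    # Any connection string logging in as the SQL Server sysadmin account.
    ("sysadmin login", re.compile(r"\b(uid|user id|user)\s*=\s*sa\b", re.I)),
    # VBScript/JScript assignment of a literal to a variable named like a password.
    ("hard-coded password variable", re.compile(r"\b\w*(pass|pwd)\w*\s*=\s*\"[^\"]+\"", re.I)),
]

# Constructed sample web root, held in memory so the example runs without a disk layout.
SAMPLE_FILES = {
    "global.asa": """\
<SCRIPT LANGUAGE=VBScript RUNAT=Server>
Sub Application_OnStart
    Application("ConnString") = "Provider=SQLOLEDB;Data Source=db1;uid=sa;pwd=Summer2000;Initial Catalog=orders"
    Application("MailBot") = "mailbot"
End Sub
</SCRIPT>
""",
    "admin/login.asp": """\
<%
Const ADMIN_PASSWORD = "letmein"
If Request.Form("pw") = ADMIN_PASSWORD Then
    Session("admin") = True
End If
%>
""",
    "default.asp": """\
<% Response.Write("Welcome to the storefront") %>
""",
}


def scan_text(name, text):
    """Return [(file, line_number, label), ...]; the secret itself is never echoed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in CREDENTIAL_PATTERNS:
            if pattern.search(line):
                findings.append((name, lineno, label))
    return findings


def scan_tree(root, extensions=(".asp", ".asa", ".inc")):
    """Walk a web root on disk and scan every ASP-era source file beneath it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(extensions):
                path = os.path.join(dirpath, fn)
                # latin-1 decodes any byte, so odd legacy encodings do not abort the audit.
                with open(path, encoding="latin-1") as fh:
                    findings.extend(scan_text(os.path.relpath(path, root), fh.read()))
    return findings


def scan_samples():
    """Run the audit over the constructed in-memory web root."""
    findings = []
    for name, text in SAMPLE_FILES.items():
        findings.extend(scan_text(name, text))
    return findings


if __name__ == "__main__":
    for name, lineno, label in scan_samples():
        print(f"{name}:{lineno}: {label}")
```

The report deliberately names the file, line and category but not the matched value, so the audit output can be handed around without becoming one more place the password lives. On the constructed samples it flags the `sa` connection string in global.asa (twice, once for the password and once for the login) and the literal admin password in admin/login.asp, and nothing in default.asp.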
Cerberus has posted good information in its advisories on unmapping HTW files from webhits.dll, and Microsoft has released a patch. In the meantime, keep your eyes on the Cerberus advisories page, and try its free Internet Scanner with an updatable signatures DLL. It will tell you in a few seconds if any of these problems exist on your site. Are you keeping dirty laundry in exposed Active Server files? Let us know at firstname.lastname@example.org.
Stuart McClure is president/CTO and Joel Scambray is a managing principal at security consultant Foundstone (www.foundstone.com). Their best-selling book, Hacking Exposed, has sold more than 100,000 copies in six months.