-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
/*******************************************************************\
*  Windows NT / 9x Long File Names Vulnerable (AGAIN)               *
*                                                                   *
*  OS:       All Win32 w/long filename support                      *
*  Risk:     high / extremely high                                  *
*  Affected Products:                                               *
*    Microsoft IIS 4.0 (w/o SP4/5?), Serv-U FTP Server, Xitami,     *
*    vqServer, and many more web/ftp servers                        *
\*******************************************************************/
- -- B A C K G R O U N D --
While testing IIS security, I was able to locate an old flaw which is
still present in many server services on Win32. The problem is a
compatibility artifact of the old Win16/DOS file naming scheme known as
8.3: the filesystem keeps an 8.3 alias (for example SUBDIR~1) for every
long file or directory name, and a server that applies its access rules
to the long name only can be handed the same object under its alias.
Files using the 8.3 naming system consist of up to 8 characters followed
by a period (.) and a 3 character extension, thus giving a name of "8.3".
- -- S U M M A R Y --
Many products in use today are still heavily affected by this ancient
limit.
* IIS
Even though IIS is "fixed", the problem has "naturally" occurred on
one of my servers even after SP5 was installed.
Microsoft Internet Information Server 4.0 applies the privileges of
the parent directory instead of those of the requested directory when
a directory with a long file name is requested by its 8.3 alias.
EXAMPLE:
C:\inetpub\wwwroot\ (directory listing enabled)
C:\inetpub\wwwroot\subdirectory\ (listing _disabled_)
REQUEST http://server/subdirectory/
(denied error msg, as configured)
REQUEST http://server/subdir~1/ (8.3 alias of "subdirectory")
(listing of directory: wwwroot's setting applied)
* SERV-U FTP (www.cat-soft.com / www.ftpserv-u.com)
Certain commands in Serv-U are not properly checked against the
access control list when the path is given in 8.3 form.
Rob Beckers ([EMAIL PROTECTED]) has been notified of the issue
* VQSERVER (http://www.vqsoft.com/)
Steve Shering (mailto:[EMAIL PROTECTED]) has been notified
in advance of this release via email. This issue is very
similar to the IIS issue.
* XITAMI web server
- -- D E T A I L S --
IIS / PWS -- Although this is not a major security problem for most
sites, a remote system's security is compromised when the alias
request picks up the parent directory's execute permission
(scripts can be executed) or its listing permission (file
listings displayed; security never truly existed on the
"security through obscurity" model... *hint*hint* Microsoft....)
* Service Pack 4/5 seems to fix this, but I have had it occur after
* installing other software, so after installing any package make
* sure you re-apply a service pack.
IIS privileges are inherited from parent directories: the metabase
entry is keyed on the long name, so a request that uses the 8.3 alias
matches no entry of its own and receives the nearest parent's settings.
Virtual directories are not affected, as their names exist only in
the metabase and have no 8.3 alias on disk!
Risk: extremely high
How to reproduce:
(do not perform this live on the Internet...)
1) mkdir C:\inetpub\wwwroot\subdirectory\
2) mkdir C:\inetpub\wwwroot\subdirectory\subdirectory2\
3) set "C:\inetpub\wwwroot\" privileges to listing
4) set "C:\inetpub\wwwroot\subdirectory\" privileges to no listing
5) request "http://localhost/subdirectory/"
(denied, as configured)
6) request "http://localhost/subdir~1/"
(you will see a listing showing "subdirectory2": the alias matched
no metabase entry of its own, so wwwroot's listing setting applied)
Serv-U -- Serv-U 2.5a has two known improperly checked commands.
"cwd" and "site exec" both fail to check the specified
path against the access lists when it is given as an 8.3 alias.
Risk: high
How to reproduce:
1) mkdir C:\tmphome
2) mkdir C:\tmphome\longsubdir\
3) set permissions for "C:\tmphome\" to execute
4) set permissions for "C:\tmphome\longsubdir\" to _NO_
execute
5) place an exe in "C:\tmphome\longsubdir\"
6) log in to Serv-U
7) run the command "site exec C:\tmphome\longsu~1\exename.exe"
("longsu~1" is the 8.3 alias of "longsubdir")
8) It runs: the alias was not matched against the no-execute rule
for "longsubdir", so the execute right of "C:\tmphome\" applied.
** Rob Beckers has told me a fix is in the works.
vqServer -- This "exploit" is essentially the same as the IIS problem:
request a directory whose access is restricted under its long
name by its 8.3 alias instead, and the parent's settings apply.
Xitami -- (http://www.imatix.com/ -- [EMAIL PROTECTED])
Imatix has been notified via email.
Tested on: Xitami v2.4d2
There are probably numerous other services from other vendors
affected.
This has been a long known problem on Win32. Please read:
http://www.securityfocus.com/templates/advisory.html?id=179
"IIS 4.0 and PWS 4.0 maintain certain configuration information
about directories and files in a database called the metabase.
The metabase does not contain file permissions, but rather Web
server-specific information such as requiring SSL encryption,
proxy cache setting, and PICS ratings. Actual file and directory
permissions are enforced by NTFS and are not affected by this
problem."
Now this bulletin also states "Microsoft IIS 4.0 and PWS 4.0 with the
appropriate patch are not vulnerable." Anyone care to post the url
for this "patch" that I haven't seen?
- -- W H A T T O D O --
Administrators:
You have 5 choices:
1) Run Apache. A proven web server. :)
2) Wait for vendor patches
3) Dial 911 and tell them somebody is breaking into your site
4) Unplug your computer and lock it in a sealed room
5) Don't run Windows as long as it maintains 8.3 support
(Partial mitigation on NTFS: setting the REG_DWORD value
NtfsDisable8dot3NameCreation to 1 under
HKLM\SYSTEM\CurrentControlSet\Control\FileSystem stops NTFS from
generating short names for files created afterwards. Files and
directories that already have an alias keep it until they are
recreated, e.g. copied into a fresh tree, and FAT volumes are not
affected, so this alone does not close the hole.)
Developers:
Write two functions, getLongName() and getShortName(), and canonicalize
every client-supplied path to its long form _before_ comparing it with
your access list; the Win32 API already gives you what you need
(FindFirstFile returns both the long name and the 8.3 alias of each
path component). You figure the rest out, it's not too hard. The API
works...
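The inheritance mechanism shown in the IIS repro (a request for "subdir~1" picking up wwwroot's settings), the Serv-U "site exec" case and the canonicalize-before-checking advice in the Developers paragraph, as one added Python model. This is example code, not code from the advisory or from any of the vendors named. The metabase table, the short-name table and simulated_resolve() are constructed stand-ins; on a real Win32 host the resolver would be the OS lookup (GetLongPathName, or the cFileName/cAlternateFileName pair returned by FindFirstFile), which this example deliberately does not call so that it runs anywhere.

```python
import re
from typing import Callable, Dict, List

# Constructed metabase-style configuration, keyed on the long-name URL path.
# A path with no entry of its own inherits the settings of its nearest
# configured ancestor, which is how the advisory describes IIS 4.0 behaving.
METABASE: Dict[str, Dict[str, bool]] = {
    "/": {"listing": True, "execute": True},
    "/subdirectory": {"listing": False, "execute": False},
}

# Constructed stand-in for the 8.3 aliases the filesystem generates.  On a
# real host this comes from the OS (GetLongPathName, or the cFileName /
# cAlternateFileName pair FindFirstFile returns); these values are hypothetical.
SHORT_TO_LONG: Dict[str, str] = {
    "subdir~1": "subdirectory",
    "subdir~2": "subdirectory2",
}

# "~<digits>" inside a component is the tell-tale of an unresolved 8.3 alias.
ALIAS_RE = re.compile(r"~\d+")


def split_path(path: str) -> List[str]:
    """URL path -> components, dropping empty and '.' segments."""
    return [p for p in path.split("/") if p and p != "."]


def effective_settings(path: str) -> Dict[str, bool]:
    """Longest-prefix lookup over METABASE with parent inheritance."""
    settings = dict(METABASE["/"])
    prefix = ""
    for part in split_path(path):
        prefix += "/" + part.lower()
        if prefix in METABASE:
            settings.update(METABASE[prefix])
    return settings


def vulnerable_check(request_path: str, right: str) -> bool:
    """The flawed check: policy is looked up on the path exactly as sent.

    "/subdir~1/" matches no entry of its own, so the more permissive
    settings of "/" apply even though "/subdirectory" was locked down.
    """
    return effective_settings(request_path)[right]


def simulated_resolve(component: str) -> str:
    """Stand-in for the OS long-name lookup; unknown names pass through."""
    return SHORT_TO_LONG.get(component.lower(), component)


def canonicalize(request_path: str,
                 resolve: Callable[[str], str] = simulated_resolve) -> str:
    """Rewrite every component to its long name before any policy lookup."""
    return "/" + "/".join(resolve(p) for p in split_path(request_path))


def hardened_check(request_path: str, right: str,
                   resolve: Callable[[str], str] = simulated_resolve) -> bool:
    """Canonicalize first, then apply the same inheritance lookup."""
    parts = split_path(request_path)
    if ".." in parts:                      # no traversal through the alias path
        return False
    canonical = canonicalize(request_path, resolve)
    # Defence in depth: a component that still looks like an 8.3 alias after
    # resolution could not be mapped, so refuse rather than fall back to the
    # parent's settings.  (Legitimate long names containing "~<digits>" are
    # refused too; that is the conservative trade-off.)
    if any(ALIAS_RE.search(p) for p in split_path(canonical)):
        return False
    return effective_settings(canonical)[right]


if __name__ == "__main__":
    for req in ("/subdirectory/", "/subdir~1/", "/subdir~1/subdir~2/"):
        print(f"{req:22} listing: vulnerable={vulnerable_check(req, 'listing')!s:5} "
              f"hardened={hardened_check(req, 'listing')}")
```

Running the block prints the denied/allowed pairs side by side: the long-name request is denied by both checks, while "/subdir~1/" and "/subdir~1/subdir~2/" are allowed by vulnerable_check() and denied by hardened_check(). Swapping simulated_resolve() for a per-component FindFirstFile or GetLongPathName call gives the real server-side fix; the tilde test then only catches names the OS could not resolve.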
- -- O T H E R N O T E S --
Apache (Win32 port) does _NOT_ appear to be affected
Sambar WWW Server is not affected
Netscape previously fixed this problem: (from the CERT)
Enterprise Server 3.51 - not vulnerable
Enterprise Server 3.0 - A patch has been created to fix the
problem.
FastTrack Server 2.01 - A patch has been created to fix the
problem.
FastTrack Server 3.01 - A patch has been created to fix the
problem.
- -- P E R S O N A L R A N T --
Anyone can pull numbers out of their butt, and Microsoft has done it,
AGAIN!
Comparing Linux to Windows NT
Look at:
http://www.microsoft.com/ntserver/nts/exec/compares/ntlinux.asp
"680 percent better as a Web server"
"623 percent better Web server price/performance" isn't Linux/Apache
Free?
I would like to publicly ask Microsoft to remove this "report" from
their site as it is very inaccurate.
Microsoft,
Any beta programs open that I can get on? :)
- --
x-empt
[EMAIL PROTECTED]
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 for non-commercial use <http://www.pgp.com>
iQA/AwUBN7XYWT0JSYszj2jyEQLmSgCfRdDc/fa4dGCdPSjiXfqXQdZ2e30AoMBb
v4ycZswIIst6uqMbbjEzHNh5
=D1Ti
-----END PGP SIGNATURE-----