Exploit details for the IIS "Malformed Hit-Highlighting Argument" vulnerability
--------------------------------------------------------------------------------


SUMMARY

Internet Information Server 4.0 ships with an ISAPI application called 
webhits that provides hit-highlighting functionality for the Index Server. 
Files that have the extension .htw are dispatched by webhits.dll.

However, a vulnerability in webhits allows attackers to break out of the 
web virtual root file system and gain unauthorized access to other files 
on the same logical disk drive, such as customer databases, log files or 
any file they know or can ascertain the path to. The same vulnerability 
can be used to obtain the source of Active Server Pages or any other 
server side script file that often contain User IDs and passwords as well 
as other sensitive information.

This vulnerability has been fixed by Microsoft, and additional information 
regarding the patch can be found in our previous article:
<http://www.securiteam.com/windowsntfocus/Microsoft_Index_Server_allows_attackers_to_view_local_files__Malformed_Hit-Highlighting_Argument_.html>
Microsoft Index Server allows attackers to view local files (Malformed
Hit-Highlighting Argument).

DETAILS

Confirming the existence of this vulnerability
Request the following URL (replacing www.example.com with the server under 
test):
http://www.example.com/nosuchfile.htw
If you receive a message stating that the format of the QUERY_STRING is 
invalid, the .htw extension is mapped to webhits.dll and you are probably 
vulnerable, unless you have applied the patch. (Note that this message still 
appears after the patch has been applied, so it shows only that webhits.dll 
is handling .htw requests, not whether the server is patched.)

Details:
This vulnerability exploits two problems:

1) Using .htw files

The hit-highlighting functionality provided by Index Server allows a web 
user to have a document returned with their original search terms 
highlighted on the page. The name of the document is passed to the .htw 
file in the CiWebHitsFile argument. webhits.dll, the ISAPI application 
that handles the request, opens that file, applies the highlighting and 
returns the resulting page. Because the user controls the CiWebHitsFile 
argument passed to the .htw file, they can request pretty much any file 
they want. A secondary problem is that the source of ASP and other 
scripted pages can be revealed this way too, because webhits.dll returns 
the file contents rather than executing them.
webhits.dll also follows double dots ('..'), so an attacker is even able 
to gain access to files outside of the web virtual root.

For example, to view the web access logs for a given day the attacker 
would build the following URL:

http://www.example.com/iissamples/issamples/oop/qfullhit.htw?CiWebHitsFile=/../../winnt/system32/logfiles/w3svc1/ex000121.log&CiRestriction=none&CiHiliteType=Full

Sample .htw files that are often installed and left on the system:
/iissamples/issamples/oop/qfullhit.htw 
/iissamples/issamples/oop/qsumrhit.htw 
/iissamples/exair/search/qfullhit.htw 
/iissamples/exair/search/qsumrhit.htw
/iishelp/iis/misc/iirturnh.htw (this .htw is normally restricted to loop 
back)

2) Using inetinfo.exe

To invoke the webhits.dll ISAPI application a request needs to be made to 
an .htw file. If there are no .htw files on your web server you might 
wonder why you are still vulnerable, since requesting a non-existent .htw 
file will fail.

The trick is to be able to get inetinfo.exe to invoke webhits.dll but then 
also get webhits.dll to access an existing file. We achieve this by 
crafting a special URL.

First we need a valid resource. This must be a static file such as a .htm, 
.html, .txt or even a .gif or a .jpg. This will be the file opened by 
webhits.dll as the template file.
Now we need to get inetinfo.exe to pass it along to webhits for dispatch, 
and the only way we can do this is by requesting an .htw file:
http://www.example.com/default.htm.htw?CiWebHitsFile=/../../winnt/system32/logfiles/w3svc1/ex000121.log&CiRestriction=none&CiHiliteType=Full

This will obviously fail, since there is no such file on the system. Notice, 
however, that we have now invoked webhits. By placing a specific number of 
spaces (%20s) between the existing resource and the .htw it is then 
possible to trick the web service: the buffer that holds the name of the 
.htw file to open is truncated, so the .htw part is removed. When 
webhits.dll then attempts to open the file it succeeds, and the contents 
of the file named in CiWebHitsFile are returned without there being a real 
.htw file on the system.
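The two request shapes described above (a CiWebHitsFile value that climbs 
out of the virtual root with '..', and a padded ".htw" extension used to 
reach webhits.dll without a real .htw file) both leave a clear trace in 
the IIS W3C extended log. The following script is an added example for 
this article, not code from SecuriTeam or Microsoft: it parses a 
constructed sample log, flags both patterns, and also flags CiWebHitsFile 
values that name an .asp page (source disclosure). The log lines, client 
addresses and the SCRIPT_EXTENSIONS list are assumptions made for the 
example; escapes_root() is the containment check that webhits.dll should 
have performed before opening the file.

```python
import posixpath
from urllib.parse import unquote_plus, parse_qs

# Constructed sample of an IIS 4.0 W3C extended log (not a real capture).
# The first two data records mirror the request shapes in the advisory.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-01-21 10:15:02 192.0.2.10 GET /iissamples/issamples/oop/qfullhit.htw CiWebHitsFile=/../../winnt/system32/logfiles/w3svc1/ex000121.log&CiRestriction=none&CiHiliteType=Full 200
2000-01-21 10:15:09 192.0.2.10 GET /default.htm%20%20%20%20.htw CiWebHitsFile=/default.asp&CiRestriction=none&CiHiliteType=Full 200
2000-01-21 10:16:00 192.0.2.20 GET /iissamples/issamples/oop/qfullhit.htw CiWebHitsFile=/iissamples/issamples/oop/default.htm&CiRestriction=server&CiHiliteType=Full 200
2000-01-21 10:17:00 192.0.2.30 GET /default.htm - 200
"""

# Assumption: extensions whose source must never be served as plain text.
SCRIPT_EXTENSIONS = (".asp",)


def escapes_root(path):
    """Walk the path the way a naive file opener would and report whether
    any '..' step climbs above the virtual root. Both separators count,
    because webhits.dll runs on NT where '\\' is also a separator."""
    depth = 0
    for part in path.replace("\\", "/").split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def parse_w3c(text):
    """Yield (line_no, record_dict) for each data record, using the
    #Fields directive to name the columns."""
    fields = None
    for no, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data record before #Fields header")
        yield no, dict(zip(fields, raw.split()))


def inspect_record(rec):
    """Return the list of reasons a record looks like webhits abuse."""
    reasons = []
    stem = unquote_plus(rec.get("cs-uri-stem", ""))
    if not stem.lower().endswith(".htw"):
        return reasons  # webhits.dll is only reached through .htw
    # Whitespace right before ".htw" is the buffer-truncation trick.
    base = stem[:-4]
    if base != base.rstrip():
        reasons.append("padded .htw extension (truncation trick)")
    query = rec.get("cs-uri-query", "-")
    target = ""
    if query != "-":
        # parse_qs decodes %XX and '+' for us, once, like the server does.
        target = parse_qs(query).get("CiWebHitsFile", [""])[0]
    if target and escapes_root(target):
        reasons.append("CiWebHitsFile climbs above the virtual root")
    if posixpath.splitext(target)[1].lower() in SCRIPT_EXTENSIONS:
        reasons.append("CiWebHitsFile names a server-side script")
    return reasons


def scan_log(text):
    """Scan a W3C log and return one finding per suspicious record."""
    findings = []
    for no, rec in parse_w3c(text):
        reasons = inspect_record(rec)
        if reasons:
            findings.append({
                "line": no,
                "client": rec.get("c-ip"),
                "uri": rec.get("cs-uri-stem"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} {f['client']} {f['uri']}: "
              + "; ".join(f["reasons"]))
```

Run against the sample, the first record is flagged for the '..' climb and 
the second for both the padded extension and the .asp target; the third 
record, a legitimate hit-highlighting request inside the virtual root, 
produces no finding. Feeding a real ex*.log file in place of SAMPLE_LOG 
works the same way as long as the #Fields directive is present.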

Temporary Solution:
The .htw extension needs to be unassociated from webhits.dll. To do this, 
open the Internet Service Manager (via MMC). In the left hand panel right 
click the computer you wish to administer and from the menu that pops up 
choose Properties.
From the Master Properties select the WWW Service and then click Edit. The 
WWW Service Master Properties window should open. From here click on the 
Home Directory tab and then click the Configuration button. You should be 
presented with an App Mappings tab in the Application Mappings window.
Find the .htw extension, highlight it and click Remove. If a confirmation 
window pops up select 'Yes' to remove. Finally click Apply, select all of 
the child nodes this should apply to, and click OK. Now close all of the 
WWW Service property windows.

Solution:
This vulnerability has been fixed by Microsoft, and additional information 
regarding the patch can be found in our previous article:
<http://www.securiteam.com/windowsntfocus/Microsoft_Index_Server_allows_attackers_to_view_local_files__Malformed_Hit-Highlighting_Argument_.html>
Microsoft Index Server allows attackers to view local files (Malformed
Hit-Highlighting Argument).