L0pht Security Advisory
-------------

URL Origin:    http://www.l0pht.com/advisories.html
Release Date:  May 7th, 1999
Application:   Microsoft IIS 4.0 Web Server
Severity:      Web users can view ASP source code and other sensitive
               files on the web server
Author:        weld@l0pht.com
Operating Sys: Microsoft NT Server 4.0

--------------

I. Description

Internet Information Server (IIS) 4.0 ships with a set of sample files
to help web developers learn about Active Server Pages (ASP). One of
these sample files, showcode.asp, is designed to view the source code of
the sample applications via a web browser. The showcode.asp file does
inadequate security checking and allows anyone with a web browser to
view the contents of any text file on the web server. This includes
files that are outside of the document root of the web server.

Many ecommerce web servers store transaction logs and other customer
information such as credit card numbers, shipping addresses, and
purchase information in text files on the web server. This is the type
of data that could be accessed with this vulnerability.

The L0pht would like to thank Parcens for doing the initial research on
this problem.

II. Details

The showcode.asp file is installed by default at the URL:

http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp

It takes 1 argument in the URL, which is the file to view. The format of
this argument is:

source=/path/filename

So to view the contents of the showcode.asp file itself the URL would
be:

http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/SELECTOR/showcode.asp

This looks like a fairly dangerous sample file. It can view the contents
of files on the system. The author of the ASP file added a security
check to only allow the viewing of the sample files which were in the
'/msadc' directory on the system. The problem is the security check does
not test for the '..' characters within the URL. The only checking done
is if the URL contains the string '/msadc/'.
This allows URLs to be created that view, not only files outside of the
samples directory, but files anywhere on the entire file system that the
web server's document root is on.

For example, a URL that will view the contents of the boot.ini file,
which is in the root directory of an NT system is:

http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/../../../../../boot.ini

This URL requires that IIS 4.0 was installed in its default location.

III. Solution

For production servers, sample files should never be installed so delete
the entire /msadc/samples directory. If you must have the showcode.asp
capability on development servers the showcode.asp file should be
modified to test for URLs with '..' in them and deny those requests.

For specific questions about this advisory, please contact
weld@l0pht.com

---------------
For more L0pht (that's L - zero - P - H - T) advisories check out:
http://www.l0pht.com/advisories.html
---------------

-------------------------------------------------------------------------------

Date: Fri, 7 May 1999 11:39:41 -0700
From: Michael Howard
To: BUGTRAQ@netspace.org
Subject: Re: L0pht Advisory: NT IIS 4.0 - showcode file viewing vulnerability

fyi there's a couple of kb's on this kind of thing

Q184717 - AspEnableParentPaths MetaBase Property Should Be Set To False

as well as one on removing samples.

also note, that the exair sample (which is NOT installed by default)
also has showcode functionality.

Cheers, MH
IIS Security PM

-------------------------------------------------------------------------------

Date: Fri, 7 May 1999 18:19:11 -0400
From: Russ
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Exploit of Examples - Part 2

As some of you may have noticed, Weld Pond of the l0pht submitted a
message to Bugtraq earlier today regarding an exploit in an IIS 4.0
sample file called showcode.asp.

Shortly thereafter, WebTrends Corporation, through their "SecureTrends
Security Advisory" mechanism, released 3 exploits of example code, 2 in
IIS 4.0 and 1 in Site Server 3.0.

WebTrends were also reporting the showcode.asp exploit, as well as an
exploit in codebrws.asp (both from IIS 4.0). They also reported an
exploit in viewcode.asp (from Site Server 3.0 Commerce Edition).
According to Microsoft, WebTrends had reported this to them back on
4/27.

All 3 reports result in the same vulnerability, the ability to do "../"
up the directory tree and read files.

As I said back in January;

http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind9901&L=NTBUGTRAQ&D=0&P=6155&F=P

the actual vulnerability here is in the fact that samples were installed
and left on the box. Both WebTrends and Microsoft indicated that they
had seen far more IIS and Site Server sites that were both accessible,
and still had sample files on them, than expected.

Microsoft will be releasing information in their Security Bulletin
MS99-013 later today indicating better ACL settings and the like to make
these samples less of a risk. In the meantime, if you have any of these
files on your exposed machines, remove them (at least temporarily), or
restrict access to them.

Sample code that is not intended to be secure, may be exploitable. If we
stand for "security advisories" about exploits in sample files, we are
simply saying we do not want Vendors to provide us with sample files any
more. I, for one, do not want this.

Vendors will never accept the liability of telling you that "this is a
secure implementation". This is up to you, and your security policy, not
the Vendor. So if a particular sample can be exploited, it may well be
because it was not intended to be secure in a production environment
(i.e. accessible with modification from default installation).
Anyone thinking to use such files as part of a product system will, it's
assumed, have gone over all of the potential security vulnerabilities,
including file permissions and such for the sample files. If that's
done, then these samples are no more insecure than any other code.

WebTrends Press Release:
http://www.webtrends.com/news/releases/release.asp?id=81

l0pht Press Release:
http://www.l0pht.com/advisories/showcode.txt

Cheers,
Russ - NTBugtraq moderator

-------------------------------------------------------------------------------

Date: Fri, 7 May 1999 21:58:18 -0700
From: aleph1@UNDERGROUND.ORG
To: BUGTRAQ@netspace.org
Subject: Microsoft Security Bulletin (MS99-013)

The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.

********************************

Microsoft Security Bulletin (MS99-013)
--------------------------------------

Solution Available for File Viewers Vulnerability

Originally Posted: May 7, 1999

Summary
=======
Microsoft has identified a vulnerability that occurs in some file
viewers that ship as part of Microsoft (r) Internet Information Server
and Site Server. The vulnerability could allow a web site visitor to
view, but not to change, files on the server, provided that they knew or
guessed the name of each file and had access rights to it based on
Windows NT ACLs.

Microsoft is releasing this security bulletin to inform customers of the
vulnerability and enable them to eliminate it immediately. Patches are
being developed for the affected file viewers, and will be available
shortly. When they are available, an update to this security bulletin
will be released.

Issue
=====
Microsoft Site Server and Internet Information Server include tools that
allow web site visitors to view selected files on the server. These are
installed by default under Site Server, but must be explicitly installed
under IIS.
These tools are provided to allow users to view the source code of
sample files as a learning exercise, and are not intended to be deployed
on production web servers. The underlying problem in this vulnerability
is that the tools do not restrict which files a web site visitor can
view.

It is important to note several important points:

 - These file viewers are not installed by default under IIS. They are
   only installed under IIS if the user chooses to install the sample
   web files.
 - This vulnerability only allows a web site visitor to view files.
   There is no capability through this vulnerability to change files or
   add files to the server.
 - This vulnerability does not in any way bypass the Windows NT file
   permission ACLs. A web site visitor could only use these tools to
   view files whose ACLs allow them read access. The administrator of
   the web server determines the specific permissions for all files on
   the server.
 - The viewers can only be used to view files on the same disk partition
   as the currently-displayed web page. Databases such as those used by
   e-commerce servers are typically stored on a different physical
   drive, and these would not be at risk.
 - The web site visitor would need to know or guess the name of each
   file they wished to view.

Specific steps that customers can take to immediately eliminate the
vulnerability are discussed below in What Customers Should Do. In
addition, Microsoft is developing updated versions of the file viewers
and will release them shortly.

While there are no reports of customers being adversely affected by this
vulnerability, Microsoft is proactively releasing this bulletin to allow
customers to take appropriate action to protect themselves against it.

Affected Software Versions
==========================
 - Microsoft Site Server 3.0, which is included with Microsoft Site
   Server 3.0 Commerce Edition, Microsoft Commercial Internet System
   2.0, and Microsoft BackOffice Server 4.0 and 4.5
 - Microsoft Internet Information Server 4.0

What Microsoft is Doing
=======================
Microsoft has provided this bulletin to inform customers of specific
steps that they can take to immediately eliminate this vulnerability on
their servers. Microsoft is developing updated file viewers that fix the
problem identified, and will release an updated version of this bulletin
when they are available.

Microsoft also has sent this security bulletin to customers subscribing
to the Microsoft Product Security Notification Service. See
http://www.microsoft.com/security/services/bulletin.asp for more
information about this free customer service.

Microsoft has published the following Knowledge Base (KB) article on
this issue:

 - Microsoft Knowledge Base (KB) article Q231368,
   Solution Available for File Viewers Vulnerability,
   http://support.microsoft.com/support/kb/articles/q231/3/68.asp.
   (Note: It might take 24 hours from the original posting of this
   bulletin for the KB article to be visible in the Web-based Knowledge
   Base.)

What Customers Should Do
========================
Customers should take the following steps to eliminate the vulnerability
on their web servers:

 - Unless the affected file viewers are specifically required on the web
   site, they should be removed. The following file viewers are
   affected: ViewCode.asp, ShowCode.asp, CodeBrws.asp and Winmsdp.exe.
   Depending on the specific installation, not all of these files may be
   present on a server. Likewise, there may be multiple copies of some
   files, so customers should do a full search of their servers to
   locate all copies.
 - In accordance with standard security guidelines, file permissions
   should always be set to enable web visitors to access only the files
   they need, and no others.
   Moreover, files that are needed by web visitors should provide the
   least privilege needed; for example, files that web visitors need to
   be able to read but not write should be set to read-only.
 - As a general rule, sample files and vroots should always be deleted
   from a web server prior to putting it into production. If they are
   needed, file access permissions should be used to regulate access to
   them as appropriate

More Information
================
Please see the following references for more information related to this
issue.

 - Microsoft Security Bulletin MS99-013,
   Solution Available for File Viewers Vulnerability
   (The Web-posted version of this bulletin),
   http://www.microsoft.com/security/bulletins/ms99-013.asp.
 - Microsoft Knowledge Base (KB) article Q231368,
   Solution Available for File Viewers Vulnerability,
   http://support.microsoft.com/support/kb/articles/q231/3/68.asp.

Obtaining Support on this Issue
===============================
If you require technical assistance with this issue, please contact
Microsoft Technical Support. For information on contacting Microsoft
Technical Support, please see
http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
===============
Microsoft acknowledges WebTrends (www.webtrends.com) for discovering
this vulnerability and reporting it to us.

Revisions
=========
 - May 07, 1999: Bulletin Created.

For additional security-related information about Microsoft products,
please visit http://www.microsoft.com/security

--------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS
IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES,
EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.

*******************************************************************

You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the
request, and can be anything you like.

For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/security/bulletin.htm. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at
http://www.microsoft.com/security.

-------------------------------------------------------------------------------

Date: Sat, 8 May 1999 09:40:40 -0700
From: David LeBlanc
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Exploit of Examples - Part 2

At 06:19 PM 5/7/99 -0400, Russ wrote:

>All 3 reports result in the same vulnerability, the ability to do "../"
>up the directory tree and read files.
>
>As I said back in January;
>
>http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind9901&L=NTBUGTRAQ&D=0&P=6155&F=P
>
>the actual vulnerability here is in the fact that samples were installed
>and left on the box.
>Both WebTrends and Microsoft indicated that they
>had seen far more IIS and Site Server sites that were both accessible,
>and still had sample files on them, than expected.

As Michael Howard pointed out on BUGTRAQ, one of the other issues common
to each of these is accessing paths below the current directory. There
is a KB article on this - "Q184717 - AspEnableParentPaths MetaBase
Property Should Be Set To False".

Another known issue along these lines is indexing your source pages. It
is usually best to place everything you're going to index in a specific
directory or tree. I'd also point out that chapter 8 of the IIS Resource
Kit should be required reading for anyone setting up a web site.

David LeBlanc
dleblanc@mindspring.com

-------------------------------------------------------------------------------

Date: Mon, 10 May 1999 15:09:43 -0700
From: Aleph One
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Exploit of Examples - Part 2

On Sat, May 08, 1999 at 09:40:40AM -0700, David LeBlanc wrote:
>
> As Michael Howard pointed out on BUGTRAQ, one of the other issues common to
> each of these is accessing paths below the current directory. There is a
> KB article on this - "Q184717 - AspEnableParentPaths MetaBase Property
> Should Be Set To False".

What Michael could not answer is whether AspEnableParentPaths only stops
pathnames that start with ".." or also works with pathnames where ".."
is embedded somewhere else than at the beginning (like the last
exploit).

>
> Another known issue along these lines is indexing your source pages. It is
> usually best to place everything you're going to index in a specific
> directory or tree. I'd also point out that chapter 8 of the IIS Resource
> Kit should be required reading for anyone setting up a web site.
>
>
> David LeBlanc
> dleblanc@mindspring.com
>

--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

-------------------------------------------------------------------------------

Date: Wed, 19 May 1999 18:04:43 -0700
From: aleph1@UNDERGROUND.ORG
To: BUGTRAQ@netspace.org
Subject: Update to Microsoft Security Bulletin (MS99-013)

The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.

********************************

Update to Microsoft Security Bulletin (MS99-013)
------------------------------------------------

Patches Available for File Viewers Vulnerability

Originally Posted: May 7, 1999
Updated: May 19, 1999

Summary
=======
This is an update to Microsoft Security Bulletin MS99-013. The purpose
of the update is to advise customers of the availability of patches that
eliminate a vulnerability that occurs in some file viewers included in
Microsoft (r) Internet Information Server and Site Server. The
vulnerability could allow a web site visitor to view, but not to change,
files on the server, provided that they knew or guessed the name of each
file and had access rights to it based on Windows NT ACLs.

Issue
=====
Microsoft Site Server and Internet Information Server include tools that
allow web site visitors to view selected files on the server. These are
installed by default under Site Server, but must be explicitly installed
under IIS. These tools are provided to allow users to view the source
code of sample files as a learning exercise, and are not intended to be
deployed on production web servers. The underlying problem in this
vulnerability is that the tools do not restrict which files a web site
visitor can view.

It is important to note several important points:

 - These file viewers are not installed by default under IIS.
 - The web site visitor would need to know or guess the name of each
   file they wished to view.
 - This vulnerability only allows a web site visitor to view files, not
   to change them or to create new ones.
 - The file viewers are subject to normal Windows NT file permission
   ACLs. A web site visitor could only use the file viewers to read
   files for which they have read access.
 - The viewers can only be used to view files on the same disk partition
   as the currently-displayed web page. Databases such as those used by
   e-commerce servers are typically stored on a different physical
   drive, and these would not be at risk.

While there are no reports of customers being adversely affected by this
vulnerability, Microsoft is proactively releasing this bulletin to allow
customers to take appropriate action to protect themselves against it.

Affected Software Versions
==========================
 - Microsoft Site Server 3.0, which is included with Microsoft Site
   Server 3.0 Commerce Edition, Microsoft Commercial Internet System
   2.0, and Microsoft BackOffice Server 4.0 and 4.5
 - Microsoft Internet Information Server 4.0

What Microsoft is Doing
=======================
Microsoft has released patches that fix the problem identified. The
patches are available for download from the sites listed below in What
Customers Should Do.

Microsoft also has sent this security bulletin to customers subscribing
to the Microsoft Product Security Notification Service. See
http://www.microsoft.com/security/services/bulletin.asp for more
information about this free customer service.

Microsoft has published the following Knowledge Base (KB) article on
this issue:

 - Microsoft Knowledge Base (KB) article Q231368,
   Solution Available for File Viewers Vulnerability,
   http://support.microsoft.com/support/kb/articles/q231/3/68.asp.
 - Microsoft Knowledge Base (KB) article Q231656,
   Preventing Viewcode.asp from Viewing Known Server Files,
   http://support.microsoft.com/support/kb/articles/q231/6/56.asp.
   (Note: It might take 24 hours from the posting of the bulletin for
   the updates to the KB articles to be visible in the Web-based
   Knowledge Base.)

What Customers Should Do
========================
Microsoft highly recommends that customers evaluate the degree of risk
that this vulnerability poses to their systems and determine whether to
download and install the patch. The patch can be found at:

 - Internet Information Server:
   ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/Viewcode-fix/
 - Site Server:
   ftp://ftp.microsoft.com/bussys/sitesrv/sitesrv-public/fixes
   /usa/siteserver3/hotfixes-postsp2/Viewcode-fix/

NOTE: The above URLs have been word-wrapped for readability.

Microsoft has provided a checklist that customers can use to ensure that
their web servers have been properly secured. This checklist is
available at
http://www.microsoft.com/security/products/iis/checklist.asp

More Information
================
Please see the following references for more information related to this
issue.

 - Microsoft Security Bulletin MS99-013,
   Patches Available for File Viewers Vulnerability
   (The Web-posted version of this bulletin),
   http://www.microsoft.com/security/bulletins/ms99-013.asp.
 - Microsoft Knowledge Base (KB) article Q231368,
   Solution Available for File Viewers Vulnerability,
   http://support.microsoft.com/support/kb/articles/q231/3/68.asp.
 - Microsoft Knowledge Base (KB) article Q231656,
   Preventing Viewcode.asp from Viewing Known Server Files,
   http://support.microsoft.com/support/kb/articles/q231/6/56.asp.

Obtaining Support on this Issue
===============================
If you require technical assistance with this issue, please contact
Microsoft Technical Support. For information on contacting Microsoft
Technical Support, please see
http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
===============
Microsoft acknowledges WebTrends (www.webtrends.com) for discovering
this vulnerability and reporting it to us.

Revisions
=========
 - May 07, 1999: Bulletin Created.
 - May 19, 1999: Bulletin updated to provide patch information.

For additional security-related information about Microsoft products,
please visit http://www.microsoft.com/security

-----------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS
IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES,
EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT
CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER
INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS
PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT
APPLY.

(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.

*******************************************************************

You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the
request, and can be anything you like.

For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/security/bulletin.htm. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at
http://www.microsoft.com/security.
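
-------------------------------------------------------------------------------

Added example, not part of the original thread and not L0pht's or
Microsoft's code: a model of the check described in the advisory's
Details section (accept any source value containing '/msadc/'), the
advisory's suggested '..' filter, and a stricter resolve-then-compare
check, applied to constructed W3C-format log lines to flag viewer
requests whose source value escapes the samples directory. The function
names, the log field layout and the 192.0.2.x client addresses are
assumptions made for the illustration.

```python
import posixpath
from urllib.parse import parse_qs

SAMPLES_ROOT = "/msadc"  # virtual directory named in the advisory
VIEWERS = ("showcode.asp", "codebrws.asp", "viewcode.asp")  # viewers named in the thread

def substring_check(source):
    """The check as the advisory describes it: accept anything containing '/msadc/'."""
    return "/msadc/" in source.lower()

def dotdot_filter(source):
    """The advisory's suggested fix: also deny any value with '..' in it."""
    return substring_check(source) and ".." not in source

def containment_check(source, root=SAMPLES_ROOT):
    """Stricter alternative (an assumption of this example): collapse the
    path first, then require the result to sit under the samples root."""
    path = source.replace("\\", "/")
    if "\x00" in path or not path.startswith("/") or path.startswith("//"):
        return False
    resolved = posixpath.normpath(path).lower()
    return resolved.startswith(root.lower() + "/")

def suspicious_requests(log_lines):
    """Return (client, source) for viewer requests whose source= value
    resolves outside the samples root."""
    fields, hits = [], []
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().endswith(VIEWERS):
            continue
        for source in parse_qs(row.get("cs-uri-query", "")).get("source", []):
            if not containment_check(source):
                hits.append((row.get("c-ip"), source))
    return hits

# Constructed log lines (W3C extended format); the second request is the
# boot.ini URL quoted in the advisory.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-05-07 18:02:11 192.0.2.10 GET /msadc/Samples/SELECTOR/showcode.asp source=/msadc/Samples/SELECTOR/showcode.asp 200
1999-05-07 18:02:40 192.0.2.77 GET /msadc/Samples/SELECTOR/showcode.asp source=/msadc/Samples/../../../../../boot.ini 200
1999-05-07 18:03:05 192.0.2.10 GET /default.asp - 200
""".splitlines()

if __name__ == "__main__":
    for value in ("/msadc/Samples/SELECTOR/showcode.asp",
                  "/msadc/Samples/../../../../../boot.ini",
                  "/other/msadc/page.asp",        # '/msadc/' appears, but not as the root
                  "/msadc/Samples/notes..txt"):   # harmless name that contains '..'
        print(value, substring_check(value), dotdot_filter(value),
              containment_check(value))
    print(suspicious_requests(SAMPLE_LOG))
```

The four values in the main block show where the three checks disagree:
the '..' filter still accepts a path that merely contains '/msadc/'
somewhere, and it rejects a harmless file name with two dots in it.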