Subject WinNT based Web Servers File Access Vuln. Date 02-Feb-98
25fbd41a8ccbb3118f83540ee9df97c33dd214e6a48c8b568a3c4538d78a805b
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===============================================================================
>> CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl. Links <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>> <<
>> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the <<
>> complete CERT-CC advisory texts: http://www.cert.org <<
===============================================================================
===============================================================================
Security Advisory CERT-NL
===============================================================================
Author/Source : Nico de Koo Index : S-98-07
Distribution : World Page : 1
Classification: External Version: 1
Subject : WinNT based Web Servers File Access Vuln. Date : 02-Feb-98
===============================================================================
By courtesy of CIAC (The U.S. Department of Energy Computer Incident Advisory
Capability) we received information on a vulnerability in Windows NT based Web
Servers File Access system.
CERT-NL recommends application of the provided patches.
==============================================================================
__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
Windows NT based Web Servers File Access Vulnerability
January 30, 1998 21:00 GMT Number I-025A
______________________________________________________________________________
PROBLEM: Some Windows NT based web servers allow access to 8.3 format
filenames. This can allow unauthorized access to files via
their 8.3 compatible name.
PLATFORM: Microsoft Internet Information Server and Peer Web Server 4.0,
Netscape FastTrack 2.x
DAMAGE: By exploiting this vulnerability, remote users may gain
unauthorized access to files accessed by the web server.
SOLUTION: Apply the fixes listed in Section 3 of this advisory.
______________________________________________________________________________
VULNERABILITY Exploit information involving this vulnerability has been made
ASSESSMENT: publicly available.
______________________________________________________________________________
Introduction
============
Windows NT file systems support filenames of up to 255 characters. For
compatibility purposes, a short filename (the 8.3 filename) is usually
created for each file, and can be used by older applications to access
directories and files with long names. Web server file protection of
directories and files in long filename (not 8.3) formats can often allow
access to the short name (8.3) equivalent without restriction. Some
Windows NT based Web servers base their access control check for permissions
using the long filename only, and do not include the short name that may
be used as an alias. For example, if there was a file named
noteightdotthree.htm, and it was protected at the file level by the web
server (NOT the NTFS file system itself), the access of the short name
noteig~1.htm is possible. This also applies to directories. Note that NTFS
level file restrictions are always applied correctly because they are not
inherently tied to the long name, but to the name stored on disk, which the
long name references. Some web servers allow you to set access permissions
in places other than NTFS, however it is the implementation of these controls
that are causing the vulnerability.
The characteristics of this vulnerability also appear in IIS 3.0 and PWS
3.0, but only at the directory level. Using the long file name IIS or PWS
3.0 to protect an execute only directory inside a read-execute or read-only
is not recommended. Microsoft has stated that they do not consider it a
bug, but a 'bad' practice.
This vulnerability may easily affect other Windows NT based WWW servers.
CIAC recommends that you check with your vendor to ensure your WWW server
does not exhibit this characteristic.
Problem
=======
This vulnerability permits attackers to gain unauthorized access to files
on the Web server. It may be used to download the source code of
server scripts in some configurations. If exploited it can give an
intruder access to any file that the web server can access.
Prevention
==========
Microsoft IIS 4.0 and PWS 4.0
==============================
Microsoft has developed a hot-fix to correct the problem. CIAC has
verified that the hot-fix corrects the problem described above, but has
not done any regression testing. Instructions for installing it are
available from Microsoft. Microsoft recommends that you update your
Emergency Repair Disk before you apply the patch, as they have not
regression tested the hot-fix.
Microsoft's patch location:
Windows NT 4.0 (CIAC recommends that Service Pack 3 is installed first):
ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/sfn-fix/
Microsoft IIS 3.0 and PWS 3.0
==============================
Although Microsoft does not consider this a bug, CIAC recommends that you
ensure directory access controls are not nested. Verify that WWW server
protections are not being used to enforce protection for execute-only
directories that reside in read-only or read-execute directories.
Netscape FastTrack 2.x
=======================
Netscape will be producing patches.
_______________________________________________________________________
Thanks to:
NtBugtraq Mailing List (NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM)
David LeBlanc <dleblanc@iss.net>
Michael Howard <mikehow@microsoft.com>
_______________________________________________________________________
==============================================================================
CERT-NL wishes to thank CIAC, the Computer Incident Advisory Capability for
bringing this information to our attention
==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).
All CERT-NL material is available under:
http://cert.surfnet.nl/
In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).
CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).
Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS
Phone: +31 302 305 305 BUSINESS HOURS ONLY
Fax: +31 302 305 329 BUSINESS HOURS ONLY
Snailmail: SURFnet bv
Attn. CERT-NL
P.O. Box 19035
NL - 3501 DA UTRECHT
The Netherlands
NOODGEVALLEN: 06 22 92 35 64 ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64 ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i
iQA/AwUBOL6IezSYjBqwfc9jEQL6lQCfSeBXAHEw6KjqxMqpHtsrnWb5k8gAn1pm
uxoRqQtbKnUPxQ4lsNsMrvzR
=yj0C
-----END PGP SIGNATURE-----