ISS Security Advisory August 31, 1998

Posted Sep 4, 1998

If a non-administrative user can place executable code into a web site directory which allows file execution, the user may be able to run applications which could compromise the web server.

SHA-256 | 62cf619441af3f3f815b2fb6df03d7cd419fa43ce9fc81f8347e6e1c231f9909

From xforce@ISS.NET Mon Aug 31 19:50:12 1998
From: X-Force <xforce@ISS.NET>
To: BUGTRAQ@netspace.org
Date: Mon, 31 Aug 1998 16:48:16 -0400
Subject: ISS Security Advisory: Executable Directories in IIS 4.0

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Advisory
August 31, 1998

Executable Directories in IIS 4.0

Synopsis:

If a non-administrative user can place executable code into a web site
directory which allows file execution, the user may be able to run
applications which could compromise the web server.

Recommended Action:

Administrators should verify access permissions on all virtual HTTP server
directories that are marked executable. See below for recommended
permissions.

All security patches that protect against local attacks should be applied
to HTTP servers due to the possibility of the server executing code
locally. See http://www.microsoft.com/security for details.

Description:

The following directories are marked executable by default on an install of
IIS 4.0:

/W3SVC/1/ROOT/msadc
/W3SVC/1/ROOT/News
/W3SVC/1/ROOT/Mail
/W3SVC/1/ROOT/cgi-bin
/W3SVC/1/ROOT/SCRIPTS
/W3SVC/1/ROOT/IISADMPWD
/W3SVC/1/ROOT/_vti_bin
/W3SVC/1/ROOT/_vti_bin/_vti_adm
/W3SVC/1/ROOT/_vti_bin/_vti_aut

In a default install, the physical drive mappings will be:

msadc      c:\program files\common\system\msadc
News       c:\InetPub\News
Mail       c:\InetPub\Mail
cgi-bin    c:\InetPub\wwwroot\cgi-bin
SCRIPTS    c:\InetPub\scripts
IISADMPWD  C:\WINNT\System32\inetsrv\iisadmpwd
_vti_bin   Not present by default - installed with FrontPage extensions

Access to the physical directories can be obtained through drive sharing,
remote command shells (e.g., rcmd, telnet, remote.exe), HTTP PUT commands,
or FrontPage. None of these methods is available in a default install,
but they are often added by administrators. The default NTFS permissions
are overly permissive: they grant change control (RWXD) to the Everyone
group, with the exception of msadc, which grants full control to Everyone.
Due to the sensitive nature of these directories, the recommended NTFS
access permissions are:

Administrators, LocalSystem: Full Control
Everyone: Special Access(X)

Administrators should closely examine all pathways to access the
filesystem, and be aware of all web directories that allow file execution.
In addition, if a user is allowed to administer their own site, they may
have permission to set a directory to executable. A system administrator
should permit only allowed file types to be copied onto a production web
site.
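
The permission check recommended above can be scripted. The following is an added example, not part of the ISS advisory: it reads the ACL of each default physical directory listed above and reports any Allow entry that lets Everyone change content. The paths are the advisory's default mappings and must be adjusted to the actual install; the rights mask is this example's own definition of "can change content".

```powershell
# Added example (not from the advisory): flag executable web directories
# whose NTFS ACL lets Everyone write, delete, or re-permission files.
# Paths below are the default mappings quoted in the advisory; adjust them.
$dirs = @(
    'c:\program files\common\system\msadc',
    'c:\InetPub\News',
    'c:\InetPub\Mail',
    'c:\InetPub\wwwroot\cgi-bin',
    'c:\InetPub\scripts',
    'C:\WINNT\System32\inetsrv\iisadmpwd'
)

# Well-known SID for Everyone; matching on the SID is locale-independent.
$everyone = 'S-1-1-0'

# Rights that allow planting or altering a file (assumption of this example).
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs may carry raw generic bits: GENERIC_WRITE | GENERIC_ALL.
$genericMask = 0x50000000

$findings = foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }

    $acl   = Get-Acl -LiteralPath $dir
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow')         { continue }
        if ($ace.IdentityReference.Value -ne $everyone) { continue }

        $rights = [int]$ace.FileSystemRights
        if (($rights -band $writeMask) -or ($rights -band $genericMask)) {
            [pscustomobject]@{
                Path      = $dir
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# An empty result means no listed directory is writable by Everyone.
$findings | Format-Table -AutoSize
```

Directories that do not exist are skipped, so the same list can be run against hosts with or without the News, Mail, or FrontPage components installed.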

In addition, ISS highly recommends the security settings detailed in
Chapter 8 of the IIS Resource Kit (Microsoft Press). We would like to
thank Michael Howard and Jason Garms of Microsoft for their input.

--------

Copyright (c) 1998 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent
of X-Force. If you wish to reprint the whole or any part of this Alert in
any other medium excluding electronic medium, please e-mail xforce@iss.net
for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at
the user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as
well as on MIT's PGP key server and PGP.com's key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.
