
isa-2006-013.txt
Posted May 23, 2007
Authored by Jesus Olmos Gonzalez

Microsoft IIS5 suffers from NTLM and basic authentication bypass vulnerabilities.

tags | exploit, vulnerability
SHA-256 | 62deb75d4279d8e14703bd0f0c22f77345ca3d79b23d558d052acdb9ec13c878

=============================================
INTERNET SECURITY AUDITORS ALERT 2006-013
- Original release date: December 15, 2006
- Last revised: May 22, 2007
- Discovered by: Jesus Olmos Gonzalez
- Severity: 5/5
=============================================

I. VULNERABILITY
-------------------------
Microsoft IIS5 NTLM and Basic authentication bypass

II. BACKGROUND
-------------------------
Microsoft Internet Information Server can protect private content with
Basic or NTLM authentication.

Many web pages, intranets and extranets rely on Microsoft security.

IISv5 has a "Hit-highlighting" feature that opens a site object and
highlights part of it; it has had a traversal vulnerability in the
past. Now it can be used to bypass IIS authentication.

This is poorly documented in Microsoft Knowledge Base article
http://support.microsoft.com/kb/328832; the real impact is detailed below.

III. DESCRIPTION
-------------------------
Any Internet user can access the private web directories and files of
any IISv5 web site by highlighting them with "Hit-highlighting". To use
this functionality the user has to supply the CiWebhitsfile parameter to
the null.htw object.

The null.htw object has to be accessed from a non-existent directory,
for example http://anyiisweb.com/foo/null.htw

It is possible to use null.htw or any other object specified in the
CiTemplate template.

IV. PROOF OF CONCEPT
-------------------------
https://anyiis5.com/authBypass/null.htw?CiWebhitsfile=/protectedfile.aspx&CiRestriction=b&CiHiliteType=full
https://anyiis5.com/authBypass/null.htw?CiWebhitsfile=/some/secretfile.txt&CiRestriction=b&CiHiliteType=full
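The request shape described above (a .htw object asked to highlight another file via CiWebhitsfile) is easy to pick out of IIS logs. The following detector is an added example, not part of the advisory; it assumes a W3C extended log with the field order given in FIELDS and runs over constructed sample lines.

```python
"""Flag IIS5 Hit-highlighting (null.htw / CiWebhitsfile) requests in W3C logs.
Added example for this advisory, not the author's code; the log field order
below is an assumption and the sample lines are constructed, not real traffic."""
from urllib.parse import parse_qs

# Assumed W3C extended log field order (adjust to the server's #Fields line)
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

# Constructed sample log, modelled on the advisory's proof-of-concept URLs
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2007-05-21 10:00:01 192.0.2.10 GET /index.html - 200
2007-05-21 10:00:05 192.0.2.10 GET /authBypass/null.htw CiWebhitsfile=/protectedfile.aspx&CiRestriction=b&CiHiliteType=full 200
2007-05-21 10:00:09 192.0.2.11 GET /protected/report.htw CiWebhitsfile=/some/secretfile.txt&CiRestriction=b 200
2007-05-21 10:00:12 192.0.2.12 GET /protectedfile.aspx - 401
"""

def parse_line(line):
    """Split one W3C log line into a dict keyed by FIELDS; None for comments or short lines."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def webhits_target(entry):
    """Return the CiWebhitsfile value when a .htw object is asked to highlight
    another file, else None. Query names are matched case-insensitively, as
    IIS treats them; the advisory notes any CiTemplate object, not only null.htw."""
    if not entry["cs-uri-stem"].lower().endswith(".htw"):
        return None
    query = parse_qs(entry["cs-uri-query"])  # "-" (no query) parses to {}
    for key, values in query.items():
        if key.lower() == "ciwebhitsfile" and values:
            return values[0]
    return None

def find_bypass_attempts(log_text):
    """Return (client IP, .htw stem, highlighted target, status) for each suspect request."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        target = webhits_target(entry)
        if target is not None:
            hits.append((entry["c-ip"], entry["cs-uri-stem"], target, entry["sc-status"]))
    return hits

if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print("possible Hit-highlighting auth bypass:", hit)
```

A 200 status on such a request against a path that normally answers 401 is the signal worth alerting on; the .htw mapping itself only exists where the Index Server ISAPI extension is still enabled.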

V. BUSINESS IMPACT
-------------------------
The impact depends on the web contents. Attackers could gain access to
all protected documents and ASP code.

Once an attacker can access a trusted zone, the probability of obtaining
command execution is higher.

VI. SYSTEMS AFFECTED
-------------------------
Internet Information Services Version 5, any Service Pack.

VII. SOLUTION
-------------------------
Protect the files with NTFS filesystem permissions instead of relying on
IIS protection.

Microsoft recommends not using IISv5 and updating to IISv6.

VIII. REFERENCES
-------------------------
http://support.microsoft.com/kb/328832

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com)

X. REVISION HISTORY
-------------------------
December 15, 2006: Initial release.
March 19, 2007: Latest revision.
March 27, 2007: First notification to the vendor.
Response: under revision.
April 11, 2007: The vendor considers minor changes to their KB article.
April 12, 2007: We accept this and propose adding comments about the
severity of the problem. Rejected by vendor.
May 21, 2007: Published, as the vendor's published information is
considered insufficiently detailed.

XI. DISCLOSURE TIMELINE
-------------------------
December 15, 2006: Vulnerability acquired by
Jesus Olmos Gonzalez (Internet Security Auditors)

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors, S.L. accepts no responsibility for any
damage caused by the use or misuse of this information.