Attack Vector (AV): Network
The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed "remotely exploitable" and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity (AC): Low
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required (PR): None
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction (UI): None
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system; a locally authenticated attacker executes code to elevate privileges.
Scope (S): Unchanged
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality (C): High
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity (I): High
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability (A): High
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
=============================================
INTERNET SECURITY AUDITORS ALERT 2006-013
- Original release date: December 15, 2006
- Last revised: May 22, 2007
- Discovered by: Jesus Olmos Gonzalez
- Severity: 5/5
=============================================
I. VULNERABILITY
-------------------------
Microsoft IIS5 NTLM and Basic authentication bypass
II. BACKGROUND
-------------------------
Microsoft Internet Information Server Web Server can protect the
private contents with a basic or NTLM authentication.
Many web pages, intranets and extranets rely on Microsoft security.
IISv5 has a "Hit-highlighting" functionality that opens some site
object and highlights some part of it; that functionality has had a
traversal vulnerability in the past. Now it can be used to bypass the IIS
authentication.
This is poorly documented in Microsoft KnowledgeBase article
http://support.microsoft.com/kb/328832; the real impact is detailed below.
III. DESCRIPTION
-------------------------
Any Internet user can access the private web directories and files of
any IISv5 web site by highlighting them with "Hit-highlighting". To use this
functionality the user has to supply the CiWebhitsfile parameter to
the null.htw object.
The null.htw object has to be accessed from a non-existent directory,
for example http://anyiisweb.com/foo/null.htw
It is possible to use null.htw or any other object specified in the
CiTemplate template.
IV. PROOF OF CONCEPT
-------------------------
https://anyiis5.com/authBypass/null.htw?CiWebhitsfile=/protectedfile.aspx&CiRestriction=b&CiHiliteType=full
https://anyiis5.com/authBypass/null.htw?CiWebhitsfile=/some/secretfile.txt&CiRestriction=b&CiHiliteType=full
V. BUSINESS IMPACT
-------------------------
The impact depends on the web contents. Attackers could gain access to
all protected documents and to ASP source code.
Once an attacker has access to a trusted zone, the probability of
obtaining command execution is higher.
VI. SYSTEMS AFFECTED
-------------------------
Internet Information Services Version 5, any Service Pack.
VII. SOLUTION
-------------------------
Protect the files with NTFS filesystem permissions instead of relying on
the IIS protection.
Microsoft recommends not using IISv5 and upgrading to IISv6.
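Because the bypass leaves an ordinary request record in the web server log (a request for a .htw object whose CiWebhitsfile parameter names another file, as in the description and proof of concept above), it can be reviewed after the fact. The following is an added example, not part of the advisory: it parses IIS W3C extended log lines and reports every hit-highlighting request that names a CiWebhitsfile, so an administrator can check each named file against the NTFS permissions recommended in the solution. The log lines are constructed for illustration; the field names are the standard W3C extended log fields IIS writes.

```python
"""Report hit-highlighting (.htw) requests from IIS W3C extended logs.

Added example, not from the advisory. SAMPLE_LOG is constructed.
"""
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample log in W3C extended format with a #Fields directive.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2006-12-15 10:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2006-12-15 10:00:01 198.51.100.7 GET /index.asp - 200
2006-12-15 10:00:02 198.51.100.7 GET /authBypass/null.htw CiWebhitsfile=/protectedfile.aspx&CiRestriction=b&CiHiliteType=full 200
2006-12-15 10:00:03 203.0.113.9 GET /private/report.asp - 401
2006-12-15 10:00:04 198.51.100.7 GET /foo/NULL.HTW CiWebhitsfile=%2Fsome%2Fsecretfile.txt&CiRestriction=b 200
2006-12-15 10:00:05 192.0.2.5 GET /search/search.htw CiWebhitsfile=/docs/public.htm&CiRestriction=iis 200
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the most recent #Fields line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):          # other directives (Software, Date, ...)
            continue
        if fields is None:
            raise ValueError("log record appears before a #Fields directive")
        yield dict(zip(fields, line.split()))


def htw_findings(text):
    """Return (c-ip, stem, CiWebhitsfile, sc-status) for every request whose
    URI stem is a .htw object and whose query names a CiWebhitsfile.
    Matching is case-insensitive because IIS paths are."""
    findings = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        if not stem.lower().endswith(".htw"):
            continue
        query = rec.get("cs-uri-query", "-")
        params = parse_qs(query) if query != "-" else {}
        # parse_qs already percent-decodes, so %2F becomes '/'.
        hit_file = params.get("CiWebhitsfile", [None])[0]
        if hit_file is None:
            continue
        findings.append((rec.get("c-ip", "-"), stem, hit_file, rec.get("sc-status", "-")))
    return findings


def served_files(findings):
    """Files that were actually returned (HTTP 200) through hit-highlighting;
    each of these should be checked against its NTFS ACL."""
    return sorted({hit for _, _, hit, status in findings if status == "200"})


def requests_per_client(findings):
    """How many .htw requests each client address made."""
    return Counter(ip for ip, _, _, _ in findings)


if __name__ == "__main__":
    found = htw_findings(SAMPLE_LOG)
    for ip, stem, hit, status in found:
        print(f"{ip} requested {stem} with CiWebhitsfile={hit} -> {status}")
    print("files to review:", served_files(found))
    print("per client:", dict(requests_per_client(found)))
```

The report deliberately includes legitimate search pages such as /search/search.htw; distinguishing them from the bypass requires knowing which .htw objects exist on the server, so the expected-path check is left to the reviewer rather than hard-coded.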
VIII. REFERENCES
-------------------------
http://support.microsoft.com/kb/328832
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com)
X. REVISION HISTORY
-------------------------
December 15, 2006: Initial release
March 19, 2007: Latest revision
March 27, 2007: First notification to the vendor.
Response: under revision.
April 11, 2007: The vendor considers small changes to their KB.
April 12, 2007: We accept it and propose adding comments about the
severity of the problem. Rejected by the vendor.
May 21, 2007: Published, as the published information is
considered insufficiently detailed.
XI. DISCLOSURE TIMELINE
-------------------------
December 15, 2006: Vulnerability acquired by
Jesus Olmos Gonzalez (Internet Security Auditors)
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors, S.L. accepts no responsibility for any
damage caused by the use or misuse of this information.