IIS Reveals File Contents

Active Server Pages Vulnerable to Code Exposure
Reported July 1, 98 by Paul Ashton on NTBugTraq

SYSTEMS AFFECTED
  • Microsoft Internet Information Server versions 1.0, 2.0, 3.0 and 4.0
  • Microsoft Peer Web Server versions 2.0, 3.0
  • Microsoft Personal Web Server version 4.0 on Windows NT 4.0 Workstation

DESCRIPTION

A problem was discovered that affects Microsoft Internet Information Server (IIS). Web clients can read the contents of any NTFS file in an IIS directory to which they have been granted "read access", including Active Server Pages scripts. The main data stream, which stores the primary content, has an attribute called $DATA. Accessing this NTFS stream via IIS from a browser may display the contents of a file that is normally set to be acted upon by an Application Mapping.

The problem does not allow the user to modify the script or to execute arbitrary code.

According to Microsoft, for the problem to occur:

  • The user must know the name of the file
  • The ACLs on the file must allow the user read access
  • The file must reside on an NTFS partition

HOW IT WORKS

To test for the vulnerability on your systems, choose a URL with an .ASP extension and append the string "::$DATA". For example:

http://www.somedomain.com/scripts/test.asp::$DATA
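To check whether such requests have already reached a server, the web logs can be searched for the same suffix. The following is an added example, not part of the original advisory: the log field layout, the sample lines, and the function name `find_stream_requests` are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample in W3C extended log style; the field layout is an assumption.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
1998-07-02 10:15:01 192.0.2.10 GET /scripts/test.asp 200
1998-07-02 10:15:07 192.0.2.10 GET /scripts/test.asp::$DATA 200
1998-07-02 10:15:09 192.0.2.44 GET /scripts/test.asp%3A%3A%24data 404
1998-07-02 10:16:30 198.51.100.7 GET /docs/a::b.htm 200
"""

# NTFS stream names are case-insensitive, so match ::$DATA in any case,
# and only when it terminates the requested path.
STREAM_SUFFIX = re.compile(r"::\$data$", re.IGNORECASE)


def find_stream_requests(log_text):
    """Return (client, raw_path, status, served) for each ::$DATA request."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        raw = row.get("cs-uri-stem", "")
        # Normalise percent-encoding in case the log recorded the path as sent.
        if STREAM_SUFFIX.search(unquote(raw)):
            status = int(row.get("sc-status", "0"))
            # A 2xx answer means the file body may have been returned.
            hits.append((row.get("c-ip"), raw, status, 200 <= status < 300))
    return hits


if __name__ == "__main__":
    for client, raw, status, served in find_stream_requests(SAMPLE_LOG):
        verdict = "REVIEW: content served" if served else "rejected"
        print(f"{client} {raw} -> {status} {verdict}")
```

Requests flagged with a 2xx status are the ones to review first, since the script source may have been returned to the client.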

MICROSOFT'S RESPONSE

Microsoft has produced a hotfix for Microsoft Internet Information Server versions 3.0 and 4.0. Additionally, some administrative workarounds are included in the document located at:

http://www.microsoft.com/security/bulletins/ms98-003.htm

HOW TO FIX IT

People using IIS versions 3.0 and 4.0 should apply the hotfix -- users of previous versions of IIS should consider upgrading to a more recent version (3.0 or 4.0). The following hotfixes are available from the Microsoft FTP site:

ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/

  • IIS 3.0 (Intel x86) hotfix, /iis3-datafix/iis3fixi.exe
  • IIS 3.0 (Alpha) hotfix, /iis3-datafix/iis3fixa.exe
  • IIS 4.0 (Intel x86) hotfix, /iis4-datafix/iis4fixi.exe
  • IIS 4.0 (Alpha) hotfix, /iis4-datafix/iis4fixa.exe

Users who cannot apply the hotfix can remove "read" access for all .ASP files for non-admin user accounts. Additionally, the Application Maps can be modified to include ".ASP::$DATA".

More details on this workaround are available in Microsoft's Knowledge Base article Q188806.

To learn more about new NT security concerns, subscribe to NTSD.

Credit:
Reported by: Paul Ashton on NTBugTraq
Posted here at NTSecurity.Net July 10, 1998