Posted to dev@httpd.apache.org by Ian Kluft <ik...@cisco.com> on 1998/01/31 03:00:03 UTC
CIAC advisory about NT web servers
CIAC sent this advisory about vulnerabilities of NT-based NS and IIS web
servers. Since it appears to be a problem associated with NT in general,
someone with access to an Apache NT server may want to take a look at this.
Sorry about the long message... it was bordering on the decision whether or
not to send a URL. This is important so I opted for the message.
--
Ian Kluft KO6YQ PP-ASEL Cisco Systems, Inc.
ikluft@cisco.com (work) ikluft@thunder.sbay.org (home) San Jose, CA
Forwarded message:
> Date: Fri, 30 Jan 1998 14:51:52 -0800 (PST)
> From: CIAC Mail User <ci...@tholia.llnl.gov>
> Message-Id: <19...@tholia.llnl.gov>
> To: ciac-bulletin@tholia.llnl.gov
> Subject: CIAC Bulletin I-025A: Windows NT based Web Servers File Access Vulnerability
>
> [ For Public Release ]
> -----BEGIN PGP SIGNED MESSAGE-----
>
> __________________________________________________________
>
> The U.S. Department of Energy
> Computer Incident Advisory Capability
> ___ __ __ _ ___
> / | /_\ /
> \___ __|__ / \ \___
> __________________________________________________________
>
> INFORMATION BULLETIN
>
> Windows NT based Web Servers File Access Vulnerability
>
> January 30, 1998 21:00 GMT Number I-025A
> ______________________________________________________________________________
> PROBLEM: Some Windows NT based web servers allow access to 8.3 format
> filenames. This can allow unauthorized access to files via
> their 8.3 compatible name.
> PLATFORM: Microsoft Internet Information Server and Peer Web Server 4.0,
> Netscape FastTrack 2.x
> DAMAGE: By exploiting this vulnerability, remote users may gain
> unauthorized access to files accessed by the web server.
> SOLUTION: Apply the fixes listed in Section 3 of this advisory.
> ______________________________________________________________________________
> VULNERABILITY Exploit information involving this vulnerability has been made
> ASSESSMENT: publicly available.
> ______________________________________________________________________________
>
>
> Introduction
> ============
>
> Windows NT file systems support filenames of up to 255 characters. For
> compatibility purposes, a short filename (the 8.3 filename) is usually
> created for each file, and can be used by older applications to access
> directories and files with long names. Web server file protection of
> directories and files in long filename (not 8.3) formats can often allow
> access to the short name (8.3) equivalent without restriction. Some
> Windows NT based Web servers base their access control check for permissions
> using the long filename only, and do not include the short name that may
> be used as an alias. For example, if there was a file named
> noteightdotthree.htm, and it was protected at the file level by the web
> server (NOT the NTFS file system itself), the access of the short name
> noteig~1.htm is possible. This also applies to directories. Note that NTFS
> level file restrictions are always applied correctly because they are not
> inherently tied to the long name, but to the name stored on disk, which the
> long name references. Some web servers allow you to set access permissions
> in places other than NTFS; however, it is the implementation of these controls
> that is causing the vulnerability.
>
> The characteristics of this vulnerability also appear in IIS 3.0 and PWS
> 3.0, but only at the directory level. Using the long file name in IIS or PWS
> 3.0 to protect an execute-only directory inside a read-execute or read-only
> directory is not recommended. Microsoft has stated that they do not consider
> it a bug, but a 'bad' practice.
>
> This vulnerability may easily affect other Windows NT based WWW servers.
> CIAC recommends that you check with your vendor to ensure your WWW server
> does not exhibit this characteristic.
>
> Problem
> =======
>
> This vulnerability permits attackers to gain unauthorized access to files
> on the Web server. It may be used to download the source code of
> server scripts in some configurations. If exploited it can give an
> intruder access to any file that the web server can access.
>
> Prevention
> ==========
>
> Microsoft IIS 4.0 and PWS 4.0
> ==============================
>
> Microsoft has developed a hot-fix to correct the problem. CIAC has
> verified that the hot-fix corrects the problem described above, but has
> not done any regression testing. Instructions for installing it are
> available from Microsoft. Microsoft recommends that you update your
> Emergency Repair Disk before you apply the patch, as they have not
> regression tested the hot-fix.
>
>
> Microsoft's patch location:
>
> Windows NT 4.0 (CIAC recommends that Service Pack 3 is installed first):
>
> ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/sfn-fix/
>
>
>
> Microsoft IIS 3.0 and PWS 3.0
> ==============================
>
> Although Microsoft does not consider this a bug, CIAC recommends that you
> ensure directory access controls are not nested. Verify that WWW server
> protections are not being used to enforce protection for execute-only
> directories that reside in read-only or read-execute directories.
>
>
> Netscape FastTrack 2.x
> =======================
>
> Netscape will be producing patches.
>
>
> _______________________________________________________________________
> Thanks to:
> NtBugtraq Mailing List (NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM)
> David LeBlanc <dl...@iss.net>
> Michael Howard <mi...@microsoft.com>
> _______________________________________________________________________
>
>
> CIAC, the Computer Incident Advisory Capability, is the computer
> security incident response team for the U.S. Department of Energy
> (DOE) and the emergency backup response team for the National
> Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
> National Laboratory in Livermore, California. CIAC is also a founding
> member of FIRST, the Forum of Incident Response and Security Teams, a
> global organization established to foster cooperation and coordination
> among computer security teams worldwide.
>
> CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
> can be contacted at:
> Voice: +1 510-422-8193
> FAX: +1 510-423-8002
> STU-III: +1 510-423-2604
> E-mail: ciac@llnl.gov
>
> For emergencies and off-hour assistance, DOE, DOE contractor sites,
> and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
> 8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
> or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
> Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
> duty person, and the secondary PIN number, 8550074 is for the CIAC
> Project Leader.
>
> Previous CIAC notices, anti-virus software, and other information are
> available from the CIAC Computer Security Archive.
>
> World Wide Web: http://www.ciac.org/
> (or http://ciac.llnl.gov -- they're the same machine)
> Anonymous FTP: ftp.ciac.org
> (or ciac.llnl.gov -- they're the same machine)
> Modem access: +1 (510) 423-4753 (28.8K baud)
> +1 (510) 423-3331 (28.8K baud)
>
> CIAC has several self-subscribing mailing lists for electronic
> publications:
> 1. CIAC-BULLETIN for Advisories, highest priority - time critical
> information and Bulletins, important computer security information;
> 2. SPI-ANNOUNCE for official news about Security Profile Inspector
> (SPI) software updates, new features, distribution and
> availability;
> 3. SPI-NOTES, for discussion of problems and solutions regarding the
> use of SPI products.
>
> Our mailing lists are managed by a public domain software package
> called Majordomo, which ignores E-mail header subject lines. To
> subscribe (add yourself) to one of our mailing lists, send the
> following request as the E-mail message body, substituting
> ciac-bulletin, spi-announce OR spi-notes for list-name:
>
> E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
> subscribe list-name
> e.g., subscribe ciac-bulletin
>
> You will receive an acknowledgment email immediately with a confirmation
> that you will need to mail back to the addresses above, as per the
> instructions in the email. This is a partial protection to make sure
> you are really the one who asked to be signed up for the list in question.
>
> If you include the word 'help' in the body of an email to the above address,
> it will also send back an information file on how to subscribe/unsubscribe,
> get past issues of CIAC bulletins via email, etc.
>
> PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
> communities receive CIAC bulletins. If you are not part of these
> communities, please contact your agency's response team to report
> incidents. Your agency's team will coordinate with CIAC. The Forum of
> Incident Response and Security Teams (FIRST) is a world-wide
> organization. A list of FIRST member organizations and their
> constituencies can be obtained via WWW at http://www.first.org/.
>
> This document was prepared as an account of work sponsored by an
> agency of the United States Government. Neither the United States
> Government nor the University of California nor any of their
> employees, makes any warranty, express or implied, or assumes any
> legal liability or responsibility for the accuracy, completeness, or
> usefulness of any information, apparatus, product, or process
> disclosed, or represents that its use would not infringe privately
> owned rights. Reference herein to any specific commercial products,
> process, or service by trade name, trademark, manufacturer, or
> otherwise, does not necessarily constitute or imply its endorsement,
> recommendation or favoring by the United States Government or the
> University of California. The views and opinions of authors expressed
> herein do not necessarily state or reflect those of the United States
> Government or the University of California, and shall not be used for
> advertising or product endorsement purposes.
>
> LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
>
> I-015: SGI IRIX Vulnerabilities (syserr and permissions programs)
> I-016: SCO /usr/bin/X11/scoterm Vulnerability
> I-017: statd Buffer Overrun Vulnerability
> I-018: FTP Bounce Vulnerability
> I-019: Tools Generating IP Denial-of-Service Attacks
> I-020: Cisco 7xx password buffer overflow - DOS
> I-021: "smurf" IP Denial-of-Service Attacks
> I-022: IBM AIX "routed" daemon Vulnerability
> I-023: Macro Virus Update
> I-024: CGI Security Hole in EWS1.1 Vulnerability
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: 4.0 Business Edition
>
> iQCVAwUBNNJUkLnzJzdsy3QZAQGIiQQAkwZr21E0LTTeVwT+0BmzdnXSCDbZ4i5g
> XveNQ6lPPRTi1RK7gZQZgtWG0P2N6UAF5LyXzMZCh4XpiXwfghN0A7/1sI5GBAF0
> cLWJVCmV8EEALij4pamSQYiFzAMCawcQxP1kANGQcI//0grBiQxQOiSTWobVZRwm
> tQwrHbbAEpo=
> =Q35R
> -----END PGP SIGNATURE-----
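The mechanism the advisory describes (a web-server ACL keyed on the long filename, bypassed by requesting the 8.3 alias) is easy to lose in the prose, so here is a small model of it. This is an added example, not code from the advisory, from IIS or Netscape, or from the Apache project. The directory tree, the deny list and the request paths are constructed; the short-name rule is a simplified version of the NTFS one and is labelled as such in the code.

```python
"""Toy model of the 8.3 short-name alias bypass described in CIAC I-025A.

This is a constructed example, not code from the advisory, IIS, Netscape
FastTrack or Apache. The filesystem tree and the deny list below are made
up. The short-name rule is a simplified form of what NTFS does: the first
six legal characters of the stem, "~N", and the first three characters of
the extension, upper-cased. Real NTFS switches to a hashed stem after the
fourth collision and has other special cases (leading-dot names, ordinals
of two or more digits) that are ignored here.
"""
import re
from typing import Optional

# Constructed directory tree: a dict per directory, None per file.
FS = {
    "public": {"index.htm": None},
    "protectedarea": {"noteightdotthree.htm": None, "secret.htm": None},
    "protectedarchive": {"old.htm": None},
}

# Web-server-level protection written in long-name form, as the advisory
# describes. This is not an NTFS ACL, which is exactly why the alias
# slips past it.
DENY_DIRS = {"protectedarea", "protectedarchive"}

# Characters NTFS allows in a short name; everything else is dropped.
_ILLEGAL = re.compile(r"[^A-Z0-9!#$%&'()@^_`{}~-]")


def short_name(long_name: str, ordinal: int = 1) -> str:
    """Return the 8.3 alias NTFS would assign (simplified), or the name
    itself upper-cased when it is already a legal 8.3 name."""
    stem, dot, ext = long_name.rpartition(".")
    if not dot:
        stem, ext = long_name, ""
    stem_u, ext_u = stem.upper(), ext.upper()
    stem_c, ext_c = _ILLEGAL.sub("", stem_u), _ILLEGAL.sub("", ext_u)
    if stem_c == stem_u and ext_c == ext_u and len(stem_c) <= 8 and len(ext_c) <= 3:
        return long_name.upper()          # already legal: no alias needed
    alias = stem_c[:6] + "~" + str(ordinal)
    return alias + ("." + ext_c[:3] if ext_c else "")


def _name_table(entries: dict) -> dict:
    """Map every name a directory answers to (long and short, lower-cased,
    since NTFS lookups are case-insensitive) to the long name."""
    table = {name.lower(): name for name in entries}
    for name in entries:
        if short_name(name).lower() == name.lower():
            continue                      # legal 8.3 already; no alias
        n = 1                             # bump ~N on collision, as NTFS does
        while short_name(name, n).lower() in table:
            n += 1
        table[short_name(name, n).lower()] = name
    return table


def canonical_path(path: str) -> Optional[str]:
    """Resolve a request path, segment by segment, to its long-name form.
    Returns None when any segment does not exist."""
    node = FS
    resolved = []
    for segment in path.strip("/").split("/"):
        if not isinstance(node, dict):    # walked past a file
            return None
        long_form = _name_table(node).get(segment.lower())
        if long_form is None:
            return None
        resolved.append(long_form)
        node = node[long_form]
    return "/".join(resolved)


def _first_dir(path: str) -> str:
    return path.strip("/").split("/")[0].lower()


def vulnerable_allowed(path: str) -> bool:
    """Flawed check from the advisory: compares the request as typed against
    a rule written in long-name form. "PROTEC~1/..." never matches it."""
    return _first_dir(path) not in DENY_DIRS


def hardened_allowed(path: str) -> bool:
    """Canonicalise to the long name first, then apply the same rule.
    Anything the filesystem cannot resolve is denied."""
    canon = canonical_path(path)
    return canon is not None and _first_dir(canon) not in DENY_DIRS


if __name__ == "__main__":
    for req in ("protectedarea/noteightdotthree.htm", "PROTEC~1/NOTEIG~1.HTM",
                "PROTEC~2/OLD.HTM", "public/index.htm"):
        print(f"{req:38} canonical={canonical_path(req)!s:38} "
              f"flawed={vulnerable_allowed(req)} hardened={hardened_allowed(req)}")
```

The point of the hardened check is not the string comparison but where the name comes from: it asks the (here, simulated) filesystem which object a request names and only then consults the rule, so every alias collapses onto the spelling the rule was written in. On a real Windows host the filesystem itself supplies that step (GetLongPathNameW, or os.path.realpath in Python 3.8 and later, returns the long form), and `dir /x` or `fsutil 8dot3name query` will show you whether short names are being generated at all. The advisory's other remedy, enforcing the restriction as an NTFS ACL, works for the same reason: the ACL is attached to the file, not to one of its names.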
Re: CIAC advisory about NT web servers
Posted by Brian Behlendorf <br...@organic.com>.
At 06:00 PM 1/30/98 -0800, Ian Kluft wrote:
>CIAC sent this advisory about vulnerabilities of NT-based NS and IIS web
>servers. Since it appears to be a problem associated with NT in general,
>someone with access to an Apache NT server may want to take a look at this.
If only CIAC credited the source of the original report, you'd realize
we've looked into this. :)
Brian
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
specialization is for insects brian@organic.com
Re: CIAC advisory about NT web servers
Posted by Marc Slemko <ma...@worldgate.com>.
On Fri, 30 Jan 1998, Ian Kluft wrote:
> CIAC sent this advisory about vulnerabilities of NT-based NS and IIS web
> servers. Since it appears to be a problem associated with NT in general,
> someone with access to an Apache NT server may want to take a look at this.
>
> Sorry about the long message... it was bordering on the decision whether or
> not to send a URL. This is important so I opted for the message.
Naw, we would never be vulnerable to something that dumb. Only a real
moron programmer could have a security hole that big. (note that I
am only saying this so someone can point out a hole just as bad in
Apache for NT, which I don't doubt exists, so it can be fixed...)
In fact, I happen to be the one that found the hole referred to in the
CIAC advisory. <g>
Hmm... Netscape has only taken.. what... nearly a month so far and
still no patch?