Microsoft IIS5 NTLM and Basic authentication bypass

2007.05.24
Risk: High
Local: No
Remote: Yes
CWE: CWE-264


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

=============================================
INTERNET SECURITY AUDITORS ALERT 2006-013
- Original release date: December 15, 2006
- Last revised: May 22, 2007
- Discovered by: Jesus Olmos Gonzalez
- Severity: 5/5
=============================================

I. VULNERABILITY
-------------------------
Microsoft IIS5 NTLM and Basic authentication bypass

II. BACKGROUND
-------------------------
Microsoft Internet Information Server can protect private content with Basic or NTLM authentication. Many web pages, intranets and extranets rely on this Microsoft security mechanism.

IISv5 has a "Hit-highlighting" functionality that opens a site object and highlights part of it; it has had a directory traversal vulnerability in the past. Now it can be used to bypass IIS authentication. This is poorly documented in the Knowledge Base article at http://support.microsoft.com/kb/328832; the real impact is detailed below.

III. DESCRIPTION
-------------------------
Any Internet user can access the private web directories and files of any IISv5 site by highlighting them with "Hit-highlighting". To use this functionality the user has to supply the CiWebhitsfile parameter to the null.htw object. The null.htw object has to be accessed from a non-existent directory, for example http://anyiisweb.com/foo/null.htw

It is possible to use null.htw or another object specified in the CiTemplate template.

IV. PROOF OF CONCEPT
-------------------------
https://anyiis5.com/authBypass/null.htw?CiWebhitsfile=/protectedfile.aspx&CiRestriction=b&CiHiliteType=full
https://anyiis5.com/authBypass/null.htw?CiWebhitsfile=/some/secretfile.txt&CiRestriction=b&CiHiliteType=full

V. BUSINESS IMPACT
-------------------------
The impact depends on the web contents. Attackers could gain access to all protected documents, including ASP source code. When an attacker accesses a trusted zone, the probability of obtaining command execution is higher.

VI. SYSTEMS AFFECTED
-------------------------
Internet Information Services version 5, any Service Pack.

VII. SOLUTION
-------------------------
Protect the files with NTFS filesystem permissions instead of relying on the IIS protection. Microsoft recommends not using IISv5 and upgrading to IISv6.

VIII. REFERENCES
-------------------------
http://support.microsoft.com/kb/328832

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com)

X. REVISION HISTORY
-------------------------
December 15, 2006: Initial release
March 19, 2007: Latest revision
March 27, 2007: First notification to the vendor. Response: under revision.
April 11, 2007: The vendor considers small changes to their KB article.
April 12, 2007: We accept it and propose adding comments about the severity of the problem. Rejected by vendor.
May 21, 2007: Published, as the published vendor information is considered insufficiently detailed.

XI. DISCLOSURE TIMELINE
-------------------------
December 15, 2006: Vulnerability acquired by Jesus Olmos Gonzalez (Internet Security Auditors)

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.
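Since the advisory's own fix is to move protection to NTFS permissions, a defender who cannot retire IISv5 immediately still wants to know whether hit-highlighting has been used to reach protected paths. The following script is an added example (not part of the advisory and not Internet Security Auditors' code): it parses IIS W3C extended log lines, picks out requests to .htw objects carrying a CiWebhitsfile parameter, and flags those whose target lies under a path the site protects with IIS authentication. The log excerpt and the "/private/" prefix are constructed assumptions for this example; substitute your own log fields and protected paths.

```python
"""Scan IIS W3C extended log lines for hit-highlighting (.htw) requests whose
CiWebhitsfile parameter points into a path that IIS authentication protects."""
from urllib.parse import parse_qs

# Constructed sample log excerpt in W3C extended format (not real traffic).
# Note the direct request to /private/report.aspx gets 401, while the
# null.htw request naming the same file through CiWebhitsfile gets 200.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2007-05-22 10:01:02 192.0.2.10 GET /index.asp - 200
2007-05-22 10:01:05 192.0.2.10 GET /private/report.aspx - 401
2007-05-22 10:01:09 192.0.2.10 GET /foo/null.htw CiWebhitsfile=/private/report.aspx&CiRestriction=b&CiHiliteType=full 200
2007-05-22 10:02:11 192.0.2.11 GET /search/query.htw CiWebhitsfile=/public/faq.txt&CiRestriction=iis 200
2007-05-22 10:03:40 192.0.2.12 GET /foo/null.htw CiWebhitsfile=%2Fprivate%2Fsecret.txt&CiRestriction=b 200
"""

# Assumed for this example: virtual paths that sit behind Basic/NTLM auth.
PROTECTED_PREFIXES = ("/private/",)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign
        yield dict(zip(fields, values))


def find_htw_access(text, protected_prefixes=PROTECTED_PREFIXES):
    """Return every .htw request that names a file via CiWebhitsfile.

    Each hit records the client, the .htw object requested, the normalised
    target path, the HTTP status, and whether the target is under a protected
    prefix. A 200 on a protected target is the bypass pattern the advisory
    describes, since the same file fetched directly would return 401."""
    hits = []
    lowered_prefixes = tuple(p.lower() for p in protected_prefixes)
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        if not stem.lower().endswith(".htw"):
            continue
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        # IIS treats query parameter names case-insensitively; parse_qs does not,
        # so fold keys to lower case. parse_qs also percent-decodes the values.
        params = {k.lower(): v for k, v in parse_qs(query, keep_blank_values=True).items()}
        for target in params.get("ciwebhitsfile", []):
            norm = "/" + target.replace("\\", "/").lstrip("/")
            hits.append({
                "client": rec.get("c-ip"),
                "htw": stem,
                "target": norm,
                "status": rec.get("sc-status"),
                "protected": norm.lower().startswith(lowered_prefixes),
            })
    return hits


if __name__ == "__main__":
    for hit in find_htw_access(SAMPLE_LOG):
        flag = "PROTECTED" if hit["protected"] else "public"
        print(f'{hit["client"]} {hit["htw"]} -> {hit["target"]} [{hit["status"]}] {flag}')
```

Run against real logs, a status of 200 on a flagged protected target is the signal worth an incident ticket; until the hosts are migrated off IISv5, the same list of protected prefixes is where NTFS ACLs should be applied so that the Indexing Service cannot read the files on the anonymous user's behalf.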


Copyright 2017, cxsecurity.com
