Personal web server
kiborg (contact@kiborg.net)
Wed, 17 Jan 1996 22:30:13 +0200

Hello,

Sorry if this is already known, but I didn't find anything of the sort.
While playing with Microsoft Personal Web Server (FrontPage-PWS32/3.0.2.926),
I found that the following URL will list the root directory and be able to
download any file you want.

  http://www.victim.com/....../

  Index of /....../

  WINDOWS
  My Documents
  Program Files
  FrontPage Webs
  AUTOEXEC.BAT
  COMMAND.COM
  and so on.......

-----
contact@kiborg.net
Your letters, raindrops,              http://www.kiborg.net
will tell me so much pa pa-rara !

---------------------------------------------------------------------------
Re: Personal web server
Sean Coates (sean@SPATULA.ML.ORG)
Mon, 18 Jan 1999 14:12:32 -0400

kiborg wrote:
> Hello,
>
> Sorry if this has already been known. But i didn't find something of the
> sort.
> While playing with Microsoft Personal Web Server
> (Frontpage-PWS32/3.0.2.926).
> I found that the following URL will list the root directory and be able to
> download any file you want.
> http://www.victim.com/....../
>

That seems to be fixed in the Windows 98 version of PWS
(http://24.231.6.49/....../ returns server error 161).

Sean Coates
scoates@usa.net
sean@spatula.ml.org

---------------------------------------------------------------------------
Date: Tue, 19 Jan 1999 10:21:24 -0800
From: Aleph One
To: BUGTRAQ@netspace.org
Subject: Re: Personal web server

Here is some feedback from people. Results vary wildly.

No:
  Windows NT 4.0 SP3 ("kiborg")
  Windows NT 4.0 SP4 (Russ)
  Windows NT 4.0 SP4, PWS 4.02.0622
  Windows 2000 beta 2 ("John Sweeney")
  Windows 98 (Sean Coates scoates@usa.ne)

Yes:
  Windows 95 ("kiborg")
  Windows 98 ("kiborg")
  Windows 98 + fixes & patches ("David Schwartz")

Someone mentioned this may be the fault of FrontPage. It asks you to install
PWS when you install FP. It may be possible that FP is configuring PWS in
such a way as to leave it open.
--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

---------------------------------------------------------------------------
Date: Thu, 18 Jan 1996 23:44:37 +0200
From: kiborg
To: BUGTRAQ@netspace.org
Subject: Re: Personal web server

> An attempt to do this on a Windows NT 4.0 WS (with SP4) failed with a
> 404 error as expected.

Yes, on NT 4.0 (SP3) I get the same.

  404 Not Found
  The requested URL /....../ was not found on this server.

> Maybe Kiborg can tell us on what platform this was successfully
> performed on together with what, if any, security was configured on said
> box.

I did check on:
  Win95: worked.
  Win98: worked.
  NT 4.0 (SP3): failed with 404 error.

> Obviously /....../ shouldn't match to any directory by any convention
> I'm aware of, so its clearly some sort of problem. To determine,
> however, the extent of the risks for Win9x users of PWS we should know
> how the site was being secured, configured, and accessed.

Well, I discovered that

  http://127.0.0.1/..../
  or
  http://127.0.0.1/........./

(must be more than 3 dots, /..../) will show the root directory.

-----
contact@kiborg.net
Your letters, raindrops,              http://www.kiborg.net
will tell me so much pa pa-rara !

---------------------------------------------------------------------------
Date: Tue, 19 Jan 1999 13:51:48 -0800
From: Michael Howard
To: BUGTRAQ@netspace.org
Subject: Re: Personal web server

The FrontPage team are looking at it now. As Sean noted, the IIS codebase in
PWS does not have this issue. I'll forward more info to this alias as soon
as I get more info from the FP team.

Cheers, MH
IIS Security

---------------------------------------------------------------------------
Date: Tue, 19 Jan 1999 15:13:51 MST
From: Fredrick Moore
To: BUGTRAQ@netspace.org
Subject: Re: Personal Web Server

> From: Ilya Varlashkin
>
> GET /....../
>
> 404 Not Found
>
> The requested URL /....../ was not found on this server.
>
> Connection closed by foreign host.

Kiborg was right, it works. My testing:

  Server: FrontPage-PWS32/3.0.2.926
  OS: Win95

During the installation process I installed only PWS without any other
components. Let's test:

  http://127.0.0.1/....../
  Index of /....../                                         (worked)

I removed PWS and installed the Typical setup (including FrontPage client
software, Personal Web Server, FrontPage extensions). Let's test:

  http://127.0.0.1/....../
  404 Not Found
  The requested URL /....../ was not found on this server.  (failed)

OK, let's run command.com:

  C:\windows\other\dirs\>cd \......\
  C:\>

Maybe this is the problem? Does this work with Win98??

> So it seems something is wrong with your PWS settings

Maybe, but I installed freshly without changing anything. Anyway, I think
Microsoft must check this out.

---------------------------------------------------------------------------
Date: Tue, 19 Jan 1999 18:37:55 -0400
From: Sean Coates
To: BUGTRAQ@netspace.org
Subject: Re: Personal web server

Michael Howard wrote:
> the frontpage team are looking at it now - as sean noted, the iis codebase
> in pws does not have this issue. i'll fwd more info to this alias as soon as
> i get more info from the fp team.
>
> Cheers, MH
> IIS Security
>

It seems that servers which are branded "IIS" _DO_ have the problem, and
servers branded with "PWS" do NOT have the problem.

For instance, the server at 24.231.6.49 returns a server version of
"Microsoft-PWS-95/2.0", yet the server at 24.231.6.205 returns
"Microsoft-IIS/4.0" and the server at 24.231.6.2 (www.ebci.ca) returns
"Microsoft-IIS/4.0 Beta 3". The *.49 server is not vulnerable, and neither
is the *.2 server, but the *.205 server IS vulnerable (I told the admin of
this machine about the problem, so it may be fixed by the time this reaches
bugtraq).

By talking to the admin of each server, I've concluded that the *.49 server
is a downloaded version of PWS running on Windows 98, the *.205 server is
PWS from the Windows 98 CD (OEM, as far as I know) running on Win98, and the
*.2 server is actually IIS running on Windows NT Server 4.

Sorry about the confusion of my earlier post; hope this clears it up. My
luck, it'll probably just make it worse. (-;

Sean Coates
sean@spatula.ml.org
scoates@usa.net

---------------------------------------------------------------------------
Date: Wed, 20 Jan 1999 11:57:19 +0300
From: Victor Lavrenko
To: BUGTRAQ@netspace.org
Subject: Bug in IIS and PWS but only for Windows 9x. Re: Personal web server

>>>>> "Aleph" == Aleph One writes:

Hello everybody.

This bug exists because Windows 9x has a nice feature. When you execute
"cd .." it goes to the parent directory, and "cd ..." goes to the parent
directory of the parent directory, etc. Windows NT has no such feature, so
it isn't exploitable. IIS 4.0 and PWS 3.0 are exploitable while executed
under Windows 9x only, not Windows NT.

Aleph> No:
Aleph>   Windows NT 4.0 SP3 ("kiborg")
Aleph>   Windows
[skip]
Aleph>   Windows 98 (Sean Coates scoates@usa.ne)

Sean checked a box with PWS 2.0. Due to another bug in its core, it seems
that is not exploitable. PWS 3.0 doesn't have such a bug, so it is
exploitable.

Aleph> Yes:
Aleph>   Windows 95 ("kiborg")
Aleph>   Windows 98
[skip]
Aleph> it open.

PWS and IIS (they have the same core) check for ".." in the URL, but don't
check for "...", "...." etc.

Summary:
1. IIS 4.0 and PWS 3.0 exploitable under Windows 9x.
2. IIS (any version) and PWS (any version) not exploitable under Windows NT.
3. PWS 2.0 and (possibly) IIS 3.0 not exploitable under Windows 9x.
--
Victor Lavrenko
Homepage: http://www.lavrenko.pp.ru/
E-mail: lavrenko@mcst.ru lavrenko@cs.msu.su
Fingerprint: 35 D0 98 8D 96 E5 F4 BA 59 FB 9D 29 92 26 F5 59

---------------------------------------------------------------------------
Date: Wed, 20 Jan 1999 16:59:48 -0800
From: Aleph One
To: BUGTRAQ@netspace.org
Subject: Re: Personal web server

Here is a summary of the problem so far.

Windows 95/98 treat "...." as "..\.." and "......" as "..\..\..". Personal
Web Server does not check for these "aliases" and allows the request. This
can be used to access files and directories above the virtual web root.
Disabling directory browsing only does what it says: disables directory
browsing. If an attacker can guess the path and name of a file, and it is
on the same drive as the web server, he can retrieve the file.

The problem only affects FrontPage Personal Web Server. This is the version
shipped with FrontPage. The version not affected is the Microsoft Personal
Web Server.

I thought we'd seen the last of these Windows file alias vulnerabilities.
Guess I was wrong. Incredible the amount of cruft the Windows file name
parser will take. Wonder what other wonderful aliases are waiting to be
discovered.

--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

---------------------------------------------------------------------------
Date: Thu, 21 Jan 1999 12:03:57 -0800
From: Aleph One
To: BUGTRAQ@netspace.org
Subject: Re: Personal web server

Thanks to Xiaoyong Wu for pointing out more Windows weirdness. Under
Windows NT 4.0 SP3:

  C:\> cd TEMP
  C:\TEMP> cd ...
  C:\TEMP> cd ....
  C:\TEMP> cd .....
  C:\TEMP>

[ It seems NT interprets N+3 dots as '.' ]

  C:\TEMP> cd ..\
  C:\>

[ It seems NT interprets '..\' as '..'. Makes sense, as '\' is the
  directory delimiter character for paths. ]

  C:\TEMP> cd ...\
  C:\>

  C:\> cd TEMP
  C:\TEMP> cd ...\WINNT
  C:\WINNT>

[ Whoa. Now NT interprets '...\' as '..'. Bad. Real bad. ]

  C:\TEMP> mkdir TEST
  C:\TEMP> cd TEST
  C:\TEMP\TEST> cd ...\
  The system cannot find the path specified.

[ Hmm. But it doesn't work in directories more than one deep. ]

  C:\TEMP> cd ..\...\
  C:\>

[ That figures. ]

  C:\TEMP\TEST> cd ..\...
  C:\TEMP> cd ....\
  C:\TEMP>

[ Hmm. Now NT interprets '....\' as '..'. Weird. But wait, it gets
  stranger. ]

  C:\> cd TEMP
  C:\TEMP> cd ....\
  C:\TEMP> cd ....\
  C:\>

[ Huh? The first '....\' is interpreted as '.' and the second as '..'.
  But... ]

  C:\> cd TEMP
  C:\TEMP> cd TEST
  C:\TEMP\TEST> cd ....\
  C:\TEMP\TEST> cd ....\
  The system cannot find the path specified.
  C:\TEMP\TEST> cd ..
  C:\TEMP\TEST> cd ..
  C:\TEMP>

[ Now in a directory two levels deep the first '....\' is interpreted as
  '..' while the second one gives an error. The first '..' is interpreted
  as '.' while the second one works as normal. ]

  C:\TEMP> cd ....\
  C:\TEMP> cd TEST
  The system cannot find the path specified.
  C:\TEMP> cd .
  C:\TEMP> cd TEST
  C:\TEMP\TEST>

[ It seems that '....\' also breaks trying to cd to subdirectories. ]

The '....\' problem seems to appear for any such string with N+4 dots
followed by a slash. I can only guess at the many other ways they may try
to interpret pathnames.

--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

---------------------------------------------------------------------------
Date: Fri, 22 Jan 1999 18:46:53 -0000
From: Ian O'Friel
To: BUGTRAQ@netspace.org
Subject: Re: Personal Web Server

I'm not sure if this point has been raised before now, but with the recent
issues about /....../ and so on, shares are accessible via Personal Web
Server. For example, I tried sharing my WinZip directory as 'Test' and,
strangely enough, http://127.0.0.1/Test/ brought up the WinZip directory.

Does anyone know of problems caused by this?

Ian O'Friel
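Added example, not part of the Bugtraq thread above and not code from PWS, IIS or FrontPage: a small Python model of the mechanism Victor Lavrenko and Aleph One describe, where a component made only of dots walks up more than one directory on Windows 9x while the server's filter only rejects a literal "..". The resolution rule used here is an assumption drawn from the posts (Lavrenko: "cd ..." reaches the grandparent; Aleph One: "......" is "..\..\.."): a run of n dots, n >= 2, is treated as n-1 parent steps. The posts do not agree on every count, so the exact number is illustrative; what matters is that any dots-only component escapes a check that only looks for "..". The web root C:\WebShare\wwwroot, the function names, and the log lines are all constructed for the example. The last function shows the detection side: flagging dot-run requests in ordinary access-log lines.

```python
import re

# Assumed document root, for illustration only (not taken from the thread).
WEBROOT = ("C:", "WebShare", "wwwroot")


def win9x_resolve(root, url_path):
    """Resolve url_path against root under the assumed Win9x dot-run rule:
    a component of n dots (n >= 2) moves up n-1 levels. Never pops the
    drive letter, so the result is at worst the drive root."""
    parts = list(root)
    for comp in url_path.split("/"):
        if comp in ("", "."):
            continue
        if set(comp) == {"."}:
            ups = len(comp) - 1          # "..": 1 up, "...": 2 up, "......": 5 up
            for _ in range(ups):
                if len(parts) > 1:
                    parts.pop()
            continue
        parts.append(comp)
    return tuple(parts)


def naive_check(root, url_path):
    """The filter the thread says PWS/IIS apply: reject only a literal '..'
    component. Dots-only components of other lengths sail through."""
    return all(comp != ".." for comp in url_path.split("/"))


def hardened_check(root, url_path):
    """Reject every dots-only component except '.', then confirm that the
    resolved path still starts with the web root. Both checks matter: the
    first catches aliases the resolver may not model, the second catches
    anything else that escapes the root."""
    for comp in url_path.split("/"):
        if comp not in ("", ".") and set(comp) == {"."}:
            return False
    resolved = win9x_resolve(root, url_path)
    return resolved[: len(root)] == tuple(root)


def serve(root, url_path, check):
    """Return the resolved path components the server would open if the
    given check allows the request, or None if it is refused."""
    if not check(root, url_path):
        return None
    return win9x_resolve(root, url_path)


# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jan/1999:10:21:24 -0800] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.9 - - [19/Jan/1999:10:22:01 -0800] "GET /....../ HTTP/1.0" 200 2048',
    '10.0.0.9 - - [19/Jan/1999:10:22:09 -0800] "GET /..../AUTOEXEC.BAT HTTP/1.0" 200 160',
    '10.0.0.7 - - [19/Jan/1999:10:23:40 -0800] "GET /docs/../index.html HTTP/1.0" 404 0',
]

REQUEST_PATH = re.compile(r'"(?:GET|POST|HEAD) (\S+)')
DOT_RUN = re.compile(r"(?:^|/)\.{3,}(?:/|$)")   # a path component of 3+ dots


def flag_dot_runs(lines):
    """Return the request paths whose components contain a run of three or
    more dots, i.e. the aliases a '..'-only filter would miss."""
    hits = []
    for line in lines:
        m = REQUEST_PATH.search(line)
        if m and DOT_RUN.search(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    for path in ("/index.html", "/....../", "/..../AUTOEXEC.BAT"):
        print(path, "naive ->", serve(WEBROOT, path, naive_check),
              "hardened ->", serve(WEBROOT, path, hardened_check))
    print("flagged:", flag_dot_runs(SAMPLE_LOG))
```

Under the naive filter, "/....../" resolves to the drive root, which is exactly the "Index of /....../" listing kiborg reports; the hardened filter refuses it before any path resolution happens. The log scanner is deliberately stricter than the resolver model: it flags any three-or-more-dot component regardless of how a given Windows version would interpret it.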