NT SECURITY NEWS  8/3/99


NT SECURITY - ASP Bypasses IIS Settings

ASP Bypasses IIS Settings
Reported May 13, 1999 by Toby Gramm

VERSIONS AFFECTED
  • IIS Web Servers with ASP support

DESCRIPTION

IIS employs a technology known as Active Server Pages (ASP). The ASP technology allows programmatic control over various aspects of a Web user interface, and supports various programming languages including VBScript and Perl.

IIS has a security feature that allows a Webmaster to set a given directory as non-browseable -- that is to say, a Web surfer cannot browse the contents of a directory that has been set to disallow browsing. And in theory, a user should not be able to navigate outside of a given Web site.

However, using some relatively simple code, an ASP program could easily browse any directory, and even navigate outside of the Web root, accessing any directory on any file system that has been set to allow the Everyone group Read access. Under those same circumstances, with a bit more code, a user could easily copy any file and download it to their local hard drive.

As an example, the %SYSTEMROOT%\Repair directory is set by default to allow the Everyone group Read and Execute access, thereby exposing sensitive files, such as the SAM._ file, to an intruder's whim via the IIS Web server.

This risk has serious implications for IIS-based Web sites that routinely allow ASP code to be placed on their systems -- especially Web hosting companies. To complicate matters, certain third-party tools encrypt ASP program files so that they may only be executed and not be viewed in clear text, thus making discovery of such code hard to achieve.

THIS RISK HAS BEEN REPORTED IN DIFFERING VARIATIONS IN THE PAST. We're posting it in order that people become more aware of the implications.

DEMONSTRATION

This CODE will display any directory on any file system that allows Read access to the Everyone group or the IUSR_MACHINENAME account. This demo code does not provide the mechanism to perform actual file copying or file viewing -- however, adding such code is a trivial matter for a semi-knowledgeable programmer.

VENDOR COMMENTS  

Microsoft has been informed of this issue.

As noted in the past by various sources, the FileSystemObject on IIS is dangerous if the file system permissions are left too loose.

As always, audit your file system and ensure that any sensitive directories and files do not allow the Everyone group Read access. And if multiple Web sites are hosted by the same IIS installation, strongly consider running each site under a different user account to limit their exposure across different virtual Web sites.
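
One way to carry out the file system audit recommended above, as an added PowerShell example that is not part of the original advisory or any vendor guidance. The parameter names, the default root (the Repair directory named in the description) and the IUSR_<computername> account name are assumptions to adjust for the server being checked.

```powershell
# Added example (not from the advisory): list Allow ACEs that give the Everyone
# group or the IIS anonymous account Read access anywhere under the given roots.
param(
    # Assumption: roots to audit; the advisory names %SYSTEMROOT%\Repair.
    [string[]]$Root = @("$env:SystemRoot\repair"),
    # Assumption: the anonymous account follows the IUSR_MACHINENAME convention.
    [string[]]$Account = @("IUSR_$env:COMPUTERNAME")
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$watch = @{ 'S-1-1-0' = 'Everyone' }   # well-known SID, independent of OS language
foreach ($name in $Account) {
    try {
        $sid = ([System.Security.Principal.NTAccount]$name).Translate($sidType).Value
        $watch[$sid] = $name
    } catch {
        Write-Warning "Account '$name' could not be resolved; skipping it"
    }
}

# Specific read bit (ReadData = ListDirectory) plus the generic bits an ACE may carry.
$readData    = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$genericRead = [int]::MinValue      # GENERIC_READ (0x80000000) as a signed Int32
$genericAll  = 0x10000000           # GENERIC_ALL
$readMask    = $readData -bor $genericRead -bor $genericAll
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

foreach ($r in $Root) {
    $items = @(Get-Item -LiteralPath $r -Force -ErrorAction SilentlyContinue) +
             @(Get-ChildItem -LiteralPath $r -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }
        # Ask for SIDs rather than names so the comparison does not depend on locale.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -ne 'Allow' -or -not $watch.ContainsKey($sid)) { continue }
            if ($ace.PropagationFlags -band $inheritOnly) { continue }  # applies to children only
            if (([int]$ace.FileSystemRights -band $readMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $watch[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
```

Each row returned is a path that ASP code running as the anonymous account could read; entries with Inherited set to False are where the grant is defined and where the permission should be tightened.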

CREDITS
Reported by
Toby Gramm - http://www.techfools.com/code/dir
Posted here at The NT Shop on May 13, 1999


Copyright (c) 1995-1999, M.E. - ALL RIGHTS RESERVED
Unauthorized duplication expressly prohibited
LINK TO THIS PAGE INSTEAD OF VIOLATING OUR COPYRIGHT