COMMAND

    wguest.exe

SYSTEMS AFFECTED

    NT with wguest.exe

PROBLEM

    David Litchfield has recently discovered a bug in wguest.exe  that
    can allow any remote attacker to view any text based file on  your
    computer.   wguest.exe  is  a   CGI  script  designed  by   Webcom
    Datakommunikation, a Swedish based  company, that allows users  to
    sign a guestbook.   A search on  Altavista shows 103  servers have
    this program...there are obviously many  more than this.  The  web
    page form  from where  you add  your information  has a  number of
    "hidden" input types. One of these is as follows:

        input type="hidden" name="template"
        value="c:\inetpub\wwwroot\gb\template.htm">

    or

        input type="hidden" name="template" value="/gb/template.htm">

    Template.htm here is the file that will be displayed by wguest.exe
    after the user  has entered his  information.  To  exploit this an
    attacker views the  source and saves  the document to  his desktop
    and edits this line by changing the path to whatever file he wants
    to view, eg.

        input type="hidden" name="template"
        value="c:\winnt\system32\$winnt$.inf">

        [If an unattended install was  done the admin password can  be
        gleaned from this file]

    He then clicks on "Submit"  and then wguest.exe will display  this
    file.  Note sam._ in  the winnt\repair directory cannot be  viewed
    or  downloaded  exploiting  this.   This  was  not tested with pwl
    files.  However the attacker must know the exact path of the  file
    he wishes to view.

SOLUTION

    Remove vulnerable  cgi until  new one  comes out  or use something
    else.