COMMAND

    asp

SYSTEMS AFFECTED

    Win NT

PROBLEM

    Paul Ashton found the following.  Following on from the last .asp
    vulnerability, which applied to URLs ending in spaces, and the
    previous one that allowed .asp files to be read if the URL ends in
    ".", it turns out that there is yet another, due to alternate data
    streams.

    The unnamed data stream is normally accessed using the filename
    itself, with further named streams accessed as filename:stream.
    However, the unnamed data stream can also be accessed using
    filename::$DATA.

    If you open:

        http://somewhere/something.asp::$DATA

    it turns out that you will be presented with the source of the ASP
    instead of the output.  Deja vu?!  It is left as an exercise for
    the reader to think of further implications in other programs
    running on NT.  Obviously, anything that tries to restrict access
    based on filename instead of ACLs is going to have a hard time
    after this and the other recent revelations.  Cold Fusion .CFM
    files are visible also, but when READ is disabled they still
    execute properly, so make sure you consider all forms of
    executables and not just ASPs.  Perl scripts are also vulnerable
    (as they are executing files!).

    Apart from the reported ASP problems, Fred Donck posted another
    way to exploit this which may be just as bad.  Apart from
    http://www.domain.com/xxxx.asp::$DATA, an ASP application may
    also have a http://www.domain.com/global.asa which may contain
    session variables and user-id/password combinations for entering
    databases and the like.  If not patched, this file is also subject
    to the same vulnerabilities.

    Affected Software Versions:

        - Microsoft Internet Information Server versions 1.0, 2.0,
          3.0, 4.0
        - Microsoft Peer Web Server versions 2.0, 3.0
        - Microsoft Personal Web Server version 4.0 on Windows NT 4.0
          Workstation

SOLUTION

    Christoph Wille from Softwing has graciously made available an IIS
    ISAPI filter that will protect a site from the ::$DATA
    vulnerability.  You can find it at:

        http://www.softwing.com/iisdev/ddatafix/

    Several people noted that mapping extensions with "::$DATA"
    appended, i.e. ".asp::$DATA", to the script engine would cause
    such requests to be executed instead of read.  This does work, and
    is faster than removing READ access from all of the files you are
    concerned about.

    Microsoft has posted a hotfix for IIS 3.0 and for IIS 4.0 as well
    as a procedure for a workaround to address the $DATA issue on its
    security web site:

        http://www.microsoft.com/security/bulletins/ms98-003.htm

    Customers who cannot apply the hotfix can use the following
    workaround to temporarily address this issue.  Normally, web users
    do not need "read" access to script files, such as .ASP files.
    They simply need "execute" permissions.  Removing "read" access to
    these files for non-administrative users will remove this
    exposure.  For additional protection, the Application Maps can be
    modified in IIS 4.0 to take into account the existence of the
    alternate data streams.  More details on this workaround are
    available in the Microsoft Knowledge Base article Q188806.
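    As an added example (not part of the advisory, the ISAPI filter or
    Microsoft's hotfix), the following Python checks request paths for
    the three source-disclosure variants described above (trailing
    space, trailing ".", and the ::$DATA stream suffix) and flags log
    lines that use one of them against a script file.  The script
    extension list and the log format are assumptions, and the log
    lines are constructed.

```python
from urllib.parse import unquote

# Assumption: the site's own script types; the advisory names .asp,
# global.asa, Cold Fusion .cfm and Perl scripts.
SCRIPT_EXTENSIONS = {".asp", ".asa", ".cfm", ".pl"}

def bypass_reason(raw_path):
    """Return which of the three IIS source disclosure tricks the last
    path segment uses, or None if it is a plain filename."""
    path = unquote(raw_path).split("?", 1)[0]   # decode %xx once, drop query
    segment = path.rsplit("/", 1)[-1]
    if segment != segment.rstrip(" "):
        return "trailing-space"
    if segment.endswith("."):
        return "trailing-dot"
    if ":" in segment:          # filename:stream or filename::$DATA syntax
        return "ntfs-stream"
    return None

def is_script(raw_path):
    """True if the file NTFS would actually open is a server-side script."""
    segment = unquote(raw_path).split("?", 1)[0].rsplit("/", 1)[-1]
    base = segment.split(":", 1)[0].rstrip(". ")   # strip stream, dot, space
    ext = base[base.rfind("."):].lower() if "." in base else ""
    return ext in SCRIPT_EXTENSIONS

def scan_log(lines):
    """Flag lines (constructed format: time client method path status)
    whose request targets a script through one of the bypasses."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        client, path = fields[1], fields[3]
        reason = bypass_reason(path)
        if reason and is_script(path):
            hits.append((client, path, reason))
    return hits

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
10:01:02 10.0.0.5 GET /default.asp 200
10:01:07 10.0.0.9 GET /orders/list.asp::$DATA 200
10:01:09 10.0.0.9 GET /global.asa::%24DATA 200
10:01:11 10.0.0.9 GET /admin/login.asp. 200
10:01:13 10.0.0.9 GET /report.cfm%20 200
10:01:15 10.0.0.5 GET /images/logo.gif 200
""".splitlines()
```

    Running scan_log(SAMPLE_LOG) returns the four bypass requests from
    10.0.0.9 with their reasons; a 200 status on such a request is the
    signal that the server handed out source rather than executing it.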