COMMAND
IIS
SYSTEMS AFFECTED
WinNT with IIS
PROBLEM
Aris Yahnis found the following. He has a system with IIS 4.0
installed plus SP5 and noticed something weird. If a user has on his
page a file misc.lnk which was created on his own (probably NT) box,
and this file points anywhere in the web server's file system, then
when he tries to view the file he will be able to see the contents
of the file the .lnk points to.
Example exploit: find a web hosting site, create a fictitious
account, make a shortcut to a file you would like to see, e.g.
c:\winnt\profiles\administrator\ntuser.dat, upload the .lnk file
to the web server and then request it. Answer yes to open the
file remotely (or something like that).
When you choose yes to open the file, what actually happens is that
it downloads the .lnk file to your hard drive and executes it...
therefore opening the link to the file on YOUR hard drive, and not
on the remote server (unless you have NetBIOS and it could get it
from the remote server that way, depending on whether you have
access or not, bla bla bla). For example, I created a symlink file
called 'mang.lnk', stuck it in my wwwroot and then did a GET request
on it, and it returned the contents of the .lnk file.... when you
click "Open" from within IE/Netscape, it does a GET request on
the file, saves it to your hard drive and runs it. It doesn't
sound too dangerous, but in real secure environments it is something
to avoid.
SOLUTION
The ability to follow links should be a feature that is enabled on
a per-website basis. Of course, the general caveat to the *nix
version of this is that the requested file must be readable by the
web server. So files like /etc/shadow could not be displayed in
most server configurations, but files like /etc/passwd could be.
Maybe the real question is, "Should NT allow the web server to read
files that could cause someone to exploit a security hole?" Or
maybe, "Should those NT administrators allow the user IIS runs
under to view these files?"
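As an added illustration that is not part of the original report, the Python below parses the ShellLinkHeader and LinkInfo structures of a Windows shortcut to recover the local path it names, builds a constructed sample like the misc.lnk above, and lists shortcuts in served content whose target lies outside the site root. The helper names (lnk_target, build_lnk, scan_wwwroot) and the web root C:\InetPub\wwwroot are assumptions for the example; a .lnk served by IIS is only this blob of bytes, and the path inside it is resolved by whichever machine opens it.

```python
import struct

# ShellLinkHeader constants fixed by the MS-SHLLINK format.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO = 0x01, 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01

def lnk_target(data):
    """Return the local target path of a .lnk blob, or None if it is not one."""
    if len(data) < 0x4C or data[:4] != b"\x4c\0\0\0" or data[4:20] != LNK_CLSID:
        return None
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST and len(data) >= pos + 2:   # skip the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINK_INFO or len(data) < pos + 28:
        return None
    _size, _hdr, li_flags, _vol, base_off, _net, suffix_off = struct.unpack_from("<7I", data, pos)
    if not li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None                              # UNC-only shortcut; not handled here
    def cstr(off):                               # NUL-terminated ANSI string inside LinkInfo
        end = data.find(b"\0", pos + off)
        return data[pos + off:end if end >= 0 else len(data)].decode("latin-1")
    return cstr(base_off) + cstr(suffix_off)    # LocalBasePath + CommonPathSuffix

def build_lnk(target):
    """Construct a minimal shortcut pointing at target (constructed test data only)."""
    base, suffix = target.encode("latin-1") + b"\0", b"\0"
    volume_id = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\0"      # DRIVE_FIXED, empty label
    base_off = 0x1C + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<7I", suffix_off + 1, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            0x1C, base_off, 0, suffix_off) + volume_id + base + suffix
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", HAS_LINK_INFO) + b"\0" * 52
    return header + link_info

def scan_wwwroot(files, webroot):
    """List (name, target) for served shortcuts whose target is outside webroot."""
    root = webroot.lower().rstrip("\\") + "\\"
    return [(name, t) for name, t in ((n, lnk_target(b)) for n, b in files.items())
            if t is not None and not t.lower().startswith(root)]

if __name__ == "__main__":
    # Constructed sample: a user's shortcut to the administrator profile sits in wwwroot.
    served = {"misc.lnk": build_lnk("C:\\winnt\\profiles\\administrator\\ntuser.dat"),
              "index.htm": b"<html></html>"}
    for name, target in scan_wwwroot(served, "C:\\InetPub\\wwwroot"):
        print(f"{name} -> {target}")
```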