COMMAND
IDQ
SYSTEMS AFFECTED
Microsoft Windows NT 4 running Internet Information Server 3 or 4
PROBLEM
David Litchfield found the following. Any web site running Internet
Information Server 3 or 4 and using Internet Data Query files to
provide search functionality on the site may be exposed. IIS also
comes with some sample IDQ scripts that are vulnerable, so any
website with these sample files left on it is at risk. Using these
IDQ scripts, or even custom scripts, it is possible to break outside
of the web virtual root and gain unauthorized access to files, such
as log files and, in certain cases, the backup version of the
Security Accounts Manager (sam._).
It does require that the attacker know the path to the file, that
the file be on the same logical disk drive as the IDQ file, and
that the ACL allow read access to the anonymous Internet account
or the Everyone/Guests group.
The extent of this security hole depends upon whether the recent
"webhits" patch has been installed. See
http://www.microsoft.com/technet/security/bulletin/ms00-006.asp
If the patch has been installed there is still a vulnerability -
however, those that have not installed this patch are most at
risk. Microsoft are re-releasing this advisory and the updated
patch. Please note that Windows 2000 does not seem to be
vulnerable to this. Cerberus' vulnerability scanner, CIS, has
now been updated to check for this issue. For those that already
have a copy of the scanner you can download the updated module
from
http://www.cerberus-infosec.co.uk/webscan.dll
Those who do not yet have the scanner can obtain a copy by going to
http://www.cerberus-infosec.co.uk/ and following the Cerberus
Internet Scanner link on the front page.
If the "webhits" patch HAS NOT been installed
=============================================
Any idq file that resolves remote user input for any part of the
template file is dangerous. eg:
CiTemplate = %TemplateName%
The ISAPI application that deals with IDQ queries is idq.dll and
it will follow double dots in paths to template files, meaning an
attacker can break out of the web root. If the idq file appends
.htx to the CiTemplate eg:
CiTemplate=/iissamples/issamples/%TemplateName%.htx
some may think this will limit attackers to viewing only .htx
files. Not so. Quoting from the Index Server documentation
(/iishelp/ix/htm/ixidqhlp.htm), "Index Server does not support
physical paths longer than the Windows NT shell limit (260
characters)." Because of this limit it is possible to append many
spaces to the name of the file to be read, pushing the appended
.htx beyond the end of the buffer, so that the file itself is
served back.
IDQ files known to be at risk in one way or another:
prxdocs/misc/prxrch.idq
iissamples/issamples/query.idq
iissamples/exair/Search/search.idq
iissamples/exair/Search/query.idq
iissamples/issamples/fastq.idq
There may be more.
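The two request patterns described above (a parent-directory
reference in the template parameter, and a template parameter padded
with a long run of spaces) are both visible in the web server log.
The following is an added example, not code from the advisory or
from Cerberus, that scans W3C extended log lines for them. It assumes
the field order shown in the FIELDS list and the two thresholds
marked as assumptions; the log lines are constructed for the example.

```python
# Added example (not part of the advisory): flag IDQ requests in an IIS log
# that carry either a parent-directory ("..") reference or a long run of
# padding spaces in a query parameter. Assumptions: W3C extended log lines
# in the field order below, and that legitimate parameter values on this
# site are short; both thresholds are site-specific choices.
from urllib.parse import parse_qs

FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem",
          "cs-uri-query", "sc-status"]
MAX_VALUE_LEN = 128   # assumption: no legitimate parameter value is this long
MIN_PADDING = 8       # assumption: trailing run of spaces worth flagging


def parse_line(line: str):
    """Split one log line into a dict, or return None if the field count is off."""
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def analyze_request(stem: str, query: str) -> list:
    """Return the reasons a request to an .idq file looks like an attempt to
    steer CiTemplate outside the web root; an empty list for anything else."""
    reasons = []
    if not stem.lower().endswith(".idq"):
        return reasons
    # The IDQ file decides which parameter feeds CiTemplate, so every
    # parameter is checked rather than only TemplateName.
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:           # parse_qs has already decoded %2F and %20
            if ".." in value:
                reasons.append(f"{name}: parent-directory reference")
            trailing = len(value) - len(value.rstrip(" "))
            if len(value) > MAX_VALUE_LEN or trailing >= MIN_PADDING:
                reasons.append(f"{name}: oversized or space-padded value")
    return reasons


def scan_log(lines) -> list:
    """Return (client ip, uri stem, reasons) for each suspicious request."""
    hits = []
    for line in lines:
        if line.startswith("#"):       # W3C directive lines such as #Fields:
            continue
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = analyze_request(rec["cs-uri-stem"], rec["cs-uri-query"])
        if reasons:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], reasons))
    return hits


# Constructed log lines for the example; the .77 client shows both patterns.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2000-03-01 10:00:01 192.0.2.10 GET /iissamples/issamples/query.idq "
    "CiRestriction=budget&TemplateName=results 200",
    "2000-03-01 10:00:05 192.0.2.77 GET /iissamples/issamples/query.idq "
    "CiRestriction=x&TemplateName=..%2F..%2Fexample.log 200",
    "2000-03-01 10:00:09 192.0.2.77 GET /iissamples/issamples/query.idq "
    "CiRestriction=x&TemplateName=example.log" + "%20" * 40 + " 200",
    "2000-03-01 10:00:12 192.0.2.20 GET /default.htm - 200",
]

if __name__ == "__main__":
    for ip, stem, reasons in scan_log(SAMPLE_LOG):
        print(ip, stem, "; ".join(reasons))
```

Because every parameter of an .idq request is examined, a genuine
search term containing ".." will also be reported; on a busy site the
check can be narrowed to the parameter names that the site's own IDQ
files actually place in CiTemplate.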
If the "webhits" patch HAS been installed
=========================================
Machines that have had the patch installed will only be vulnerable
if the IDQ file does not specify a .htx extension, e.g.:
CiTemplate = %TemplateName%
and
CiTemplate = /somedir/otherdir/%TemplateName%
are vulnerable whereas
CiTemplate = /somedir/otherdir/%TemplateName%.htx
is not vulnerable.
SOLUTION
Review your IDQ files to determine if you are at risk. If so edit
them and use hardcoded template files. eg
CiTemplate=%TemplateName%
to
CiTemplate=/your-virtual-directory/your-htx-file.htx
and then edit your search form to reflect this change. Remove any
sample files from the system - not just idq files. Apply the
updated patch.
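The review of IDQ files can be done mechanically. The following is an
added example, not Cerberus' or Microsoft's code, that walks a web
root, finds every CiTemplate directive whose path is built from a
%Name% token, and applies the rules given in this advisory: a
hardcoded path is safe, a variable path with no .htx suffix is
vulnerable regardless of the patch, and a variable path with a .htx
suffix is vulnerable only while the "webhits" patch is missing. It
assumes IDQ files are plain Key=Value text with "#" comment lines;
the three sample files are constructed for the example.

```python
# Added example (not part of the advisory): audit IDQ files for CiTemplate
# directives that resolve the template path from request input.
# Assumptions: IDQ files are plain "Key=Value" text, lines starting with "#"
# are comments, and a %Name% token in the value means the path is filled in
# from the query string, as in the advisory's examples.
import re
from pathlib import Path

TEMPLATE_RE = re.compile(r"^\s*CiTemplate\s*=\s*(.*?)\s*$", re.IGNORECASE)
VARIABLE_RE = re.compile(r"%[^%\s]+%")


def classify_template(value: str, webhits_patched: bool) -> str:
    """Classify one CiTemplate value.

    'safe'               - hardcoded path, nothing for a client to influence
    'vulnerable'         - variable path, exploitable on this host
    'mitigated-by-patch' - variable path with a fixed .htx suffix, blocked
                           by the webhits patch but still worth hardcoding
    """
    if not VARIABLE_RE.search(value):
        return "safe"
    if value.lower().endswith(".htx"):
        # Without the patch the suffix can be pushed past the 260-character
        # path limit, so it is no barrier at all on an unpatched host.
        return "mitigated-by-patch" if webhits_patched else "vulnerable"
    return "vulnerable"


def audit_idq_text(text: str, webhits_patched: bool) -> list:
    """Return (line_number, value, verdict) for every CiTemplate not hardcoded."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = TEMPLATE_RE.match(line)
        if not m:
            continue
        value = m.group(1)
        verdict = classify_template(value, webhits_patched)
        if verdict != "safe":
            findings.append((lineno, value, verdict))
    return findings


def audit_tree(root: str, webhits_patched: bool) -> dict:
    """Audit every *.idq file below a web root on disk; keyed by path."""
    report = {}
    for path in Path(root).rglob("*.idq"):
        findings = audit_idq_text(path.read_text(errors="replace"), webhits_patched)
        if findings:
            report[str(path)] = findings
    return report


# Constructed sample files modelled on the advisory's CiTemplate examples.
SAMPLE_FILES = {
    "query.idq": (
        "# constructed sample search query file\n"
        "[Query]\n"
        "CiColumns=filename,size,rank,vpath,DocTitle,write\n"
        "CiRestriction=%CiRestriction%\n"
        "CiScope=/\n"
        "CiTemplate=/iissamples/issamples/%TemplateName%.htx\n"
    ),
    "custom.idq": (
        "[Query]\n"
        "CiRestriction=%CiRestriction%\n"
        "CiTemplate = %TemplateName%\n"
    ),
    "fixed.idq": (
        "[Query]\n"
        "CiRestriction=%CiRestriction%\n"
        "CiTemplate=/your-virtual-directory/your-htx-file.htx\n"
    ),
}


def audit_samples(webhits_patched: bool) -> dict:
    """Run the audit over the constructed samples instead of a disk tree."""
    return {name: audit_idq_text(text, webhits_patched)
            for name, text in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for patched in (False, True):
        print(f"webhits patch installed: {patched}")
        for name, findings in audit_samples(patched).items():
            for lineno, value, verdict in findings:
                print(f"  {name}:{lineno}: CiTemplate={value!r} -> {verdict}")
```

Only CiTemplate is examined; %CiRestriction% and other query
variables are normal in an IDQ file and are left alone. Running
audit_tree over the real web root with webhits_patched set to match
the host gives the list of files to edit before the sample directories
are removed.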