COMMAND
IIS
SYSTEMS AFFECTED
MS IIS 4 & 5
PROBLEM
Ramses Rodenburg found the following. He recently confirmed some
rather severe misbehaviour of the FTP service in IIS4/NT4SP6a
_and_ IIS5/W2K-Server (IIS 3 might well be affected too).
The bug effectively renders useless all means of access control
on any physical path from a drive's root directory down to where
IIS first needs to physically access a directory with 'NTFS
Execute' permissions.
Take, for instance, the following scenario:
<FTProot> (homedir for FTP site)
|--user1 (virtual homedir for user1)
|  |--webroot1 (virtualized UNC share)
|  |--webroot2 (virtual dir to C:\TEMP)
|  `--webroot3 (physical dir _under_ 'user1')
`--user2 (virtual homedir for user2)
   `--webroot1 (virtualized UNC share)
When user2 logs on to the FTP server, it has to have at least (X)
permissions on the ftproot in order to be able to CD into it. IIS
notices the presence of a virtdir called 'user2' and CDs into it.
Of course, the physical dirs to which 'user1' and 'user2' point
have NTFS permissions set to only allow their respective owners
Full Control.
Now consider a somewhat smart user2, who deduces that there must
be another user called 'user1'. User2 tries a 'cd /user1'. As
expected, by NTFS permissions, user2 is denied access to user1's
homedir. User2 doesn't let go that easily and tries some more with
a 'cd /user1/webroot1', this being the logical deduction from the
presence of a directory called 'webroot1' in user2's own
homedir. User2 gets a nice '250 CWD command successful' on this
one - WITH full necessary permissions to modify whatever content
is available there, as all the right account info was entered in
the MMC password box for the virtualized UNC share!!! He gets
whatever permissions are given to the groups in which he is a
member. This could include any or all of EVERYONE, Users,
NETWORK, and INTERACTIVE depending on how the machines are set up.
Everything user2 has done so far is completely normal and
everything up to now behaves completely as expected, including
the ability of user2 to access '/user1/webroot1', because no ACLs
can be set on virtual directories whatsoever.
The 'hack' (as far as this qualifies as one) continues; user2
does a 'cd /user1/webroot2' to see what else is available. Again,
regardless of the NTFS permissions on the real directory behind
/user1, only the ACLs on the physical directory called 'webroot2'
are examined. If there is an 'Everyone:F' ACL on it (and, unless
it has been reduced to 'Everyone:C', there usually is), user2 can
do everything thinkable. Weird situation here: 'cd ..' fails with
an 'Access denied' message :c).
Now here's the punchline: user2, like having a walk in the park,
gives 'cd /user1/webroot3' a try. Not to user2's surprise,
access is granted, which, from my point of view, is pretty
bizarre. One would think IIS has to be able to enumerate the
physical directory behind '/user1' in order to even verify the
presence of 'webroot3/', let alone be able to CWD into it!
It should _NOT_ be possible to CD through (=NTFS execute) a
directory one does not have permissions for. Hence, this is
a _severe_ bug in IIS.
Below is a communications log in which an FTP login is done by the
user 'user2'. User2 does not have permissions to access the
directory 'user1'. Nevertheless, the user IS allowed to change
directory to the directories 'user1/webroot[123]'.
Connecting to 192.168.0.134, Port 21 (#1)
Connected. Waiting for response.
220 ftptester Microsoft FTP Service (Version 5.0).
USER user2
331 Password required for user2.
PASS xxxxxx
230 User user2 logged in.
SYST
215 Windows_NT version 5.0
REST 100
350 Restarting at 100.
REST 0
350 Restarting at 0.
PWD
257 "/user2" is current directory.
TYPE A
200 Type set to A.
PORT 192,168,0,16,12,32
200 PORT command successful.
LIST
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
Transfer done: 46 bytes in 0.000 secs (46.00 k/sec)
CWD ../user1/webroot2
250 CWD command successful
PWD
257 "/user1/webroot2" is current directory.
CWD ..
550 ..: Access is denied.
CWD ../..
250 CWD command successful.
CWD user1
550 user1: Access is denied.
CWD user1/webroot2
250 CWD command successful.
CWD ../../user1/webroot2
250 CWD command successful.
CWD ../..
250 CWD command successful.
PWD
257 "/" is current directory.
TYPE A
200 Type set to A.
PORT 192,168,0,16,12,32
200 PORT command successful.
LIST
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
Transfer done: 0 bytes in 0.000 secs (0.00 k/sec)
CWD /user1
550 /user1: Access is denied.
PWD
257 "/" is current directory.
CWD /user1/webroot1
250 CWD command successful.
PWD
257 "/user1/webroot1" is current directory.
TYPE A
200 Type set to A.
PORT 192,168,0,16,12,37
200 PORT command successful.
LIST
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
Transfer done: 149 bytes in 0.120 secs (1.24 k/sec)
...
...
...
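The session above is the kind of evidence a defender can look for in FTP control-channel logs: a client that is refused one directory and then lands in a directory underneath it. The following Python script is an added example, not part of the advisory; it replays the commands and replies, tracks the working directory from the server's own PWD and CWD replies, and reports every successful CWD whose target lies below a path the same session was refused. The sample log is a constructed copy of the relevant lines from the session above, with the client-side chatter removed.

```python
"""Replay an FTP control-channel log and flag directory changes that succeed
beneath a directory the same session was refused, which is the symptom the
advisory describes. Added illustration, not part of the advisory."""
import posixpath
import re
from typing import List, Optional, Tuple

# Constructed sample: the relevant commands and replies from the session
# reproduced in the advisory, client-side chatter removed.
SAMPLE_LOG = """\
230 User user2 logged in.
PWD
257 "/user2" is current directory.
CWD ../user1/webroot2
250 CWD command successful
CWD ..
550 ..: Access is denied.
CWD ../..
250 CWD command successful.
CWD user1
550 user1: Access is denied.
CWD user1/webroot2
250 CWD command successful.
CWD ../../user1/webroot2
250 CWD command successful.
CWD ../..
250 CWD command successful.
CWD /user1
550 /user1: Access is denied.
CWD /user1/webroot1
250 CWD command successful.
"""

CMD_RE = re.compile(r"^([A-Z]{3,4})(?:\s+(.*))?$")   # client command lines
REPLY_RE = re.compile(r"^(\d{3})[ -]")                # server reply lines
PWD_RE = re.compile(r'^257 "([^"]*)"')                # PWD reply carrying the cwd


def resolve(cwd: str, arg: str) -> str:
    """Resolve a CWD argument against the current directory, POSIX style."""
    target = arg if arg.startswith("/") else posixpath.join(cwd, arg)
    return posixpath.normpath(target)


def replay(log: str) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Walk the log, tracking the working directory from the server's replies.

    Returns (denied, allowed): lists of (raw CWD line, absolute path it
    resolved to) for refused (5xx) and successful (2xx) CWD commands.
    """
    cwd = "/"
    pending: Optional[Tuple[str, str]] = None   # last CWD awaiting its reply
    denied: List[Tuple[str, str]] = []
    allowed: List[Tuple[str, str]] = []
    for line in log.splitlines():
        line = line.strip()
        cm = CMD_RE.match(line)
        if cm:
            if cm.group(1) == "CWD":
                pending = (line, resolve(cwd, (cm.group(2) or "").strip()))
            continue
        rm = REPLY_RE.match(line)
        if not rm:
            continue                      # e.g. "Transfer done: ..." from the client
        pm = PWD_RE.match(line)
        if pm:
            cwd = posixpath.normpath(pm.group(1))   # trust the server's own view
        elif pending is not None:
            code = rm.group(1)
            if code.startswith("2"):
                allowed.append(pending)
                cwd = pending[1]
            elif code.startswith("5"):
                denied.append(pending)
            pending = None
    return denied, allowed


def find_traversals(log: str) -> List[Tuple[str, str, str]]:
    """Return (command, path reached, refused ancestor) for every successful
    CWD into a directory at or below one the session was refused."""
    denied, allowed = replay(log)
    refused = {path for _, path in denied if path != "/"}
    findings: List[Tuple[str, str, str]] = []
    for raw, path in allowed:
        # longest refused path first, so the closest ancestor is reported
        for d in sorted(refused, key=len, reverse=True):
            if path == d or path.startswith(d + "/"):
                findings.append((raw, path, d))
                break
    return findings


if __name__ == "__main__":
    for raw, path, parent in find_traversals(SAMPLE_LOG):
        print(f"{raw!r:35} reached {path} although {parent} was refused")
```

The check is deliberately two-pass (collect every refusal first, then compare all successes against them), so the very first 'CWD ../user1/webroot2' is reported as well even though the refusal of '/user1' only shows up later in the session.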
SOLUTION
Removing the 'Bypass Traverse Checking' user right will fix it. To
be sure, you'll probably have to reboot the machine though.
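To make clear why removing that right helps, and which of the three directories it actually affects, here is a small Python model (an added illustration written for this page, not IIS code) of how the FTP virtual path is mapped to a physical directory and how NTFS traverse checking then decides access. The virtual-directory table, the physical paths (C:\ftproot, C:\TEMP) and the share names are assumptions chosen to match the advisory's scenario, ACLs are reduced to "which principals hold at least traverse (X)", and user2 is modelled as a member of Everyone only. It goes one step beyond the text by running every case with and without the right: with it, only the final directory's ACL is consulted and '/user1/webroot3' opens; without it, the ACL on the physical 'user1' directory blocks the path. 'webroot1' and 'webroot2' remain reachable either way, since their physical locations never pass through 'user1', which is exactly the "no ACLs on virtual directories" point the advisory makes.

```python
"""Model of how an FTP virtual path is mapped to a physical directory and how
NTFS traverse checking then decides access, with and without the 'Bypass
Traverse Checking' right. Added, simplified illustration; not IIS code."""
from typing import Dict, List, Set

# Virtual-directory table for the advisory's scenario. The physical paths and
# share names are assumptions chosen for the example.
VIRTUAL_DIRS: Dict[str, str] = {
    "/": "C:\\ftproot",
    "/user1": "C:\\ftproot\\user1",                 # physical dir under ftproot
    "/user1/webroot1": "\\\\fileserver\\share1",    # virtualized UNC share
    "/user1/webroot2": "C:\\TEMP",                  # virtual dir to C:\TEMP
    "/user2": "C:\\ftproot\\user2",
    "/user2/webroot1": "\\\\fileserver\\share2",
}

# Per-directory ACL reduced to one question: which principals hold at least
# traverse (X) on it. Constructed to match the advisory: only the owner on
# each homedir, 'Everyone' elsewhere.
ACLS: Dict[str, Set[str]] = {
    "C:\\": {"Everyone"},
    "C:\\ftproot": {"Everyone"},
    "C:\\ftproot\\user1": {"user1"},
    "C:\\ftproot\\user1\\webroot3": {"Everyone"},   # webroot3 is physical under user1
    "C:\\ftproot\\user2": {"user2"},
    "C:\\TEMP": {"Everyone"},
    "\\\\fileserver\\share1": {"Everyone"},
    "\\\\fileserver\\share2": {"Everyone"},
}


def resolve(ftp_path: str) -> str:
    """Map an FTP path to a physical path via the longest matching virtual dir."""
    matches = [v for v in VIRTUAL_DIRS
               if ftp_path == v or ftp_path.startswith(v.rstrip("/") + "/")]
    base = max(matches, key=len)
    rest = ftp_path[len(base):].strip("/")
    phys = VIRTUAL_DIRS[base]
    return phys + "\\" + rest.replace("/", "\\") if rest else phys


def ancestors(phys: str) -> List[str]:
    """Every directory on the way to `phys`, root first and `phys` last."""
    if phys.startswith("\\\\"):                 # UNC: \\server\share is the root
        parts = phys[2:].split("\\")
        root, rest = "\\\\" + "\\".join(parts[:2]), parts[2:]
    else:                                       # drive letter: C:\ is the root
        parts = phys.split("\\")
        root, rest = parts[0] + "\\", parts[1:]
    chain = [root]
    for name in rest:
        chain.append(chain[-1].rstrip("\\") + "\\" + name)
    return chain


def can_cwd(user: str, groups: Set[str], ftp_path: str,
            bypass_traverse: bool) -> bool:
    """Whether `user` may CWD to `ftp_path`.

    With 'Bypass Traverse Checking' only the final directory's ACL matters;
    without it every directory on the physical path must grant traverse.
    """
    principals = {user} | groups
    chain = ancestors(resolve(ftp_path))
    to_check = chain[-1:] if bypass_traverse else chain
    return all(bool(ACLS.get(d, set()) & principals) for d in to_check)


if __name__ == "__main__":
    for path in ("/user1", "/user1/webroot1", "/user1/webroot2", "/user1/webroot3"):
        with_right = can_cwd("user2", {"Everyone"}, path, True)
        without = can_cwd("user2", {"Everyone"}, path, False)
        print(f"{path:16} -> {resolve(path):30} "
              f"bypass: {'250' if with_right else '550'}  "
              f"no bypass: {'250' if without else '550'}")
```

The practical consequence the model makes visible: the user right fixes the walk through a physical parent directory (webroot3), but content behind virtual directories (webroot1, webroot2) is protected only by the ACLs on their own physical locations, so those ACLs have to be right on their own.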