lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAFB=mGB4x99YF_-mQtkUNPx_HzjLa6-0K3xw9VYFxFim_6uAww@mail.gmail.com>
Date: Tue, 17 Jul 2012 16:11:14 +0200
From: king cope <isowarez.isowarez.isowarez@...glemail.com>
To: Jan Reilink <janreilink@...ida.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Unpatched IIS Vulnerabilities / Microsoft
 July Security Bulletin

Hello Jan,
I did some additional tests for the IIS bugs.

* IIS 6.0 PHP authentication bypass is only possible on Windows Server
2003 SP1. SP2 seems unaffected
  So take that bug as resolved, my mistake as I didn't have a fully
patched system online when testing.

* For the IIS Classic ASP authentication bypass follow the following
steps to reproduce it:
	* Install .NET Framework 4.0
	* Configure the Application pools to use .NET Framework 4
	* Create a folder for the current website and put an ASP file inside the folder
	* disabled anonymous authentication on that folder and activate one
of the authentication types other than form based authentication
	* open the handler mappings in the current website pane, set ASP
classic file type to unspecified.
		This is important and I had omitted it in the past advisory. It took
me some time to find out that
		"Invoke handler only if request is mapped to" must be unchecked in
the handler mappings for ASP Classic
	* Use Google Chrome or Mozilla Firefox for testing as a client, IE9
will somehow deny the request.
	* Request http://<host>/<securefolder>::$INDEX_ALLOCATION/<aspfile>.asp
If you follow these configuration settings you will see the asp file
being executed without supplying credentials, even on Windows Server
2008 installations.
You can see this illustrated in the attachment i created.

Now to the ASP .NET source code disclosure...
Thanks for the workarounds using Rewrite engines.
I want to mention that the lines:
 <add input="{URL}" pattern="^/(.*\.aspx)/(.*\.php)$" />

 RewriteCond %{REQUEST_URI} ^/(.*\.aspx)/(.*\.php)$ [NC]
for the rewrite engine are insufficient, because other extensions can
be affected too, like .cs for example.

Sorry for not clarifying correctly what the setup has to be for the
bugs to show up in the first place.

Have a nice day,

Kingcope

2012/7/17 Jan Reilink <janreilink@...ida.com>:
> [Hope this doesn't get double posted, removed bugtraq@...urityfocus.com]
>
> Hi,
>
> Op 16-7-2012 19:24, king cope schreef:
>> Hi Lists,
>
> [...]
>> The posting included some important bugs in the Internet Information
>> Services, one of their
>> flagship products:
>> http://seclists.org/fulldisclosure/2012/Jun/189
>>
>
> Nice find. Somehow I missed your e-mail from the 10th of June...
>
> Anyway, a proper configured IIS web server has its Request Restrictions
> (resourceType) set to 'File' in the PHP handler. Having this not
> configured, it can give you some nasty error messages ("No input file
> specified", if the requested file doesn't exist)
>
> If not configured, fix it with appcmd:
>
> appcmd set config /section:system.webServer/handlers
> "-+[name=`'PHP`',path=`'*.php`',verb=`'*`',modules=`'FastCgiModule`',scriptProcessor=`'path\to\php-cgi.exe`',resourceType=`'File`']"
>
> if you're unable to (maybe because you're a user, not an admin), you can
> deny certain URL sequences using IIS URL Rewrite or Helicon ISAPI_Rewrite:
>
> RewriteEngine On
> # DenyPHPafterASPX
> RewriteCond %{REQUEST_URI} ^/(.*\.aspx)/(.*\.php)$ [NC]
> RewriteRule .? / [F,L]
>
> <rewrite>
>   <rules>
>     <rule name="DenyPHPafterASPX" stopProcessing="true">
>       <match url=".?" ignoreCase="false" />
>       <conditions logicalGrouping="MatchAll">
>         <add input="{URL}" pattern="^/(.*\.aspx)/(.*\.php)$" />
>       </conditions>
>       <action type="CustomResponse" url="/" statusCode="403"
> statusReason="Forbidden" statusDescription="Forbidden" />
>     </rule>
>   </rules>
> </rewrite>
>
> these are workarounds, not fixes.
>
> I can't reproduce authentication bypass vulnerabilities you mention.
> Also, there is more than one way to password protect a directory. Did
> you disable 'anonymous authentication' in IIS 6.0/7.5, or did you remove
> or deny IUSR-user NTFS permissions on the file system?
>
> Regards,
>
> Jan Reilink
> VEVIDA Services
> http://vevida.com
>

Download attachment "iis_classicasp_bug.png" of type "image/png" (73048 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ