<<< Date Index >>>     <<< Thread Index >>>

[ISecAuditors Security Advisories] Microsoft IIS5 NTLM and Basic authentication bypass



=============================================
INTERNET SECURITY AUDITORS ALERT 2006-013
- Original release date: December 15, 2006
- Last revised: May 22, 2007
- Discovered by: Jesus Olmos Gonzalez
- Severity: 5/5
=============================================

I. VULNERABILITY
-------------------------
Microsoft IIS5 NTLM and Basic authentication bypass

II. BACKGROUND
-------------------------
Microsoft Internet Information Server Web Server can protect the
private contents with a basic or NTLM authentication.

Many web pages, intranets and extranets rely on Microsoft security.

IISv5 has a "Hit-highlighting" functionality that opens some site
object and highlights some part of it; that has had a transversal
vulnerability in the past. Now it can be used to bypass the IIS
authentication.

This is poorly documented at KnowledgeBase
http://support.microsoft.com/kb/328832, the real impact is detailed above.

III. DESCRIPTION
-------------------------
Any Internet user can access the private web directories and files of
any IISv5 web, by highlighting it with "Hit-highlighting". To use this
functionality the user has to supply the CiWebhitsfile parameter to
the null.htw object.

The null.htw object has to be accessed from a non-existant directory,
for example http://anyiisweb.com/foo/null.htw

It is possible to use null.htw or other object specified at the
CiTemplate template.

IV. PROOF OF CONCEPT
-------------------------
https://anyiis5.com/authBypass/null.htw?CiWebhitsfile=/protectedfile.aspx&CiRestriction=b&CiHiliteType=full
https://anyiis5.com/authBypass/null.htw?CiWebhitsfile=/some/secretfile.txt&CiRestriction=b&CiHiliteType=full

V. BUSINESS IMPACT
-------------------------
The impact depends on the web contents. Attackers could gain access to
all protected documents, and ASP code.

When an attacker accesses a trusted zone, the probability to get
command execution is higher.

VI. SYSTEMS AFFECTED
-------------------------
Internet Information Services Version 5, any Service Pack.

VII. SOLUTION
-------------------------
Protect the files from the NTFS filesystem instead of relying on the
IIS protection.

Microsoft recommends not to use IISv5 and update to IISv6.

VIII. REFERENCES
-------------------------
http://support.microsoft.com/kb/328832

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com)

X. REVISION HISTORY
-------------------------
December  15, 2006: Initial release
March     19, 2007: Latest revision
March     27, 2007: First notification to the vendor.
                    Response: under revision.
April     11, 2007: The vendor considers little changes in their KB.
April     12, 2007: We accept it and propose add comments about the
                    severity of the problem. Rejected by vendor.
May       21, 2007: Published. As the publish information is
                    considered really not detailed.

XI. DISCLOSURE TIMELINE
-------------------------
December  15, 2006: Vulnerability acquired by
                    Jesus Olmos Gonzalez (Internet Security Auditors)

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors, S.L. accepts no responsibility for any
damage caused by the use or misuse of this information.