[ISecAuditors Security Advisories] Microsoft IIS5 NTLM and Basic authentication bypass
=============================================
INTERNET SECURITY AUDITORS ALERT 2006-013
- Original release date: December 15, 2006
- Last revised: May 22, 2007
- Discovered by: Jesus Olmos Gonzalez
- Severity: 5/5
=============================================
I. VULNERABILITY
-------------------------
Microsoft IIS5 NTLM and Basic authentication bypass
II. BACKGROUND
-------------------------
Microsoft Internet Information Server Web Server can protect the
private contents with a basic or NTLM authentication.
Many web pages, intranets and extranets rely on Microsoft security.
IISv5 has a "Hit-highlighting" feature that opens a site object and
highlights part of it; this feature has had a traversal vulnerability
in the past. Now it can be used to bypass the IIS authentication.
This is poorly documented in the Microsoft Knowledge Base article at
http://support.microsoft.com/kb/328832; the real impact is detailed below.
III. DESCRIPTION
-------------------------
Any Internet user can access the private web directories and files of
any IISv5 web site by highlighting them with "Hit-highlighting". To use this
functionality the user has to supply the CiWebhitsfile parameter to
the null.htw object.
The null.htw object has to be accessed from a non-existent directory,
for example http://anyiisweb.com/foo/null.htw.
It is possible to use null.htw or any other object specified in the
CiTemplate template.
IV. PROOF OF CONCEPT
-------------------------
https://anyiis5.com/authBypass/null.htw?CiWebhitsfile=/protectedfile.aspx&CiRestriction=b&CiHiliteType=full
https://anyiis5.com/authBypass/null.htw?CiWebhitsfile=/some/secretfile.txt&CiRestriction=b&CiHiliteType=full
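As an added defensive check (example code, not part of this advisory or of ISecAuditors' tooling), the following Python parses constructed IIS W3C-style log lines and flags every request to a .htw object that carries the CiWebhitsfile parameter described above, reporting which file was named and whether the server answered 200. The log field layout and the sample entries are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log lines (not from the advisory). Assumed W3C field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2006-12-15 10:01:02 192.0.2.10 GET /index.asp - 200
2006-12-15 10:01:05 192.0.2.10 GET /protected/report.aspx - 401
2006-12-15 10:01:09 192.0.2.10 GET /foo/null.htw CiWebhitsfile=/protected/report.aspx&CiRestriction=b&CiHiliteType=full 200
2006-12-15 10:02:30 198.51.100.7 GET /search/query.htw CiWebhitsfile=%2Fsome%2Fsecretfile.txt&CiRestriction=b&CiHiliteType=full 200
2006-12-15 10:03:00 203.0.113.5 GET /docs/readme.txt - 200
"""

HTW_RE = re.compile(r"\.htw$", re.IGNORECASE)


def parse_line(line):
    """Split one log line into a record; return None for comments/malformed lines."""
    parts = line.split(" ")
    if len(parts) != 7 or parts[0].startswith("#"):
        return None
    date, time, ip, method, stem, query, status = parts
    return {"date": date, "time": time, "ip": ip, "method": method,
            "stem": stem, "query": "" if query == "-" else query,
            "status": int(status)}


def hit_highlight_target(rec):
    """Return the file named by CiWebhitsfile when the request hits a .htw object, else None."""
    if not HTW_RE.search(rec["stem"]):
        return None
    # parse_qs percent-decodes values; lower-case keys so CiWebHitsFile variants match
    params = {k.lower(): v for k, v in parse_qs(rec["query"], keep_blank_values=True).items()}
    values = params.get("ciwebhitsfile")
    return values[0] if values else None


def find_hit_highlight_requests(log_text):
    """Scan a whole log and collect .htw requests that name a file via CiWebhitsfile."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        target = hit_highlight_target(rec)
        if target is not None:
            findings.append({"ip": rec["ip"], "stem": rec["stem"], "target": target,
                             "served": rec["status"] == 200})
    return findings
```

Requests the filter reports can then be compared against the paths the site protects with Basic or NTLM authentication, since a 200 on such a request means the content was returned without that check.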
V. BUSINESS IMPACT
-------------------------
The impact depends on the web contents. Attackers could gain access to
all protected documents and ASP code.
Once an attacker has access to a trusted zone, the probability of
obtaining command execution is higher.
VI. SYSTEMS AFFECTED
-------------------------
Internet Information Services Version 5, any Service Pack.
VII. SOLUTION
-------------------------
Protect the files with NTFS filesystem permissions instead of relying
on the IIS protection.
Microsoft recommends not using IISv5 and updating to IISv6.
VIII. REFERENCES
-------------------------
http://support.microsoft.com/kb/328832
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com)
X. REVISION HISTORY
-------------------------
December 15, 2006: Initial release
March 19, 2007: Latest revision
March 27, 2007: First notification to the vendor.
Response: under revision.
April 11, 2007: The vendor considers minor changes to its KB article.
April 12, 2007: We accept this and propose adding comments about the
severity of the problem. Rejected by the vendor.
May 21, 2007: Published, as the vendor's published information is
considered insufficiently detailed.
XI. DISCLOSURE TIMELINE
-------------------------
December 15, 2006: Vulnerability discovered by
Jesus Olmos Gonzalez (Internet Security Auditors)
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors, S.L. accepts no responsibility for any
damage caused by the use or misuse of this information.