Index Service Exposes File System
Reported January 27, 2000 by David Litchfield
VERSIONS AFFECTED
  • Microsoft Index Server 2.0
  • Indexing Service in Windows 2000

DESCRIPTION

According to Microsoft"s report, David Litchfield discovered problems with with Microsoft"s Index Server. Quoting from the report, "The first vulnerability could allow a malicious user to view -- but not to change, add or delete -- files on a web server. The second vulnerability could reveal where web directories are physically located on the server.

\[The newly released\] patch eliminates two vulnerabilities whose only relationship is that both occur in Index Server. The first is the "Malformed Hit-Highlighting Argument" vulnerability. The ISAPI filter that implements the hit-highlighting (also known as "WebHits") functionality does not adequately constrain what files can be requested. By providing a deliberately-malformed argument in a request to hit-highlight a document, it is possible to escape the virtual directory. This would allow any file residing on the server
itself, and on the same logical drive as the web root directory, to be
retrieved regardless of permissions.

The second vulnerability involves the error message that is returned when a user requests a non-existent Internet Data Query (.IDQ) file. The error message provides the physical path to the web directory that was contained in the request. Although this vulnerability would not allow a malicious user to alter or view any data, it could be a valuable reconnaissance tool for mapping the file structure of a web server."

The following text is the advisory released by David Litchfield:

======

BEGIN ADVISORY

==

Cerberus Information Security Advisory (CISADV000126)
http://www.cerberus-infosec.co.uk/advisories.html

Released : 26th January 2000
Name : Webhits.dll buffer truncation
Affected Systems: Microsoft Windows NT 4 running Internet Information
Server 4 All service Packs
Issue : Attackers can access files outside of the web virtual
directory system and view ASP source
Author : David Litchfield (mnemonix@globalnet.co.uk)
Microsoft Advisory :
http://www.microsoft.com/technet/security/bulletin/ms00-006.asp

Internet Information Server 4.0 ships with an ISAPI application webhits.dll
that provides hit-highlighting functionality for Index Server. Files that
have the extention .htw are dispatched by webhits.dll.

A vulnerability exists in webhits however that allows an attacker to break
out of the web virtual root file system and gain unathorized access to
other files on the same logical disk drive, such as customer databases,
log files or any file they know or can ascertain the path to. The same
vulnerability can be used to obtain the source of Active Server Pages or
any other server side script file which often contain UserIDs and
passwords as well as other sensitive information.

*** WARNING ****
Even if you have no .htw files on your system you"re probably
still vulnerable! A quick test to show if you are vulnerable:
go to http://YOUR_WEB_SERVER_ADDRESS_HERE/nosuchfile.htw
If you receive a message stating the "format of the QUERY_STRING
is invalid" you _are_ vulnerable. Cerberus Information Security"s
free vulnerability scanner - CIS - now contains a check for this
issue - available from the website http://www.cerberus-infosec.co.uk/
*** WARNING ****

Details
*******
This vulnerability exploits two problems and for the sake of clarity
this section will be spilt into two.

1) If you DO have .htw files on your system
****************************************
The hit-highlighting functionality provided by Index Server allows
a web user to have a document returned with their original search
terms highlighted on the page. The name of the document is passed
to the .htw file with the CiWebHitsFile argument. webhits.dll,
the ISAPI application that deals with the request, opens the file
highlights accordingly and returns the resulting page. Because
the user has control of the CiWebHitsFile argument passed to the
.htw file they can request pretty much anything they want. A secondary
problem to this is the source of ASP and other scripted pages can
be revealed too.

However, webhits.dll will follow double dots and so an attacker is able
to gain access to files outside of the web virtual root.

For example to view the web access logs for a given day the attacker would
build the following URL

http://charon/iissamples/issamples/oop/qfullhit.htw?CiWebHitsFile=/../../win
nt/system32/logfiles/w3svc1/ex000121.log&CiRestriction=none&CiHiliteType=Ful
l

Sample .htw files often installed and left on the system are
/iissamples/issamples/oop/qfullhit.htw
/iissamples/issamples/oop/qsumrhit.htw
/iissamples/exair/search/qfullhit.htw
/iissamples/exair/search/qsumrhit.htw
/iishelp/iis/misc/iirturnh.htw (this .htw is normally restricted to
loopback)

2) If you DON"T have any .htw files on your system
**************************************************
To invoke the webhits.dll ISAPI application a request needs to be made
to a .htw file but if you don"t have any on your web server you might wonder
why you are still vulnerable - requesting a non-existent .htw file will
fail.

The trick is to be able to get inetinfo.exe to invoke webhits.dll but
then also get webhits.dll to access an existing file. We achevie this
by crafting a special URL.

First we need a valid resource. This must be a static file such as a .htm,
.html, .txt or even a .gif or a .jpg. This will be the file opened by
webhits.dll as the template file.

Now we need to get inetinfo.exe to pass it along to webhits for dispatch and
the only way we can do this is by requesting a .htw file.

http://charon/default.htm.htw?CiWebHitsFile=/../../winnt/system32/logfiles/w
3svc1/ex000121.log&CiRestriction=none&CiHiliteType=Full

will fail. Obviously. There is no such file on the system with that name.

Notice we"ve now invoked webhits, however, and by placing a specific number
of spaces (%20s) between the exisiting resource and the .htw it is then
possible to trick the web service: The buffer that holds the name of the
.htw
file to open is truncated, causing the .htw part to be removed and therefore
when it comes to webhits.dll attempting to open the file it succeeds and we
are then returned the contents of the file we want to access without there
actually being a real .htw file on the system.


The code is probably doing something similar to this:

FILE *fd;
int DoesTemplateExist(char *pathtohtwfile)
\{

// Just in case inetinfo.exe passes too long a string
// let"s make sure it"s of a suitable length and not
// going to open a buffer overrun vulnerability

char *file;

file = (char *)malloc(250);
strncpy(file,pathtohtwfile,250);
fd = fopen(file,"r");

// Success
if(fd !=NULL)
\{
  return 1;
  \}
  // failed
  else
  \{
  return 0;
  \}
\}

Here webhits.dll "contains" a function called DoesTemplateExist() and is
passed a pointer to a 260 byte long string buffer containing the path to the .htw file to open but this buffer is further reduced in length by the strncpy()
function removing whatever was stored in the last ten bytes (in this case the .htw of the HTTP REQUEST_URI) so when fopen() is called it succeeds. This happens because Windows NT will ignore trailing spaces in a file name.

Solution
********
\[The\] .htw \[file extension\] needs to be unassociated from webhits.dll

To do this open the Internet Server Manager (MMC). In the left hand pane
right click the computer you wish to administer and from the menu that pops
up choose Properties.

From the Master Properties select the WWW Service and then click Edit. The
WWW Service Master properties window should open. From here click on the
Home Directory tab and then click the Configuration button. You should
be presented with an App Mappings tab in the Application Mappings window.
Find the .htw extention and then highlight it then click on remove. If a
confirmation window pops up selected Yes to remove. Finally click on Apply and select all of the child nodes this should apply to and then OK that. Now close all of the WWW Service property windows.

About Cerberus Information Security, Ltd
****************************************
Cerberus Information Security, Ltd, a UK company, are specialists in
penetration testing and other security auditing services. They are the developers of CIS (Cerberus" Internet security scanner) available for free from their website: http://www.cerberus-infosec.co.uk

To ensure that the Cerberus Security Team remains one of the strongest
security audit teams available globally they continually research operating system and popular service software vulnerabilites leading to the discovery "world first" issues. This not only keeps the team sharp but also helps the industry and vendors as a whole ultimately protecting the end consumer.
As testimony to their ability and expertise one just has to look at exactly
how many major vulnerabilities have been discovered by the Cerberus Security Team - over 40 to date, making them a clear leader of companies offering such security services.

Founded in late 1999, by Mark and David Litchfield, Cerberus Information
Security, Ltd are located in London, UK but serves customers across the World. For more information about Cerberus Information Security, Ltd please visit their website or call on +44(0) 181 661 7405

Permission is hereby granted to copy or redistribute this advisory but only
in its entirety. Copyright (C) 2000 by Cerberus Information Security, Ltd

=

END ADVISORY

=======

VENDOR RESPONSE

Microsoft has released a FAQ, Support Online articles Q251170 and Q252463, a patch for Index Server (Intel or Alpha) and a patch for Index Server for Windows 2000.

CREDITS
Discovered by
David Litchfield