** Digit-Labs Security Advisory (http://www.digit-labs.org/) **

Advisory Name: IIS Administration Web Site redirect exploits
Release Date: 25.June-2002
Application: Microsoft Internet Information Server 5.0
Platform: Windows 2000 Professional
Severity: Low/Medium
Author(s): GoLLuM.no [mailto:gollum@digit-labs.org]
Vendor Status: Notified

Disclaimer:
The content of this advisory is meant only as educational material for website administrators and the like. Any kind of illegal use is strongly discouraged! Don't run the embedded proof-of-concept code; it does actually work, but if you run it, it will share your X:\ disk to everyone, and you don't want that if you have something of value on it. If you still run the code, then don't blame me if you get hacked later because you didn't delete the exploited web that the PoC creates ;-)

Executive Summary:
The default installation of IIS installs an Administration web site. The Administration web site can be exploited by redirection requests to localhost.

Detailed Description:
Many types of exploits are available if a web administrator browses a web page that contains exploit code. New webs can be created, old webs deleted, and permissions altered through an HTTP redirection to the localhost web server. The user browsing the exploit web page must be a web-site administrator of some kind.

Proof-of-concept:
Let's say you browse a website somewhere on the internet (reading a newspaper or whatever). The page you enter has two frames: the first one creates a new web site on port 31337 of your computer and shares your X: disk, allowing anonymous users to browse and execute files on your computer without your knowledge. The second frame starts the new web site service after it is created, as it is stopped by default after creation. After running this PoC everyone can access your files on X:\ by typing http://www.yourserver.c0m:31337/ in their browser. X:\ is just a suggestion; all drives can be exploited in this way.
The port/socket number of the Administration Web site is random and decided at setup. A port scan of the target computer reveals the port number. Most installations I have seen are usually in the port/socket range 6000-10000. In the PoC I have assumed that the Administration Web site is running on port 6422.

!! Don't run this code if you don't know what you are doing !!

----------------------- frame1.htm -----------------------------
Exploiting IIS Admin location redirect - Exploit #1

"The secret to creativity is knowing how to hide your sources."

-Albert Einstein
----------------------------------------------------------------

----------------------- frame2.htm -----------------------------
Exploiting IIS Admin location redirect - Exploit #1

"Reality is merely an illusion, albeit a very persistent one."

-Albert Einstein
----------------------------------------------------------------

!! Remember to remove the DigitLabs_exploit from the web server when you are finished !!

As mentioned, there are several other exploits that are possible. As an example, a redirection to http://localhost:6422/iiaction.asp?a=del&path=IIS%3A//localhost/W3SVC/1/ROOT/digitlabs&stype=www&vtype=dir&sel=18 would remove a web called "digitlabs" from the web server if it exists.

Before doing any of the above exploits you must make sure that there are valid authorization session cookies. The way to do this is to first do a redirect to the root of the Administration Web Site; an information box saying that you are not running in SSL appears, but this only has an OK button and no Cancel button, and will not be able to stop the exploit. The only way to stop the exploit from creating valid session cookies is to kill the browser process in Task Manager before pressing the OK button. In the above PoC, create a third frame that redirects to the root of the Administration Web and make sure that this frame is executed first.

Temporary solution:
Disable the Administration Web Site if you don't use it.