** Digit-Labs Security Advisory (http://www.digit-labs.org/) **

Advisory Name:  IIS Administration Web Site redirect exploits
Release Date:   25-June-2002
Application:    Microsoft Internet Information Server 5.0
Platform:       Windows 2000 Professional
Severity:       Low/Medium
Author(s):      GoLLuM.no [mailto:gollum@digit-labs.org]
Vendor Status:  Notified

Disclaimer:

The content of this advisory is meant only as educational material for website administrators and the like. Any kind of illegal use is strongly discouraged! Don't run the embedded proof-of-concept code; it does actually work, and if you run it, it will share your X:\ disk with everyone. You don't want that if you have something of value on it. If you still run the code, don't blame me if you get hacked later because you didn't delete the exploited web that the PoC creates ;-)

Executive Summary:

The default installation of IIS installs an Administration Web site. Although that site is meant to be reached only from the local machine, it can be driven by requests that an attacker's web page causes an administrator's browser to send to localhost: a cross-site request forgery against the local web server.

Detailed Description:

Several attacks become possible if a web administrator browses a web page that contains exploit code. New webs can be created, existing webs deleted, and permissions altered, all through HTTP redirections to the web server on localhost. The user whose browser loads the exploit page must be an IIS administrator on that machine: the Administration Web site authenticates the request with the credentials the browser already holds for the logged-on user, so the attacker needs none of their own.

Proof-of-concept:

Let's say you browse a website somewhere on the Internet (reading a newspaper or whatever). The page you enter has two frames. The first one creates a new web site on port 31337 of your computer and shares your X: disk, allowing anonymous users to browse and execute files on your computer without your knowledge. The second frame starts the new web site after it has been created, since a newly created site is stopped by default. After running this PoC, everyone can access your files on X:\ by typing http://www.yourserver.c0m:31337/ in their browser. X:\ is just a suggestion; any drive can be exploited in this way.

The port number of the Administration Web site is random and is chosen at setup time. A port scan of the target computer reveals the port number. Most installations I have seen use a port in the range 6000-10000. In the PoC I have assumed that the Administration Web site is running on port 6422.

!! Don't run this code if you don't know what you are doing !!

----------------------- frame1.htm -----------------------------
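The port-discovery step described above, written out as an added example; this is not part of the advisory and is not its frame1.htm proof-of-concept. It is a small Python scanner that probes the 6000-10000 range on a host and reports ports that answer as Microsoft-IIS while refusing an anonymous GET. The status codes it matches (401 for the Windows authentication challenge, 403 for the default local-address restriction) and the Server header value are assumptions about how the Administration Web site answers an unauthenticated request, and the sample response in the block is constructed, not captured.

```python
"""Locate a candidate IIS Administration Web site by probing the port range
the advisory names (6000-10000) and inspecting the HTTP banner.
Added example; not the advisory's own code."""
import socket
from typing import List, Optional, Tuple

# Port range the advisory reports for the Administration Web site.
ADMIN_PORT_RANGE = range(6000, 10001)


def parse_http_banner(raw: bytes) -> Optional[Tuple[int, str]]:
    """Return (status_code, Server header) for an HTTP response, or None
    when the bytes are not an HTTP response at all (some other service)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return None
    try:
        status = int(parts[1])
    except ValueError:
        return None
    server = ""
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            server = value.strip()
            break
    return status, server


def looks_like_admin_site(status: int, server: str) -> bool:
    """Heuristic (assumption): an IIS server that refuses an anonymous GET.
    The Administration Web site demands Windows authentication (401) and,
    in its default configuration, rejects non-local addresses (403)."""
    return server.lower().startswith("microsoft-iis") and status in (401, 403)


def probe_port(host: str, port: int,
               timeout: float = 0.5) -> Optional[Tuple[int, str]]:
    """Connect, send a minimal GET, and parse whatever comes back."""
    request = b"GET / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            data = b""
            while len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None  # closed port, timeout, or connection reset
    return parse_http_banner(data)


def find_admin_site(host: str,
                    ports=ADMIN_PORT_RANGE) -> List[Tuple[int, int, str]]:
    """Return (port, status, server) for every candidate in the range."""
    hits = []
    for port in ports:
        result = probe_port(host, port)
        if result and looks_like_admin_site(*result):
            hits.append((port, result[0], result[1]))
    return hits


if __name__ == "__main__":
    # Constructed response of the kind an unauthenticated request to the
    # Administration Web site is assumed to get; lets the parser be
    # exercised without a live IIS 5.0 host.
    SAMPLE = (b"HTTP/1.1 401 Access Denied\r\n"
              b"Server: Microsoft-IIS/5.0\r\n"
              b"WWW-Authenticate: NTLM\r\n\r\n")
    print(parse_http_banner(SAMPLE))
    for port, status, server in find_admin_site("127.0.0.1"):
        print(f"candidate Administration Web site on port {port}: "
              f"{status} {server}")
```

Run it only against a host you are responsible for: it opens about four thousand TCP connections, which any intrusion detection system will log. A hit only tells you where the administrative interface listens; whether the attack above then works depends on which user's browser is tricked into sending the requests.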