============================================= INTERNET SECURITY AUDITORS ALERT 2006-013 - Original release date: December 15, 2006 - Last revised: May 22, 2007 - Discovered by: Jesus Olmos Gonzalez - Severity: 5/5 ============================================= I. VULNERABILITY ------------------------- Microsoft IIS5 NTLM and Basic authentication bypass II. BACKGROUND ------------------------- Microsoft Internet Information Server Web Server can protect the private contents with a basic or NTLM authentication. Many web pages, intranets and extranets rely on Microsoft security. IISv5 has a "Hit-highlighting" functionality that opens some site object and highlights some part of it; that has had a transversal vulnerability in the past. Now it can be used to bypass the IIS authentication. This is poorly documented at KnowledgeBase http://support.microsoft.com/kb/328832, the real impact is detailed above. III. DESCRIPTION ------------------------- Any Internet user can access the private web directories and files of any IISv5 web, by highlighting it with "Hit-highlighting". To use this functionality the user has to supply the CiWebhitsfile parameter to the null.htw object. The null.htw object has to be accessed from a non-existant directory, for example http://anyiisweb.com/foo/null.htw It is possible to use null.htw or other object specified at the CiTemplate template. IV. PROOF OF CONCEPT ------------------------- https://anyiis5.com/authBypass/null.htw?CiWebhitsfile=/protectedfile.aspx&CiRestriction=b&CiHiliteType=full https://anyiis5.com/authBypass/null.htw?CiWebhitsfile=/some/secretfile.txt&CiRestriction=b&CiHiliteType=full V. BUSINESS IMPACT ------------------------- The impact depends on the web contents. Attackers could gain access to all protected documents, and ASP code. When an attacker accesses a trusted zone, the probability to get command execution is higher. VI. SYSTEMS AFFECTED ------------------------- Internet Information Services Version 5, any Service Pack. VII. SOLUTION ------------------------- Protect the files from the NTFS filesystem instead of relying on the IIS protection. Microsoft recommends not to use IISv5 and update to IISv6. VIII. REFERENCES ------------------------- http://support.microsoft.com/kb/328832 IX. CREDITS ------------------------- This vulnerability has been discovered and reported by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com) X. REVISION HISTORY ------------------------- December 15, 2006: Initial release March 19, 2007: Latest revision March 27, 2007: First notification to the vendor. Response: under revision. April 11, 2007: The vendor considers little changes in their KB. April 12, 2007: We accept it and propose add comments about the severity of the problem. Rejected by vendor. May 21, 2007: Published. As the publish information is considered really not detailed. XI. DISCLOSURE TIMELINE ------------------------- December 15, 2006: Vulnerability acquired by Jesus Olmos Gonzalez (Internet Security Auditors) XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.