BindView RAZOR Team Analysis of DVWSSR.DLL

Risks Uncovered:
================

The risks of having dvwssr.dll are not as severe as originally reported in
media outlets Friday morning, but they are still severe enough that system
administrators responsible for NT systems should investigate. The risks depend
on whether or not the DLL is loaded, how rights on it are set, and potentially
how FrontPage 98 is used.

1. If you have Microsoft NT 4 with the Option Pack loaded and FrontPage 98,
   you have the vulnerable dvwssr.dll loaded.

2. To run the DLL remotely you need to have read access to the DLL. This is
   not assigned by default. Typically, on systems with multiple virtual hosts
   the administrator could have put everyone with a virtual host on the system
   into a group and given that group access to the DLL. This would imply that
   any virtual host maintainer could look at other hosts' files. Obviously a
   misconfigured host might allow anonymous access, but this would require
   purposeful action by the administrator.

3. The files in question are ASP files. This DLL gives you the ability to
   read ASP source, so it is possible that hardcoded user names and passwords
   to backend systems may be viewed. This is essentially the risk that Rain
   Forest Puppy found.

4. There exists a buffer overflow in dvwssr.dll. At offset 0x581811C9 in the
   DLL is an unchecked lstrcpy. By sending a large string of characters,
   dvwssr.dll can be overflowed. By carefully constructing these characters,
   it is possible to remotely execute commands as "system", which can be used
   for elevating privileges. The buffer overflow was uncovered by CoreSDI.

5. In theory, if you can get the hash of a user with the access, you can
   exploit the buffer overflow. This is called "passing the hash", and
   essentially means that you use the hash, without cracking the password,
   to authenticate to the target server.
See http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9704&L=NTBUGTRAQ&P=R2734&D=0
for details from RAZOR's Paul Ashton on the basis for this technique. This
technique is currently one of the stars of Foundstone's "Hacking Exposed:
Live" presentations being put on by George Kurtz and Eric Schultze at
security shows around the globe. Certainly in theory this could be adapted
to this exploit.

6. Sniffing the NT LanMan password hash sent by a legitimate FP98 user with
   L0phtcrack, and subsequently cracking the password, would certainly give
   you the proper access to run the DLL, and therefore elevate privileges.
   This would of course mean that the sniffer would have to be located
   between the legitimate user and the target server, but that is not beyond
   the realm of possibility.

Detection of the DLL:
=====================

Detection is quite simple. The following examples use NetCat:

Example 1:

$ nc -v -w2 target.system 80
GET /_vti_bin/_vti_aut/dvwssr.dll HTTP/1.0
(hit enter twice)

HTTP/1.0 500 Server Error
(The system could not find the environment option that was entered. )

The 500 error means dvwssr.dll is not present.

Example 2:

$ nc -v -w2 target.system 80
GET /_vti_bin/_vti_aut/dvwssr.dll HTTP/1.0
(hit enter twice)

HTTP/1.0 401 Access Denied

The 401 error means dvwssr.dll is present but you do not have the rights to
it.

Example 3:

$ nc -v -w2 target.system 80
GET /_vti_bin/_vti_aut/dvwssr.dll HTTP/1.0
(hit enter twice)

Connection closed by foreign host.

The closed connection means that you had the rights to run the DLL, but since
no parameters were passed the request simply completed with no output.

Users of BindView's HackerShield can use the Rapid Fire Update released on the
evening of April 14 to detect the presence of the DLL on the systems they
manage.

Elimination of Vulnerability:
=============================

Microsoft's original recommendation of removing the DLL still stands, as this
eliminates the vulnerability completely.
See http://www.microsoft.com/technet/security/bulletin/ms00-025.asp for
details.

Credits
=======

The technical details in this analysis were provided by Todd Sabin and Paul
Ashton of BindView's RAZOR team (in addition to information made public by
Rain Forest Puppy and CoreSDI).

- Simple Nomad - No rest for the Wicca'd -
- thegnome@nmrc.org - www.nmrc.org -
- thegnome@razor.bindview.com - razor.bindview.com -
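An added probe script that automates the three NetCat checks from the
"Detection of the DLL" section above. This is example code written for this
page, not part of the original RAZOR advisory or of HackerShield. It sends
the same HTTP/1.0 request the advisory types into nc and maps the reply to
the advisory's three outcomes (500 = absent, 401 = present but no rights,
connection closed with no reply = present and runnable). "target.system" is
the advisory's placeholder host name; the sample responses used for the
classifier are constructed.

```python
"""
Probe an IIS host for /_vti_bin/_vti_aut/dvwssr.dll and classify the reply
the way the RAZOR advisory's three NetCat examples do.

Added example; not from the original advisory. Host names and the sample
responses are constructed for illustration.
"""
import socket

DVWSSR_PATH = "/_vti_bin/_vti_aut/dvwssr.dll"

# Outcome labels, in the advisory's terms.
ABSENT = "absent (HTTP 500)"
PRESENT_DENIED = "present, no rights (HTTP 401)"
PRESENT_ACCESSIBLE = "present and runnable (connection closed with no reply)"
UNKNOWN = "unknown"


def build_request(host):
    """The HTTP/1.0 request the advisory types into nc. A Host header is
    harmless for HTTP/1.0 and lets name-based virtual hosts route it."""
    return ("GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (DVWSSR_PATH, host)).encode("ascii")


def classify_response(raw):
    """Map the raw bytes received before the server closed the socket to one
    of the advisory's three outcomes.

    raw == b"" is the 'Connection closed by foreign host' case: the DLL ran,
    but with no parameters it produced no output.
    """
    if raw == b"":
        return PRESENT_ACCESSIBLE
    status_line = raw.split(b"\n", 1)[0].rstrip(b"\r")
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return UNKNOWN
    code = parts[1]
    if code == b"500":
        return ABSENT
    if code == b"401":
        return PRESENT_DENIED
    # Anything else (e.g. a 404) is outside what the advisory documents;
    # report it rather than guess.
    return "%s (HTTP %s)" % (UNKNOWN, code.decode("ascii", "replace"))


def probe(host, port=80, timeout=2.0):
    """Connect, send the request, read until the server closes, classify.

    Returns (label, raw_response). A timeout with nothing received is
    reported separately from a clean close, so a slow or filtered host is
    not mistaken for the 'present and runnable' case.
    """
    raw = b""
    timed_out = False
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(host))
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                raw += chunk
        except socket.timeout:
            timed_out = True
    if timed_out and raw == b"":
        return ("no reply before timeout (inconclusive)", raw)
    return (classify_response(raw), raw)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "target.system"  # placeholder
    label, raw = probe(target)
    print("%s: %s" % (target, label))
    if raw:
        print(raw.split(b"\n", 1)[0].decode("ascii", "replace"))
```

Run it as `python dvwssr_probe.py target.system`. The classifier only
recognises the three replies the advisory lists; any other status code, and
a socket that simply times out, are reported as inconclusive so that the
operator, not the script, decides what a server that answers differently
means.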