Great Circle Associates Firewalls
(July 1997)
 


Subject: Re: MS IIS asp pages
From: Bill Stout <stoutb @ pios . com>
Date: Tue, 29 Jul 1997 09:10:19 -0700
To: dave kaas <dave_kaas @ RL . gov>, firewalls @ greatcircle . com

The best place to ask is ntsecurity @ iss . net, though depending on the version
of IIS, it is vulnerable to:

 o The dot bug - where active server page URLs ended by a dot returned the
text of the server-side script rather than executing the script, possibly
exposing database passwords, SQL calls, usernames, etc.

 o Buffer overflow - where characters beyond a certain URL length are
executed as console commands.

 o Batch files (.bat) and command files (.cmd) used as server-side scripts
run with SYSTEM privilege.

 o Redirect - Script files output can be written to a file on the webserver,
such as http://domain.tld/scripts/scriptname%0A%0D>PATH\target.bat will
create an output file 'target.bat'.

 o Truncate - If target.bat exists, the target file will be truncated.

 o If the webserver is installed as a standalone domain, the server becomes
a domain controller.  When the user account IIS_webserver is created, it
becomes a part of the 'DOMAIN USERS' group.  Users connecting in as
'ANONYMOUS' run as 'IIS_webserver', which now runs .ASP files with 'DOMAIN
USERS' privileges, instead of the intended 'ANONYMOUS' user.

Other NT vulnerabilities such as IP Fragmentation attacks on a system behind
a packet filter firewall can be found at http://www.ntsecurity.net/ (was my
old ntexploits list). ;)  Also see http://ntbugtraq.rc.on.ca/ for the
NTbugtraq mailing list, and http://www.iss.net/ for the ntsecurity mailing list.

You can also search the Microsoft Knowledge Base for 'IIS' or 'ntsecurity'.

Bill Stout



At 02:31 PM 7/28/97 -0700, dave kaas wrote:
>This may not be the right place to post this, and if not I apologize.
>
>I have seen several descriptions of security problems with CGI script
>and server side includes on web pages but have seen nothing on IIS asp
>pages.  What kind of security problems, if any, exist on asp pages?  I
>would think they would be similar to server side includes?
>
>thank you.
>
>
>-- 
> Dave Kaas                 Internet: dave_kaas @ rl . gov
> Lockheed Martin Services   Phone:    (509) 376-6386
> United States Department of Energy, Richland, WA
>
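
An added example, not part of the original post or the archive: a log check a defender could run to flag requests shaped like the URL-based issues listed in the reply (trailing-dot .asp requests, the %0A%0D> redirect, .bat/.cmd scripts, very long URLs). The log layout, client addresses, function names and the length limit are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: the post gives no length for the overflow; this limit is a tunable guess.
MAX_URL_LEN = 1024

# Constructed sample: "client method url" per line (a made-up layout, not IIS's own).
SAMPLE_LOG = """\
10.0.0.5 GET /default.asp
10.0.0.7 GET /login.asp.
10.0.0.7 GET /scripts/scriptname%0A%0D>PATH\\target.bat
10.0.0.9 GET /scripts/report.cmd?arg=1
10.0.0.9 GET /index.htm
"""

def classify(url):
    """Return labels for the issues in the post that a raw request URL matches."""
    path = unquote(url.split("?", 1)[0])
    hits = []
    # Dot bug: an .asp URL ended by one or more dots.
    if re.search(r"\.asp\.+$", path, re.I):
        hits.append("dot-bug")
    # Overflow: only the length can be judged from a log line.
    if len(url) > MAX_URL_LEN:
        hits.append("long-url")
    # Redirect/truncate: an encoded line break followed by '>' and a target.
    if re.search(r"[\r\n]+\s*>", unquote(url)):
        hits.append("redirect")
    # .bat/.cmd as the script itself (text after a line break is the target).
    script = re.split(r"[\r\n]", path, maxsplit=1)[0]
    if re.search(r"\.(bat|cmd)$", script, re.I):
        hits.append("batch-script")
    return hits

def scan(log_text):
    """Return (client, url, labels) for every log line with at least one match."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # skip lines that are not in the assumed layout
        client, _method, url = parts
        labels = classify(url)
        if labels:
            findings.append((client, url, labels))
    return findings

if __name__ == "__main__":
    for client, url, labels in scan(SAMPLE_LOG):
        print(client, ",".join(labels), repr(url))
```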

