Bugtraq mailing list archives

Re: More Microsoft debri

From: pedward () WEBCOM COM (pedward () WEBCOM COM)
Date: Thu, 23 Apr 1998 14:36:00 -0700


First of all, Frontpage is braindammaged (just have to set the stage).

Ok, Frontpage works like this when you want to publish files:

It tries to GET "http://www.yourdomain.com/_vti_inf.html";.  This file
contains the version of the FP extensions and the path on the server
where the extensions are located.  When you use Frontpage to upload content,
it will try and fetch this file, if it can, it then tries to POST to
"http://www.yourdomain.com/_vti_bin/shtml.exe/_vti_rpc"; (that's the default).

This server binary is not password protected, so it is able to post a query
to it.  The first thing it does is just establish a protocol rev in which the
client and server are going to talk, and what functions the server provides.

If you have any people using Frontpage, it's likely that they FTPed the
_vti_inf.html from their home machine up to your site.  Then they tried
to publish, and it tried HTTP first.  If HTTP fails, it just kicks over to
FTP as the publishing protocol (and notifies the user that they can't use
WebBots and stuff).

Incidentally, I have a passion to hate the FP extensions.  They are fundamentally
stupid in nearly all respects of implementation.

Firsly, they maintain a crapload of meta files (one shadow for every file
managed) then they have all of their config info in a bunch of text files
in the _vti_pvt directory.  (Oh, BTW, there exists a very HUGE privacy hole
in the FP extenstions).  If you go to a site that has FP extensions, just
pick any directory in the URL, yank the filename off, and put "_vti_cnf"
there instead...you'll get a complete listing of all the files in the
real directory.  With this you can snatch files that weren't meant to be
seen by the public...and it's available on ALL FP enabled sites.

Hmm, I've contributed a "privacy bug" now. :)

Want to know an even cooler hack?  Want to break into Frontpage enabled sites?

Just snarf the "administrators.pwd" and "authors.pwd" file in:

"http://www.yourdomain.com/_vti_pvt/administrators.pwd";

That'll net you the password file for the web.  Just convert it properly and run
Crack on it to obtain a useful password for defacing web sites!

Want even more???

Frontpage 98 fucks up the permissions so bad that it makes the _vti_pvt
directory WORLD WRITABLE!!! No shit, you can do whatever you want to stuff
in that directory.

Hmm, I love incompetent nitwits that think they can buy someone elses crappy
Unix shit and sell it as their own!!! :)

Oh, you know why all the directories begin with "VTI"???

"Vermeer Technology Inc". The people the M$ bought for Frontpage. :)

--Perry


i work on the iis team, not fp, but i'll take a stab. the shtml.exe file is
used by the frontpage editor when it wants to upload work from the editor to
the server. this communication is performed using http. the same fp server
extensions (as they are called) are used by visual interdev.

the extensions are not specific to microsoft servers, they are available on
various flavors of unix too. what's possibly happening is someone is using
fp or vid to work on your server. if the fp extensions are not there then
fp/vid will not be able to upload stuff to your server, but you will
probably see a log entry like that listed below from a tool trying to test
if the extensions are loaded on the server.

the link updating theory is interesting, but i don't think that fp tries to
call any executable to verify off-server links. but i'd need to check with
the fp guys... let me know if you want me to persue it...

cheers, mh
mikehow () microsoft com
program manager
iis security


Looking at my Netscape error log on my web servers recently I have found
several entries that look like this:

[08/Apr/1998:08:07:07] config: for host *blah* trying to POST
/_vti_bin/shtml.exe/_vti_rpc, handle-processed reports: no way to service
request for /_vti_bin/shtml.exe/_vti_rpc

Host name removed to protect the -apparently- innocent


The file being posted here is the M$ control file  for servers managed by
"FrontPage."

In the beginning I thought these were all attempts to "take over" my
server
by placing a hacked version of the software in my server.  Since we don't
run NT or 95, for obvious reasons, I was somewhat surprised by the
frequency of such brain dead attacks and even more surprised that it
might work.

Recently I have learned that the M$ software itself attempts to POST to
this file if you attempt to "verify off site links" on a server managed
by this software.

IN-other-words, every time you attempt to verify links to other servers
on your M$ managed
http server, that server will ASSUME that every one is a M$ managed
server and add yet another error entry to their error file.


I have notified M$   -as expected No response-


--
Perry Harrington        System Software Engineer    zelur xuniL  ()
http://www.webcom.com  perry.harrington () webcom com  Think Blue.  /\

Current thread:

More Microsoft debri Lloyd Vancil (Apr 23)
- <Possible follow-ups>
- Re: More Microsoft debri Michael Howard (Apr 23)
  - Re: More Microsoft debri pedward () WEBCOM COM (Apr 23)
    - Re: More Microsoft debri James E. Robinson, III (Apr 23)
  - Another Frontpage Bug, with promiscuous ScriptAliases pedward () WEBCOM COM (Apr 23)
    - Flaw in HTTP-Authentication in O'Reilly Website Pro BarKode (Apr 23)
    - Re: Another Frontpage Bug, with promiscuous ScriptAliases Marc Slemko (Apr 23)
    - How to exploit AlephOne by JP of AntiOnline F0RMiCA (Apr 24)
    - Security Hole in Netscape Enterprise Server 3.0 Daragh Malone (Apr 24)
    - Re: Security Hole in Netscape Enterprise Server 3.0 Matthew Frederick (Apr 24)
    - How to exploit mudge by AlephOne by JP AntiOnline Dr. Mudge (Apr 24)
    - Re: How to exploit mudge by AlephOne by JP AntiOnline Aleph One (Apr 24)