Bugtraq mailing list archives

Re: Alert: RDS IIS vulnerability/fix


From: rfp () WIRETRIP NET (.rain.forest.puppy.)
Date: Sun, 25 Jul 1999 14:55:38 -0500


Wanderley J. Abreu Junior (<storm () unikey com br>):
    yes, but actually there's a DSN called advworks that is automatically
configured by RDS Server and doesn't require a password (as you have mentioned
in the third part of this doc).

Correct, that's why it scans for AdvWorks in Step 3.

/msadc/samples/SELECTOR/showcode.asp actually there's a way to retrieve the
ODBC list which is in \winnt\odbc.ini.

Now, MDAC 1.5 does *not* install the samples by default.  But considering
that the VbBusObj comes with the samples, I may add this in.  Look for
future code postings at www.technotronic.com/rfp/

        IIS 3 also has /scripts/tools and /scripts/samples features and

Yes, many of which I report about in my advisory and Phrack articles.
Don't forget /iissamples/ as well, and /scripts/iisadmin/.

plus! If you enter some mapped script extension like http://server/jerk.idc
it returns to you the exact directory where the Web page is stored like
   c:\Inetpub\wwwroot\ even if you handled 404 error to another page. Since

I believe it's Service Pack 4 that fixes this, and perhaps Service Pack 5
breaks this...I'm trying to pull the discussion from some time ago from my
memory...

All in all, yes, you are correct that there are many ways to figure out
the DSNs.  But I still believe you should do this little bit of legwork
yourself, find a valid DSN, slap it into a text file, and then use the -e
option for Step 5 (user submitted/brute force DSNs).

Cheers,
.rain.forest.puppy.

