Alert: IIS 4 / IS 2 IDQ Cerberus Information Security Advisory (CISADV000202)

[mnemonix () GLOBALNET CO UK (Mnemonix)]

Cerberus Information Security Advisory (CISADV000202)
http://www.cerberus-infosec.co.uk/advisories.html

Released: 2nd February 2000
Name: IDQ
Affected Systems : Microsoft Windows NT 4 running Internet Information
                             Server 3 or 4
Issue: Attackers can access files outside of the web
virtual
                             directory system
Author: David Litchfield (mnemonix () globalnet co uk)

Description
*********
Any web site running Internet Information Server 3 or 4 and
using Internet Data Query files to provide search functionality on the site
may be exposed. IIS also comes with some sample IDQ scripts that are
vulnerable so any website with these sample files left on are at risk.
Using these IDQ scripts or even custom scripts it is possible to break
outside of the web virtual root and gain unathorized access to files,
such as log files and in certain cases the backup version
of the Security Accounts Manager (sam._)

It does require for the attacker to know the path to the file, for the file
to be on the same logical disk drive as the IDQ file and for ACL to allow
read access to the anonymous Internet account or the Everyone/guests group.

Details
*****
The extent of this security hole depends upon whether the recent "webhits"
patch
has been installed. See
http://www.microsoft.com/technet/security/bulletin/ms00-006.asp
If the patch has been installed there is still a vulnerability - however,
those that
have not installed this patch are most at risk. Microsoft are re-releasing
this advisory
and the updated patch. Please note that Windows 2000 does not seem to be
vulnerable to
this. Cerberus' vulnerability scanner, CIS, has now been updated to check
for this issue.
For those that already have a copy of the scanner you can download the
updated module
from http://www.cerberus-infosec.co.uk/webscan.dll - however those that do
not yet have
the scanner, if you would like a copy please go to
http://www.cerberus-infosec.co.uk/ and follow
the Cerberus Internet Scanner link on the frontpage.

If the "webhits" patch HAS NOT been installed
************************************
Any idq file that resolves remote user input for any part of the template
file is dangerous.
eg: CiTemplate = %TemplateName%

The ISAPI application that deals with IDQ queries is idq.dll and it will
follow double dots in paths to template files, meaning an attacker can
break out of the web root. If the idq file appends .htx to the CiTemplate
eg: CiTemplate=/iissamples/issamples/%TemplateName%.htx

some may think this will limit attackers to viewing only .htx files. Not so.
Quoting from the Index Server documentation (/iishelp/ix/htm/ixidqhlp.htm),
"Index Server does not support physical paths longer than the Windows NT
shell limit (260 characters)."  Due to this limit it is possible to append
lots of spaces onto the name of the file we want to read and thereby
pushing the .htx out of the buffer and we're served back the file.

IDQ files known to be at risk in one way or another:

prxdocs/misc/prxrch.idq
iissamples/issamples/query.idq
iissamples/exair/Search/search.idq
iissamples/exair/Search/query.idq
iissamples/issamples/fastq.idq

There are may be more.

If the "webhits" patch HAS been installed
*******************************
Machines that have had the patch installed will only be vulnerable if the
IDQ file does not specify a .htx extention
eg:
CiTemplate = %TemplateName%
and
CiTemplate = /somedir/otherdir/%TemplateName%
are vulnerable whereas
CiTemplate = /somedir/otherdir/%TemplateName%.htx
is not vulnerable.

Solution:
*******
Review your IDQ files to determine if you are at risk. If so edit them
and use hardcoded template files. eg

CiTemplate=%TemplateName%
to
CiTemplate=/your-virtual-directory/your-htx-file.htx

and then edit your search form to reflect this change.
Remove any sample files from the system - not just
idq files. Apply the updated patch.

About Cerberus Information Security, Ltd
********************************
Cerberus Information Security, Ltd, a UK company, are specialists in
penetration testing and other security auditing services. They are the
developers of CIS (Cerberus' Internet security scanner) available for free
from their website: http://www.cerberus-infosec.co.uk

To ensure that the Cerberus Security Team remains one of the strongest
security audit teams available globally they continually research operating
system and popular service software vulnerabilites leading to the discovery
of  "world first" issues. This not only keeps the team sharp but also helps
the industry and vendors as a whole ultimately protecting the end consumer.
As testimony to their ability and expertise one just has to look at exactly
how many major vulnerabilities have been discovered by the Cerberus Security
Team - over 40 to date, making them a clear leader of companies offering
such security services.

Founded in late 1999, by Mark and David Litchfield, Cerberus Information
Security, Ltd are located in London, UK but serves customers across the
World. For more information about Cerberus Information Security, Ltd please
visit their website or call on +44(0) 181 661 7405

Permission is hereby granted to copy or redistribute this advisory but only
in its entirety.

Copyright (C) 2000 by Cerberus Information Security, Ltd