OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: IIS 5.0 cross site scripting vulnerability - using .shtml files or /_vti_bin/shtml.dll
From: Georgi Guninski (joroNAT.BG)
Date: Mon Aug 21 2000 - 08:17:10 CDT

Georgi Guninski security advisory #19, 2000

IIS 5.0 cross site scripting vulnerability - using .shtml files or
/_vti_bin/shtml.dll

This advisory describes two vulnerabilites (one is already fixed by
Microsoft) but I decided to put them together.

Systems affected:
IIS 5.0/Windows 2000. Exploited with browser (IE,NC) but the problem is
in the web server.
For the /_vti_bin/shtml.dll vulnerability FrontPage server extensions
must be installed, but FrontPage Service Release 1.2 fixes the bug.
Probably other versions OSes - not tested.

Risk: Medium
Date: 21 August 2000

Legal Notice:
This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute
it unmodified. You may not modify it and distribute it or distribute
parts of it without the author's written permission.

Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski
is not liable for any damages caused by direct or indirect use of the
information or functionality provided by this program.
Georgi Guninski, bears NO responsibility for content or misuse of this
program or any derivatives thereof.

Description:
Using specially designed URLs, IIS 5.0 may return user specified content
to the browser.
This poses great security risk, especially if the browser is JavaScript
enabled and the problem is greater in IE.
By clicking on links or just visiting hostile web pages the target IIS
sever may return user defined malicous active content.
This is a bug in IIS 5.0, but it affects end users and is exploited with
a browser.
Issues:
1) .shtml files - specially designed urls involving .shtml files may
return hostile content
2) /_vti_bin/shtml.dll - specially designed urls may return hostile
content (this issue is already fixed by Microsoft)

Details:

Both issues takes advantage of an unescaped error message return by IIS
or FrontPage Extensions.

1)
The following URL:
---------------------------
http://iis5server/>alert('document.domain='+document.domain)</SCRIPT>.shtml
---------------------------
executes in the browser javascript provided by "iis5server" but defined
by a (malicous) user.
The URL may be used in a link or a script.
2) The following URL:
---------------------------
http://iis5server/_vti_bin/shtml.dll/>alert('document.domain='+document.domain)</SCRIPT>
---------------------------
executes in the browser javascript provided by "iis5server" but defined
by a (malicous) user.
The URL may be used in a link or a script.

The cross site scripting issue is known since long time, it had great
publicity in February 2000.
For information of the general problem, see the following documents:

CERTŪ Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web
Requests:
http://www.cert.org/advisories/CA-2000-02.html

Cross-site Scripting Overview (by Microsoft):
http://microsoft.com/technet/security/CSOverv.asp

Some malicous things that be done with this vulnerability in web sites
running IIS, assuming JavaScript is enabled in the browser:
1) Reading the documents on web servers inside a firewall (in the
intranet).
2) Stealing cookies - great danger.
3) For IE: if the user has put a web site in the "Trusted sites" zones,
other browser attacks may be launched.
4) Others.

At the time of writing this www.microsoft.com is vulnerable to issue 1.
Demonstration is available at: (note: I believe Microsoft shall fix this
very soon and the demo shall stop working):
http://www.nat.bg/~joro/iisshtml.html

Solution: Issue 2 is fixed by Microsoft with Frontpage Server Extensions
Service Release 1.2 available for download from
http://msdn.microsoft.com

Regards,
Georgi Guninski
http://www.nat.bg/~joro