Subject: Re: dvwssr.dll (Has anyone verified whether it is valid?)
From: Blue Boar (BlueBoarTHIEVCO.COM)
Date: Fri Apr 14 2000 - 23:05:55 CDT


If folks would like to discuss this, I'd like to ask some specific
questions. I've never used the FP extensions, so allow me to ask the
dumb questions. I also don't have an IIS server handy to test with.

What normal/valid purpose does the dvwssr.dll have? From what I gather,
since the weenie string is in both the client and server pieces, this
is used in uploading stuff to the web server?

From rfp's code (and a bunch of my questions assume his code works
at least partially as advertised):

$url="GET /_vti_bin/_vti_aut/dvwssr.dll?".encodefilename($file)." HTTP/1.0\n\n";

Only the filename is encoded... it's not like the whole communication is
scrambled in some way. What's the purpose of that? If it's all a
permission issue, why scramble the filename?

I assume one normally needs a username and password (or x.509 cert,
maybe?) to use FP legitimately. I.e. if I'm using a FP-enabled hosting
service, they should have assigned me some authentication stuff, right?

Rfp's advisory makes mention of legitimate users being able to access
other users' files. This would imply that I authenticate as myself
first. I see no such authentication mechanism in his code. Does
this code work against really poorly administered FP servers or
something?

What user context does FP normally run under? I would expect it to run
as me, having more or less "logged in" as me when I authenticated to
it... This is so normal NT permissions would be enforced. Marc
mentions being able to upload arbitrary code... but am I still
only executing as me? I.e. on a properly admin'd server, can I only screw
myself/my site?

Following up on that thought, what user do you get to be when twiddling
with dvwssr.dll?

What user does the CordSDI exploit get me?

Assuming that I only get rights to my own files, is the getting
other people's .asp files and such due to stupid NTFS perms?

Is there something that makes it impractical to use NTFS perms, like
if I'm hosting 10,000 sites, does that mean I'm also trying to
admin 10,000 NT accounts?

If it's just bad perms, then why all the trouble to do the encoding thing?
Wouldn't I just be able to use a stock FP install to grab whatever files I
want?

                                                BB
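Added example, not from the post or from rfp's code: a small Python scanner that reads IIS W3C extended log lines and lists every request for the dvwssr.dll path quoted above, so an administrator can see whether anyone is probing it. The log format and sample lines are constructed for illustration; the query value is a placeholder, not a real encoded filename.

```python
from typing import Dict, Iterable, List

# The request path the post quotes from rfp's code; IIS matches it case-insensitively.
DVWSSR_PATH = "/_vti_bin/_vti_aut/dvwssr.dll"

def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log lines, taking column names from the #Fields: directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # column names follow the directive
            continue
        if not line or line.startswith("#") or not fields:
            continue                        # other directives, blank lines, or no header yet
        values = line.split()
        if len(values) != len(fields):
            continue                        # malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records

def find_dvwssr_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return every request whose URI stem is the dvwssr.dll path, whatever case or status."""
    hits: List[Dict[str, str]] = []
    for rec in parse_w3c(lines):
        if rec.get("cs-uri-stem", "").lower() == DVWSSR_PATH:
            hits.append({
                "time": f"{rec.get('date', '')} {rec.get('time', '')}",
                "c-ip": rec.get("c-ip", ""),
                "sc-status": rec.get("sc-status", ""),
                "cs-uri-query": rec.get("cs-uri-query", ""),  # the filename argument, if logged
            })
    return hits

# Constructed sample log (not a real capture); the query value is a placeholder.
SAMPLE_LOG = """#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-04-14 23:05:55 10.0.0.5 GET /index.htm - 200
2000-04-14 23:06:01 10.0.0.7 GET /_vti_bin/_vti_aut/dvwssr.dll ENCODED_ARG_PLACEHOLDER 200
2000-04-14 23:06:02 10.0.0.7 GET /_VTI_BIN/_VTI_AUT/DVWSSR.DLL - 404
2000-04-14 23:06:05 10.0.0.9 GET /_vti_bin/shtml.dll /default.htm 200
"""

if __name__ == "__main__":
    for hit in find_dvwssr_requests(SAMPLE_LOG.splitlines()):
        print(hit)
```

A 404 on the path tells you the DLL is absent; a 200 with a query string is the case worth following up on.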