From: Michael Katz (mikeprocinct.com)
Date: Sun Jun 16 2002 - 20:03:02 CDT


    At 6/16/2002 11:19 AM, Armish wrote:

    >When I was testing one of my PCs about security, the program found a vuln. about
    >/_vti_bin/_vti_aut/dvwssr.ddl . What is this file? How can it become a
    >risk? How can I close this hole? (Too many questions, ha? :) ....)
    >Thanks for all answers...

    Armish,

    According to rain forest puppy's advisory at
    http://www.wiretrip.net/rfp/p/doc.asp/i2/d45.htm, "The NT 4 Option Pack
    ships with a particular ISAPI .dll in
    /_vti_bin/_vti_aut/ named dvwssr.dll, which is mixed in with the Microsoft
    FrontPage extensions (the version I have is 3.0.2.1105). This particular
    .dll allows you to read .asp (and .asa) files under the web root, providing
    you know the 'password' (obfuscated encoding scheme) of which to ask
    it. And, as implied by the title, the constant key used in the encoding is
    "Netscape engineers are weenies!"."

    Although there was some dispute about the encoding key, Microsoft issued
    Security Bulletin MS00-025, which is at
    http://www.microsoft.com/technet/security/bulletin/MS00-025.asp, which
    states, "Dvwssr.dll is a server-side component used to support the Link
    View feature in Visual Interdev 1.0. However, it contains an unchecked
    buffer. If overrun with random data, it could be used to cause an affected
    server to crash, or could allow arbitrary code to run on the server in a
    System context."

    You can close the hole by deleting the file, as is recommended by
    Microsoft. The only functionality lost is the "ability to generate link
    views of .asp pages using Visual Interdev 1.0."

    Michael Katz
    mikeprocinct.com
    Procinct Security
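
A follow-up check for the fix described in the reply above, as an added example that is not part of the original message: it scans a web server log for requests to the dvwssr.dll path and flags any that did not return 404, which is what a deleted file should produce. The log lines are constructed, and the column layout assumes W3C extended logging with a `#Fields` header; the function and key names are illustrative.

```python
from urllib.parse import unquote

TARGET = "/_vti_bin/_vti_aut/dvwssr.dll"  # path named in the advisory quoted above

# Constructed sample in W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-06-16 10:01:12 192.0.2.10 GET /default.asp - 200
2002-06-16 10:02:40 192.0.2.77 GET /_vti_bin/_vti_aut/dvwssr.dll - 200
2002-06-16 10:02:41 192.0.2.77 GET /_VTI_BIN/_vti_aut/DVWSSR.DLL - 200
2002-06-17 09:15:03 198.51.100.5 GET /_vti_bin/_vti_aut/dvwssr%2Edll - 404
2002-06-17 09:20:00 198.51.100.5 GET /_vti_bin/shtml.dll - 200
"""

def normalise(stem):
    """Percent-decode, unify slashes and lowercase (IIS paths are case-insensitive)."""
    path = unquote(stem).replace("\\", "/").lower()
    while "//" in path:
        path = path.replace("//", "/")
    return path

def find_dvwssr_requests(log_text):
    """Return one dict per request for dvwssr.dll, using #Fields for column order."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the directive can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if normalise(row.get("cs-uri-stem", "")) != TARGET:
            continue
        status = row.get("sc-status", "")
        hits.append({
            "when": f"{row.get('date', '')} {row.get('time', '')}".strip(),
            "client": row.get("c-ip", ""),
            "status": status,
            # Heuristic: anything other than 404 suggests the DLL may still be on disk.
            "needs_followup": status != "404",
        })
    return hits

if __name__ == "__main__":
    for hit in find_dvwssr_requests(SAMPLE_LOG):
        print(hit)
```

Entries with `needs_followup` set are the ones to compare against the date the file was deleted.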