Merit Joint Technical Staff
CERT Vendor-Initiated Bulletin VB-98.06 - MS_IIS_multiple_data_streams
- From: Jeff Ogden
- Date: Thu Jul 09 09:23:24 1998
FYI. Please pass this information along to others in your organization that
should be aware of this problem.
-Jeff Ogden
Merit
>Date: Wed, 8 Jul 1998 14:19:36 -0400
>From: CERT Bulletin <cert-advisory@cert.org>
>To: cert-advisory@coal.cert.org
>Subject: CERT Vendor-Initiated Bulletin VB-98.06 - MS_IIS_multiple_data_streams
>Reply-To: cert-advisory-request@cert.org
>Organization: CERT(sm) Coordination Center - +1 412-268-7090
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>=============================================================================
>CERT* Vendor-Initiated Bulletin VB-98.06
>July 8, 1998
>
>Topic: File Access issue with Internet Information Server
>Source: Microsoft Corporation
>
>To aid in the wide distribution of essential security information, the CERT
>Coordination Center is forwarding the following information from Microsoft.
>Microsoft urges you to act on this information as soon as possible. Microsoft
>contact information is included in the forwarded text below; please contact
>them if you have any questions or need further information.
>
>
>=======================FORWARDED TEXT STARTS HERE============================
>
>Microsoft Security Bulletin (MS98-003)
>
>File Access issue with Internet Information Server
>
>Last Revision: July 8, 1998
>
>Summary
>=======
>Recently Paul Ashton reported an issue on the NTBugtraq mailing
>list (http://www.ntbugtraq.com) that affects Microsoft Internet
>Information Server (IIS). Web clients that connect to IIS can read
>the contents of any NTFS file in an IIS v-root directory to which
>they have been granted "read access". They can read these files
>even if the file is marked for "applications mappings", such as
>used with Active Server Pages scripts.
>
>The purpose of this bulletin is to inform Microsoft customers of this
>issue, its applicability to Microsoft products, and the availability
>of countermeasures Microsoft has developed to further secure its
>customers.
>
>Issue
>=====
>The native Microsoft(r) Windows NT(r) file system, NTFS, supports
>multiple data streams within a file. The main data stream, which stores
>the primary content, has an attribute called $DATA. Accessing this NTFS
>stream via IIS from a browser may display the contents of a file that
>is normally set to be acted upon by an Application Mapping.
>
>For example, .ASP files are mapped such that they are executed by
>the Active Server Pages scripting agent on the server, rather than
>simply returning the contents of a file, as is done with standard
>.htm files. Normally direct contents of these script-mapped
>files should not be returned to the user. However, by requesting the
>file using its complete data stream name, a web browser could
>obtain the contents of the script file. In some cases, the file
>might contain sensitive information such as embedded passwords or
>other sensitive "business logic" information.
>
>This issue does not give the user, who was able to access the script
>file, the ability to alter the script on the server, or force the server
>to run any arbitrary code. The only exposure here is to the plain text
>contents of the script file.
>
>The issue is a result of how IIS parses filenames. The fix involves
>IIS supporting NTFS alternate data streams by asking Windows NT to
>canonicalize the filename.
>
>For the problem to occur:
> - The user must know the name of the file
> - The ACLs on the file must allow the user read access
> - The file must reside on an NTFS partition
>
>Affected Software Versions
>==========================
> - Microsoft Internet Information Server versions 1.0, 2.0, 3.0, 4.0
> - Microsoft Peer Web Server versions 2.0, 3.0
> - Microsoft Personal Web Server version 4.0 on Windows NT 4.0 Workstation
>
>What Microsoft is Doing
>=======================
>The Microsoft Product Security Response Team has produced a hotfix for
>Microsoft Internet Information Server versions 3.0 and 4.0.
>Additionally, some administrative workarounds are included below.
>
>What customers should do
>========================
>Microsoft strongly recommends that customers using IIS versions 3.0
>and 4.0 should apply the hotfix.
>
>Customers running previous versions of IIS should upgrade to a more
>recent version (3.0 or 4.0).
>
>The following hotfixes are available from the Microsoft FTP download
>server under
>ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/
>
> IIS 3.0 (Intel x86) hotfix /iis3-datafix/iis3fixi.exe
> IIS 3.0 (Alpha) hotfix /iis3-datafix/iis3fixa.exe
>
> IIS 4.0 (Intel x86) hotfix /iis4-datafix/iis4fixi.exe
> IIS 4.0 (Alpha) hotfix /iis4-datafix/iis4fixa.exe
>
>As localized versions of this hotfix are produced, they will appear
>in the respective language directories under
>ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/(lang)/security
>
>Administrative workaround
>=========================
>Customers who cannot apply the hot fix can use the following workaround
>to temporarily address this issue:
>
>Normally, web users do not need "read" access to script files, such
>as .ASP files. They simply need "execute" permissions. Removing "read"
>access to these files for non-administrative users will remove this
>exposure.
>
>For additional protection, the Application Maps can be modified in
>IIS 4.0 to take into account the existence of the alternate data
>streams. More details on this workaround are available in the
>Microsoft Knowledge Base article Q188806 (see the "More Information"
>section below for the URL).
>
>In addition, the following practices can help to further improve
>security for your IIS servers:
>
> - Periodically review the users and groups who have access to the web
> server: Review the users and groups and their permissions to ensure
> that only valid users have the appropriate permissions.
> - Use auditing to detect for suspicious activity: Apply auditing
> controls on sensitive files and review these logs periodically to
> detect suspicious or unauthorized behavior.
> - Set "read" and "execute" permissions appropriately: ASP and other
> script files do not need to be readable by users that access them
> through IIS, rather they need to be executable. Thus, it is
> advisable to remove "read" access from these files for normal users.
>
>More Information
>================
>Please see the following references for more information related to
>this issue.
>
> - Microsoft Security Bulletin 98-003, File Access issue with Internet
> Information Server (the web-posted version of this bulletin),
> http://www.microsoft.com/security/bulletins/ms98-003.htm
> - Microsoft Knowledge Base article Q188806, NTFS Alternate Data Stream
> Name of a File May Return Source,
> http://support.microsoft.com/support/kb/articles/q188/8/06.asp
> - Microsoft Knowledge Base article Q105763, HOWTO: Use NTFS Alternate
> Data Streams,
> http://support.microsoft.com/support/kb/articles/q105/7/63.asp
>
>Revisions
>=========
>July 2, 1998: Bulletin Created
>July 6, 1998: Updated information on the availability of hotfix for IIS
> 4.0 and Alpha version as well. Added additional information
> on workaround, and more thorough issue description.
>July 8, 1998: Updated to include information about localized versions of
> the hotfix. Updated information about products affected.
>
>For additional information on security with Microsoft products, please visit
>http://www.microsoft.com/security
>
>===============================================================================
> THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
> WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
> EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
> FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
> SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
> INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
> IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY
> OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
> LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION
> MAY NOT APPLY.
>
>(c) 1998 Microsoft and/or its suppliers. All rights reserved.
>For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.
>
>
>
>
>========================FORWARDED TEXT ENDS HERE=============================
>
>If you believe that your system has been compromised, contact the CERT
>Coordination Center or your representative in the Forum of Incident Response
>and Security Teams (FIRST). See http://www.first.org/team-info/.
>
>We strongly urge you to encrypt any sensitive information you send by email.
>The CERT Coordination Center can support a shared DES key and PGP. Contact
>the CERT staff for more information.
>
>Location of CERT PGP key
> ftp://ftp.cert.org/pub/CERT_PGP.key
>
>
>CERT Contact Information
>------------------------
>Email cert@cert.org
>
>Phone +1 412-268-7090 (24-hour hotline)
> CERT personnel answer 8:30-5:00 p.m. EST
> (GMT-5)/EDT(GMT-4), and are on call for
> emergencies during other hours.
>
>Fax +1 412-268-6989
>
>Postal address
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> USA
>
>CERT publications, information about FIRST representatives, and other
>security-related information are available from
> http://www.cert.org/
> ftp://ftp.cert.org/pub/
>
>CERT advisories and bulletins are also posted on the USENET newsgroup
> comp.security.announce
>
>To be added to our mailing list for CERT advisories and bulletins, send your
>email address to
> cert-advisory-request@cert.org
>In the subject line, type
> SUBSCRIBE your-email-address
>
>
>
>* Registered U.S. Patent and Trademark Office.
>
>The CERT Coordination Center is part of the Software Engineering
>Institute (SEI). The SEI is sponsored by the U. S. Department of Defense.
>
>
>This file:
>ftp://ftp.cert.org/pub/cert_bulletins/VB-98.06.MS_IIS_multiple_data_streams
>
>
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.2
>
>iQCVAwUBNaOvoXVP+x0t4w7BAQFxiQQAmGFSB10SoqYf53dQ5927qpLVxw0GYCjF
>a3/23OnMoakrr31asAaO9a/Lm1J+qP95hXWiT+rP2aykpBYoSnaX6SXaYiBG6h1l
>3WP2NLksz36eJiitD/mkURLUV9oWhlRL6h9hHavRCW8/+mvykwOWtmy1DOHNsb4n
>2v+7eZFd/Io=
>=jvb4
>-----END PGP SIGNATURE-----
>
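The bulletin above says the issue comes from how IIS parses filenames and that the hotfix has IIS canonicalize the name before dispatching. The following Python is an added illustration of that point, written for this archive page; it is not the bulletin's text and not Microsoft's code. It models a dispatcher that chooses a handler from the raw request name (so a trailing stream specifier on a script-mapped file defeats the application mapping and the bytes are served) beside a hardened dispatcher that URL-decodes, splits off any NTFS stream specifier, and refuses requests that name a stream at all, which is a stricter variant of the canonicalization the bulletin describes. The application-mapping set, the W3C-style log format and the log lines are constructed for the example; the `::$DATA` stream name follows from the `$DATA` attribute the bulletin names as the default data stream.

```python
"""Model of the IIS filename-parsing issue in MS98-003 (added example, not Microsoft code).

An NTFS file name may carry a stream specifier, "name:stream:$TYPE"; the
default data stream of every file is "::$DATA".  A dispatcher that picks a
handler from the *raw* request name sees the extension ".asp::$DATA", finds
no application mapping for it, and falls back to serving the bytes.  The
hardened dispatcher canonicalizes first and refuses any request that names
a stream.
"""
import os
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Extensions handed to an application mapping (script engine) rather than
# served as plain files.  Constructed for this example; a real IIS 4.0
# installation maps more extensions than this.
SCRIPT_MAPPED_EXTENSIONS = {".asp"}


def split_stream(url_path: str) -> Tuple[str, Optional[str]]:
    """Return (canonical_path, stream_spec).

    URL-decodes the path first so an encoded colon ("%3A") cannot slip past
    the check, then treats any ':' in the final path component as the start
    of an NTFS stream specifier (a colon is not legal elsewhere in an NTFS
    file name).
    """
    decoded = unquote(url_path)
    head, sep, last = decoded.rpartition("/")
    if ":" not in last:
        return decoded, None
    base, _, stream = last.partition(":")
    return head + sep + base, ":" + stream


def _handler_for(path: str) -> str:
    """Pick a handler from the file extension of an already-decoded path."""
    ext = os.path.splitext(path)[1].lower()
    return "execute" if ext in SCRIPT_MAPPED_EXTENSIONS else "serve"


def vulnerable_dispatch(url_path: str) -> str:
    """Pre-hotfix behaviour as modelled here: dispatch on the raw name.

    "/login.asp::$DATA" has the extension ".asp::$DATA", which matches no
    application mapping, so the static-file path serves the script source.
    """
    return _handler_for(unquote(url_path))


def hardened_dispatch(url_path: str) -> str:
    """Canonicalize, reject stream specifiers, then dispatch on the real name."""
    canonical, stream = split_stream(url_path)
    if stream is not None:
        return "reject"  # no legitimate web request names an NTFS stream
    return _handler_for(canonical)


def scan_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Flag requests whose URI names an NTFS stream.

    Expects W3C-style fields: date time c-ip cs-method cs-uri-stem
    cs-uri-query sc-status.  Returns (client_ip, canonical_path, stream_spec)
    for every hit, so the reviewer sees which file was actually targeted.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith("#"):
            continue
        client_ip, uri = fields[2], fields[4]
        canonical, stream = split_stream(uri)
        if stream is not None:
            hits.append((client_ip, canonical, stream))
    return hits


# Constructed sample log: two ordinary requests, two requests that name the
# default data stream (one of them URL-encoded), and one static image.
SAMPLE_LOG = """\
1998-07-08 14:01:02 10.0.0.5 GET /default.htm - 200
1998-07-08 14:01:09 10.0.0.5 GET /scripts/login.asp - 200
1998-07-08 14:02:31 10.0.0.7 GET /scripts/login.asp::$DATA - 200
1998-07-08 14:02:45 10.0.0.7 GET /scripts/login%2Easp%3A%3A%24DATA - 200
1998-07-08 14:03:10 10.0.0.9 GET /images/logo.gif - 200
"""

if __name__ == "__main__":
    for uri in ("/scripts/login.asp", "/scripts/login.asp::$DATA"):
        print(f"{uri:32} vulnerable={vulnerable_dispatch(uri):8} "
              f"hardened={hardened_dispatch(uri)}")
    for ip, path, stream in scan_log(SAMPLE_LOG):
        print(f"stream request from {ip}: {path} (stream {stream})")
```

The two dispatchers agree on every ordinary request and differ only when a stream specifier is present, which is exactly the gap the bulletin describes; the log scan applies the same `split_stream` check to recorded requests, so the encoded and unencoded forms of the same request both surface as hits against the same canonical file. Rejecting outright rather than canonicalizing and continuing is a deliberate choice for a web front end: a request that names a stream has no legitimate purpose there and is worth logging as such.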