infohacking.com
- IIS 6.0 Web Admin Multiple vulnerabilities -
In Microsoft own words:
http://www.microsoft.com/windowsserver2003/iis/evaluation/features/default.mspx
"Web-based administration : The HTML-based IIS Remote Administration Tool enables system
administrators to administer IIS 6.0 remotely across the Internet or intranet, through a Web
browser."
The Web-based administration tool of Internet Information Server 6.0 that comes with Microsoft
Windows 2003 is prone to several HTTP based attacks.
By default, this tool, is installed by the Windows 2003 Web Edition. To access this web interface
the administrator must use SSL and connect to port 9098 of the webserver.
Session tracking
After looking around a litle, we can notice that at least there are three parameters that may be
used to track sessions:
1) a session ID called "__SAPageKey"
2) cookies
3) "Basic Auth"
We don't know exactly how those sessions are tracked, but some strange situations have been detected.
The first scenario where we begin to think that not to mutch effort have been done to enhance
security is the reboot procedure via HTTP web based administration. It is supposed that a reboot
of the system should "reset" any session, that is, after rebooting, why leaving an http session
opened? So after a reboot, the admin still could work on the web admin without being prompted
for athentication.
The second flaw detected on the IIS 6.0 is some anarchy in the use of the ID "__SAPageKey". Some
pages use it and some others doesn't use it. For example,
/admin/default.asp
/admin/tasks.asp
/admin/users/users.asp
can be called without parsing the "__SAPageKey" identifier. This behaviour is dangerous, because
allows an attacker to directly make requests to this URL wihout the needing of any session identifier.
Moreover, the HTML code of the page returned back to the browser contains the identifier, so the
attacker, can use this ID to build more complex requests to pages that require this parameter
(__SAPageKey).
This is a piece of code of the HTML generated by "tasks.asp":
(…)
<script language="javascript">
var SAI_FLD_PAGEKEY = "__SAPageKey";
var g_strSAIPageKey = "D9AA512EEA5BF23B4618CF38637D47EA";
</script>
(…)
In the code of HTML page generated by users.asp, we can notice that the usernames of the system are
showed:
(…)
<INPUT id=radio0 onClick="return OTS_OnItemClicked('Administrador','0');" type=checkbox
value="Administrador" name='TVItem_Table1'>
(…)
<INPUT id=radio1 onClick="return OTS_OnItemClicked('ASPNET','1');" type=checkbox value="ASPNET"
name='TVItem_Table1'>
(…)
<INPUT id=radio2 onClick="return OTS_OnItemClicked('hugo','2');" type=checkbox value="hugo"
name='TVItem_Table1'>
(…)
etc…
screenshot
Another behaviour that helps the attacker is the possibility of keep on a session once the __SAPageKey
identifier has been modified. For example:
If you are at the welcome page:
https://XXX.XXX.XXX.XXX:8099/admin/tasks.asp?tab1=TabsWelcome&__SAPageKey=144906DD67BDC3AF7793D873A02A2F46
screenshot
And you modify the __SAPageKey parameter...
https://XXX.XXX.XXX.XXX:8098/admin/tasks.asp?tab1=TabsWelcome&__SAPageKey=144906DD67BDC3AF7793D873A02A2F00
You will be redirected to:
https://XXX.XXX.XXX.XXX:8098/admin/inc_pagekey.asp
screenshot
This is due to a session timeout or a "client side" attack, for example malicious scripts trying to open
a URL without the correct __SAPageKey parameter… The problem is that the user is not prompted to
authenticate again, instead he can obtain a new session ID only going to the main page. An attacker can
exploit this to make a request directly to /admin/default.asp, /admin/users/users.asp, /admin/tasks.as,
etc and obtain a new session ID and continue the attack.
Cross Site Scripting
An XSS has been detected in the Web Admin interface… yeah, it's true… and the party goes on!
Happy bithday M$! 18 years old, M$ is now a sexy company J
Wouldn't be easy to pay someone for looking around vulnerabilities in major products of M$?
Wouldn't be easy…?
Wouldn't be easy…?
Wouldn't be easy…?
OK. To reproduce the XSS make a request like this:
https://XXX.XXX.XXX.XXX:8098/admin/sh_taskframes.asp?Title=Configuraci%C3%B3n%20de%20registro
%20Web&URL=MasterSettings/Web_LogSettings.asp?tab1=TabsWebServer%26tab2=TabsWebLogSettings%26
__SAPageKey=5742D5874845934A134CD05F39C63240&ReturnURL="><script>alert(document.cookie)
</script>?tab1=TabsWebServer%26__SAPageKey=5742D5874845934A134CD05F39C63240%26
R=0.6756681557204625&R=0.9895845379540951&__SAPageKey=5742D5874845934A134CD05F39C63240
screenshot
Here we are injecting the next code in the "ReturnURL" parameter:
"><script>alert(document.cookie)</script>
More detailed explanation on this XSS will be available soon here -> XSS technical details
System Administrator password can be modified
Via the Web Admin interface an admin it is possible to do a lot of maintenance tasks. One of those
tasks is the change of the admin passswords of the Windows 2003. You can change the password via
the next ASP:
"network/adminpw_prop.asp"
But you will be asked for the old value of the password:
screenshot
But you can also use other ASP:
"users/user_setpassword.asp"
And you will not be asked for the old password value...
screenshot
As you can see, this is a serious flaw that allows an attacker to change the admin password from
an XSS vulnerability… as the one found by Infohacking…
More actions can be done, the limitation to bypass the Basic Auth is on the client side...