have you heard about it?

- IIS 6.0 Web Admin Multiple vulnerabilities -



In Microsoft own words:

"Web-based administration : The HTML-based IIS Remote Administration Tool enables system
administrators to administer IIS 6.0 remotely across the Internet or intranet, through a Web 

The Web-based administration tool of Internet Information Server 6.0 that comes with Microsoft
Windows 2003 is prone to several HTTP based attacks.
By default, this tool is installed by Windows 2003 Web Edition. To access this web interface
the administrator must use SSL and connect to port 9098 of the webserver.

Session tracking

After looking around a little, we can notice that there are at least three parameters that may be
used to track sessions:

1) a session ID called "__SAPageKey"
2) cookies
3) "Basic Auth"

We don't know exactly how those sessions are tracked, but some strange situations have been detected.
The first scenario where we begin to think that not too much effort has been put into
security is the reboot procedure via the HTTP web based administration. It is supposed that a reboot
of the system should "reset" any session; that is, after rebooting, why leave an HTTP session
open? Yet after a reboot, the admin can still work on the web admin without being prompted
for authentication.

The second flaw detected on the IIS 6.0 is some anarchy in the use of the ID "__SAPageKey". Some
pages use it and some others don't. For example,


can be called without passing the "__SAPageKey" identifier. This behaviour is dangerous, because it
allows an attacker to make requests to this URL directly without needing any session identifier.
Moreover, the HTML code of the page returned to the browser contains the identifier, so the
attacker can use this ID to build more complex requests to pages that require this parameter.
This is a piece of the HTML code generated by "tasks.asp":


<script language="javascript">
var SAI_FLD_PAGEKEY = "__SAPageKey";
var g_strSAIPageKey = "D9AA512EEA5BF23B4618CF38637D47EA";
In the HTML code of the page generated by users.asp, we can notice that the usernames of the system are shown: (…)
<INPUT id=radio0 onClick="return OTS_OnItemClicked('Administrador','0');" type=checkbox value="Administrador" name='TVItem_Table1'>
<INPUT id=radio1 onClick="return OTS_OnItemClicked('ASPNET','1');" type=checkbox value="ASPNET" name='TVItem_Table1'>
<INPUT id=radio2 onClick="return OTS_OnItemClicked('hugo','2');" type=checkbox value="hugo" name='TVItem_Table1'>

Another behaviour that helps the attacker is the possibility of keeping a session alive once the __SAPageKey identifier has been modified. For example, if you are at the welcome page:

https://XXX.XXX.XXX.XXX:8099/admin/tasks.asp?tab1=TabsWelcome&__SAPageKey=144906DD67BDC3AF7793D873A02A2F46

and you modify the __SAPageKey parameter...

https://XXX.XXX.XXX.XXX:8098/admin/tasks.asp?tab1=TabsWelcome&__SAPageKey=144906DD67BDC3AF7793D873A02A2F00

you will be redirected to:

https://XXX.XXX.XXX.XXX:8098/admin/inc_pagekey.asp

This redirection is intended for a session timeout or a "client side" attack, for example malicious scripts trying to open a URL without the correct __SAPageKey parameter... The problem is that the user is not prompted to authenticate again; instead he can obtain a new session ID just by going to the main page. An attacker can exploit this to make a request directly to /admin/default.asp, /admin/users/users.asp, /admin/, etc., obtain a new session ID and continue the attack.

Cross Site Scripting

An XSS has been detected in the Web Admin interface... yeah, it's true... and the party goes on! Happy birthday M$! 18 years old, M$ is now a sexy company :) Wouldn't it be easy to pay someone to look for vulnerabilities in major products of M$? Wouldn't it be easy...? Wouldn't it be easy...? Wouldn't it be easy...? OK.
To reproduce the XSS make a request like this:

https://XXX.XXX.XXX.XXX:8098/admin/sh_taskframes.asp?Title=Configuraci%C3%B3n%20de%20registro%20Web&URL=MasterSettings/Web_LogSettings.asp?tab1=TabsWebServer%26tab2=TabsWebLogSettings%26__SAPageKey=5742D5874845934A134CD05F39C63240&ReturnURL="><script>alert(document.cookie)</script>?tab1=TabsWebServer%26__SAPageKey=5742D5874845934A134CD05F39C63240%26R=0.6756681557204625&R=0.9895845379540951&__SAPageKey=5742D5874845934A134CD05F39C63240

Here we are injecting the following code in the "ReturnURL" parameter:

"><script>alert(document.cookie)</script>

More detailed explanation on this XSS will be available soon here -> XSS technical details

System Administrator password can be modified

Via the Web Admin interface an admin can perform a lot of maintenance tasks. One of those tasks is changing the admin passwords of the Windows 2003 system. You can change the password via the following ASP:

"network/adminpw_prop.asp"

But you will be asked for the old value of the password. However, you can also use another ASP:

"users/user_setpassword.asp"

And you will not be asked for the old password value...

As you can see, this is a serious flaw that allows an attacker to change the admin password from an XSS vulnerability... as the one found by Infohacking... More actions can be done; the limitation to bypass the Basic Auth is on the client side...
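As an added defender-side example (not part of the original advisory), the following script flags in IIS W3C log lines the three request patterns described above: admin pages requested without the __SAPageKey identifier, a script tag injected into a query parameter such as ReturnURL, and hits on the two password-change pages. The log lines, client IPs and the field layout are constructed for this example.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt (not from the advisory); the field layout is
# assumed to be: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-07-01 10:00:01 10.0.0.5 GET /admin/tasks.asp tab1=TabsWelcome&__SAPageKey=144906DD67BDC3AF7793D873A02A2F46 200
2003-07-01 10:00:05 10.0.0.5 GET /admin/users/users.asp - 200
2003-07-01 10:00:09 10.0.0.5 GET /admin/sh_taskframes.asp Title=x&URL=y&ReturnURL=%22%3E%3Cscript%3Ealert(1)%3C/script%3E 200
2003-07-01 10:00:12 10.0.0.5 POST /admin/users/user_setpassword.asp __SAPageKey=144906DD67BDC3AF7793D873A02A2F46 302
2003-07-01 10:00:20 10.0.0.7 GET /admin/default.asp __SAPageKey=5742D5874845934A134CD05F39C63240 200
"""

PAGEKEY = "__SAPageKey"
# Matches script tags or javascript: URLs in an already percent-decoded value
SCRIPT_RE = re.compile(r"<\s*/?\s*script|javascript:", re.IGNORECASE)
# The two password-change pages named in the advisory
PASSWORD_PAGES = {"/admin/users/user_setpassword.asp", "/admin/network/adminpw_prop.asp"}


def analyze_line(line):
    """Return finding tags for one W3C log line (empty list means nothing notable)."""
    fields = line.split(" ")
    if len(fields) != 7:
        return []
    _date, _time, _ip, _method, stem, query, _status = fields
    stem = stem.lower()
    params = parse_qs("" if query == "-" else query, keep_blank_values=True)
    findings = []
    # Any admin page served without the page key (the __SAPageKey inconsistency)
    if stem.startswith("/admin/") and PAGEKEY not in params:
        findings.append("no-pagekey")
    # Script injected into a parameter such as ReturnURL (the XSS vector)
    if any(SCRIPT_RE.search(v) for values in params.values() for v in values):
        findings.append("script-in-param")
    # Password changes deserve review regardless of how the session was obtained
    if stem in PASSWORD_PAGES:
        findings.append("password-change")
    return findings


def scan(log_text):
    """Map 1-based line number -> findings for every data line that has any."""
    report = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#") or not line.strip():
            continue
        findings = analyze_line(line)
        if findings:
            report[n] = findings
    return report
```

Running scan(SAMPLE_LOG) returns {3: ['no-pagekey'], 4: ['no-pagekey', 'script-in-param'], 5: ['password-change']}; the request for default.asp with a valid page key produces no finding.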
Hugo Vazquez Carames