IIS 5.0 cross site scripting vulnerability - using .shtml files or /_vti_bin/shtml.dll
This advisory describes two vulnerabilites (one is already fixed by Microsoft) but I decided to put them together.
Systems affected:
IIS 5.0/Windows 2000. Exploited with browser (IE,NC) but the problem
is in the web server.
For the /_vti_bin/shtml.dll vulnerability FrontPage server extensions
must be installed, but FrontPage Service Release 1.2 fixes the bug.
Probably other versions OSes - have not tested. IIS 4.0 is reported
to be vulnerable
Risk: Medium
Date: 21 August 2000
Legal Notice:
This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute
it unmodified. You may not modify it and distribute it or distribute parts
of it without the author's written permission.
Disclaimer:
The opinions expressed in this advisory and program are my own and
not of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski is not liable for any damages caused by direct or indirect
use of the information or functionality provided by this program.
Georgi Guninski, bears NO responsibility for content or misuse of this
program or any derivatives thereof.
Description:
Using specially designed URLs, IIS 5.0 may return user specified content
to the browser.
This poses great security risk, especially if the browser is JavaScript
enabled and the problem is greater in IE.
By clicking on links or just visiting hostile web pages the target
IIS sever may return user defined malicous active content.
This is a bug in IIS 5.0, but it affects end users and is exploited
with a browser.
Issues:
1) .shtml files - specially designed urls involving .shtml files may
return hostile content
2) /_vti_bin/shtml.dll - specially designed urls may return hostile
content (this issue is already fixed by Microsoft)
Details:
Both issues takes advantage of an unescaped error message return by IIS or FrontPage Extensions.
1)
The following URL:
---------------------------
http://iis5server/<SCRIPT>alert('document.domain='+document.domain)</SCRIPT>.shtml
---------------------------
executes in the browser javascript provided by "iis5server" but defined
by a (malicous) user.
The URL may be used in a link or a script.
2) The following URL:
---------------------------
http://iis5server/_vti_bin/shtml.dll/<SCRIPT>alert('document.domain='+document.domain)</SCRIPT>
---------------------------
executes in the browser javascript provided by "iis5server" but defined
by a (malicous) user.
The URL may be used in a link or a script.
The cross site scripting issue is known since long time, it had great
publicity in February 2000.
For information of the general problem, see the following documents:
CERT® Advisory CA-2000-02 Malicious HTML Tags Embedded in Client
Web Requests:
http://www.cert.org/advisories/CA-2000-02.html
Cross-site Scripting Overview (by Microsoft):
http://microsoft.com/technet/security/CSOverv.asp
Some malicous things that be done with this vulnerability in web sites
running IIS, assuming JavaScript is enabled in the browser:
1) Reading the documents on web servers inside a firewall (in the intranet).
2) Stealing cookies - great danger.
3) For IE: if the user has put a web site in the "Trusted sites" zones,
other browser attacks may be launched.
4) Others.
At the time of writing this www.microsoft.com is vulnerable to issue
1.
Demonstration is available at: (note: I believe Microsoft shall fix
this very soon and the demo shall stop working):
http://www.guninski.com/iisshtml.html
Solution: Issue 2 is fixed by Microsoft with Frontpage Server Extensions Service Release 1.2 available for download from http://msdn.microsoft.com