************************************************************************** Security Bulletin 9814 DISA Defense Communications System July 9, 1998 Published by: DISN Security Coordination Center (SCC@NIC.MIL) 1-(800) 365-3642 DEFENSE INFORMATION SYSTEM NETWORK SECURITY BULLETIN The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DISN facilities. Back issues may be obtained via FTP from NIC.MIL [207.132.116.5] using login= "anonymous" and password="guest". The bulletin pathname is scc/sec-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/sec-9705.txt). These are also available at our WWW site, http://nic.mil. ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Computer ! ! Emergency Response Team (CERT) and is being relayed unedited ! ! via the Defense Information Systems Agency's Security ! ! Coordination Center distribution system as a means of ! ! providing DISN subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ============================================================================= -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= CERT* Vendor-Initiated Bulletin VB-98.06 July 8, 1998 Topic: File Access issue with Internet Information Server Source: Microsoft Corporation To aid in the wide distribution of essential security information, the CERT Coordination Center is forwarding the following information from Microsoft. Microsoft urges you to act on this information as soon as possible. 
Microsoft contact information is included in the forwarded text below; please contact them if you have any questions or need further information.

=======================FORWARDED TEXT STARTS HERE============================

Microsoft Security Bulletin (MS98-003)
File Access issue with Internet Information Server
Last Revision: July 8, 1998

Summary
=======
Recently Paul Ashton reported an issue on the NTBugtraq mailing list (http://www.ntbugtraq.com) that affects Microsoft Internet Information Server (IIS). Web clients that connect to IIS can read the contents of any NTFS file in an IIS v-root directory to which they have been granted "read access". They can read these files even if the file is covered by an "application mapping", such as the one used for Active Server Pages scripts. The purpose of this bulletin is to inform Microsoft customers of this issue, its applicability to Microsoft products, and the availability of countermeasures Microsoft has developed to further secure its customers.

Issue
=====
The native Microsoft(r) Windows NT(r) file system, NTFS, supports multiple data streams within a file. The main data stream, which stores the primary content, is the unnamed $DATA attribute. Accessing this NTFS stream via IIS from a browser may display the contents of a file that is normally acted upon by an Application Mapping. For example, .ASP files are mapped such that they are executed by the Active Server Pages scripting agent on the server, rather than having their contents returned to the client as is done with standard .htm files. Normally the raw contents of these script-mapped files are never returned to the user. However, by requesting the file by its complete data stream name (for example, script.asp::$DATA rather than script.asp), a web browser could obtain the contents of the script file. In some cases the file might contain sensitive information such as embedded passwords or other sensitive "business logic".
This issue does not give a user who is able to read the script file the ability to alter the script on the server or to force the server to run arbitrary code. The only exposure is the plain-text contents of the script file.

The issue is a result of how IIS parses filenames: the stream suffix is not recognized, so the request is not treated as a script request. The fix has IIS recognize NTFS alternate data stream names by asking Windows NT to canonicalize the filename before the application mapping is applied.

For the problem to occur:
- The user must know the name of the file
- The ACLs on the file must allow the user read access
- The file must reside on an NTFS partition

Affected Software Versions
==========================
- Microsoft Internet Information Server versions 1.0, 2.0, 3.0, 4.0
- Microsoft Peer Web Server versions 2.0, 3.0
- Microsoft Personal Web Server version 4.0 on Windows NT 4.0 Workstation

What Microsoft is Doing
=======================
The Microsoft Product Security Response Team has produced a hotfix for Microsoft Internet Information Server versions 3.0 and 4.0. Additionally, some administrative workarounds are included below.

What customers should do
========================
Microsoft strongly recommends that customers using IIS versions 3.0 and 4.0 apply the hotfix. Customers running previous versions of IIS should upgrade to a more recent version (3.0 or 4.0).
The following hotfixes are available from the Microsoft FTP download server under ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/

IIS 3.0 (Intel x86) hotfix   /iis3-datafix/iis3fixi.exe
IIS 3.0 (Alpha) hotfix       /iis3-datafix/iis3fixa.exe
IIS 4.0 (Intel x86) hotfix   /iis4-datafix/iis4fixi.exe
IIS 4.0 (Alpha) hotfix       /iis4-datafix/iis4fixa.exe

As localized versions of this hotfix are produced, they will appear in the respective language directories under ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/(lang)/security

Administrative workaround
=========================
Customers who cannot apply the hotfix can use the following workaround to temporarily address this issue:

Normally, web users do not need "read" access to script files such as .ASP files; they only need "execute" permission, because the script engine, not the client, reads the file. Removing "read" access to these files for non-administrative users removes this exposure. For additional protection, the Application Maps can be modified in IIS 4.0 to take into account the existence of the alternate data streams. More details on this workaround are available in the Microsoft Knowledge Base article Q188806 (see the "More Information" section below for the URL).

In addition, the following practices can help to further improve security for your IIS servers:

- Periodically review the users and groups who have access to the web server: Review the users and groups and their permissions to ensure that only valid users have the appropriate permissions.
- Use auditing to detect suspicious activity: Apply auditing controls on sensitive files and review these logs periodically to detect suspicious or unauthorized behavior.
- Set "read" and "execute" permissions appropriately: ASP and other script files do not need to be readable by users who access them through IIS; they need only be executable. Thus, it is advisable to remove "read" access from these files for normal users.
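The following Python sketch is an added illustration, not Microsoft's code and not the hotfix itself. It models the two parsing behaviours the Issue section describes: an extension-based application-mapping lookup performed on the raw request name, which a request such as default.asp::$DATA slips past and so is served as a plain file, and the same lookup after the path has been reduced to the file it actually names. It then applies the "use auditing" advice above by scanning a few constructed IIS-style log lines for requests that spell out a stream name. The mapping entries other than .asp, the log line format and all request paths are assumptions made for the example.

```python
"""MS98-003 in miniature: an NTFS alternate data stream suffix defeats an
extension-based application mapping, and canonicalizing the request path
before the lookup closes the gap.  Added example, not Microsoft's code;
the mapping table and the log lines are constructed for illustration."""

import os
from urllib.parse import unquote

# Extension -> ISAPI DLL, in the spirit of IIS "Application Mappings".
# Only .asp comes from the bulletin; the other two entries are assumed.
APP_MAPPINGS = {".asp": "asp.dll", ".asa": "asp.dll", ".idc": "httpodbc.dll"}


def split_stream(path: str) -> tuple[str, str]:
    """Split a URL path into (canonical_path, stream_suffix).

    NTFS stream syntax lives after the last path separator and begins at
    the first ':' of the leaf name:  name[:stream][:$TYPE]
        '/a/b.asp::$DATA' -> ('/a/b.asp', '::$DATA')
        '/a/b.asp'        -> ('/a/b.asp', '')
    The path is percent-decoded first so '%3A%3A%24DATA' is seen as '::$DATA'.
    """
    path = unquote(path)
    head, sep, leaf = path.rpartition("/")
    base, colon, rest = leaf.partition(":")
    return head + sep + base, colon + rest


def requests_alternate_stream(path: str) -> bool:
    """True if the request names any stream, default or otherwise."""
    return split_stream(path)[1] != ""


def dispatch_naive(path: str) -> str:
    """Vulnerable lookup: takes the extension of the raw request string.

    For '/default.asp::$DATA' the extension is '.asp::$data', which
    matches no mapping, so the file falls through to static handling and
    its source (embedded passwords included) is returned to the client.
    """
    ext = os.path.splitext(unquote(path))[1].lower()
    dll = APP_MAPPINGS.get(ext)
    return f"execute:{dll}" if dll else "serve-static"


def dispatch_canonical(path: str) -> str:
    """Fixed lookup: map on the file the request actually names.

    Mirrors the bulletin's description of the hotfix (the filename is
    canonicalized before the mapping is applied): a request that spells
    out a stream of a script-mapped file now runs the script instead of
    disclosing it.
    """
    canonical, _stream = split_stream(path)
    ext = os.path.splitext(canonical)[1].lower()
    dll = APP_MAPPINGS.get(ext)
    return f"execute:{dll}" if dll else "serve-static"


# Constructed log lines (date time client method uri status); not real traffic.
SAMPLE_LOG = """\
1998-07-08 10:15:22 10.0.0.5 GET /default.asp 200
1998-07-08 10:15:31 10.0.0.5 GET /default.asp::$DATA 200
1998-07-08 10:16:02 10.0.0.9 GET /scripts/login.asp%3A%3A%24DATA 200
1998-07-08 10:16:40 10.0.0.5 GET /index.htm 200
"""


def find_stream_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (client, decoded_uri) for each logged request naming a stream.

    Decoding before matching matters: a percent-encoded '::$DATA' is the
    same request to the server but would evade a literal string search.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or malformed lines
        client, uri = fields[2], unquote(fields[4])
        if requests_alternate_stream(uri):
            hits.append((client, uri))
    return hits


if __name__ == "__main__":
    for p in ("/default.asp", "/default.asp::$DATA", "/default.asp%3A%3A%24DATA"):
        print(f"{p:28} naive={dispatch_naive(p):16} fixed={dispatch_canonical(p)}")
    for client, uri in find_stream_requests(SAMPLE_LOG):
        print(f"stream request from {client}: {uri}")
```

The contrast is the whole bug: both dispatchers consult the same mapping table, and only the canonical one asks what file the request resolves to before choosing a handler. The log scan is the cheap detective control that the auditing bullet calls for; a hit on a script-mapped path from before the hotfix was applied should be treated as a probable disclosure of that script's source.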
More Information ================ Please see the following references for more information related to this issue. - Microsoft Security Bulletin 98-003, File Access issue with Internet Information Server (the web-posted version of this bulletin), http://www.microsoft.com/security/bulletins/ms98-003.htm - Microsoft Knowledge Base article Q188806, NTFS Alternate Data Stream Name of a File May Return Source, http://support.microsoft.com/support/kb/articles/q188/8/06.asp - Microsoft Knowledge Base article Q105763, HOWTO: Use NTFS Alternate Data Streams, http://support.microsoft.com/support/kb/articles/q105/7/63.asp Revisions ========= July 2, 1998: Bulletin Created July 6, 1998: Updated information on the availability of hotfix for IIS 4.0 and Alpha version as well. Added additional information on workaround, and more thorough issue description. July 8, 1998: Updated to include information about localized versions of the hotfix. Updated information about products affected. For additional information on security with Microsoft products, please visit http://www.microsoft.com/security =============================================================================== THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. (c) 1998 Microsoft and/or its suppliers. All rights reserved. 
For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp. ========================FORWARDED TEXT ENDS HERE============================= If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (FIRST). See http://www.first.org/team-info/. We strongly urge you to encrypt any sensitive information you send by email. The CERT Coordination Center can support a shared DES key and PGP. Contact the CERT staff for more information. Location of CERT PGP key ftp://ftp.cert.org/pub/CERT_PGP.key CERT Contact Information - ------------------------ Email cert@cert.org Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. Fax +1 412-268-6989 Postal address CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA CERT publications, information about FIRST representatives, and other security-related information are available from http://www.cert.org/ ftp://ftp.cert.org/pub/ CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce To be added to our mailing list for CERT advisories and bulletins, send your email address to cert-advisory-request@cert.org In the subject line, type SUBSCRIBE your-email-address * Registered U.S. Patent and Trademark Office. The CERT Coordination Center is part of the Software Engineering Institute (SEI). The SEI is sponsored by the U. S. Department of Defense. 
This file: ftp://ftp.cert.org/pub/cert_bulletins/VB-98.06.MS_IIS_multiple_data_streams

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNaOvoXVP+x0t4w7BAQFxiQQAmGFSB10SoqYf53dQ5927qpLVxw0GYCjF
a3/23OnMoakrr31asAaO9a/Lm1J+qP95hXWiT+rP2aykpBYoSnaX6SXaYiBG6h1l
3WP2NLksz36eJiitD/mkURLUV9oWhlRL6h9hHavRCW8/+mvykwOWtmy1DOHNsb4n
2v+7eZFd/Io=
=jvb4
-----END PGP SIGNATURE-----

****************************************************************************
*
* The point of contact for NIPRNET security-related incidents is the
* ASSIST:
*
*   E-mail address: ASSIST@ASSIST.MIL
*   Telephone:      1-(800)-357-4231 (24 hours/day)
*
* You may also contact the Security Coordination Center (SCC) at the
* NIC:
*
*   E-mail address: SCC@NIC.MIL
*   Telephone:      1-(800)-365-3642
*
* NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,
* Monday through Friday except on federal holidays.
*
****************************************************************************

PLEASE NOTE: Some users outside of the DOD computing communities may receive DISN Security Bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts.

This document was prepared as a service to the DOD community. Neither the United States Government nor any of its employees makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.