Archive of CERT general posting, CERT Advisory CA-98.04 - NT.WebServers

07/02/98, CERT Advisory CA-98.04 - NT.WebServers
From: CERT Advisory <cert-advisory@cert.org>

Generated by MHonArc

CSIM Logo WelcomeCourses
Faculty, Student, Staff
Projects and reports
Conferences, workshop and seminars
Laboratories and reasearch facilities
Information related to CSIM
Information non-related to CSIM
Address, map, phone, etc.
Search

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


To: cert-advisory@coal.cert.org
Subject: CERT Advisory CA-98.04 - NT.WebServers
From: CERT Advisory <cert-advisory@cert.org>
Date: Fri, 6 Feb 1998 13:48:10 -0500
Organization: CERT(sm) Coordination Center - +1 412-268-7090
Reply-To: cert-advisory-request@cert.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT* Advisory CA-98.04
Original issue date: Feb. 06, 1998
Last revised: --

Topic: Microsoft Windows-based Web Servers unauthorized access - long file
       names
- -----------------------------------------------------------------------------

An exploitation involving long file names on Microsoft Windows-based web
servers has recently been described on public mailing lists. When files on the
web server have names longer than 8.3 (8 characters plus a 3-character
extension), users can gain unauthorized access to files protected solely
by the web server.

The CERT/CC team recommends installing patches from your vendor (see Section
III.A and the appendix). Until you are able to do so, we urge you to use the
workaround described in Section III.B.

We will update this advisory as we receive additional information.
Please check our advisory files regularly for updates that relate to your site.

- -----------------------------------------------------------------------------

I.   Description

     All 32-bit Microsoft Windows operating systems (commonly known as Win32)
     can associate two different file names with a stored file, a short name
     and a long name. The short version, known as 8.3-compliant, is restricted
     to a length of 8 characters and an extension of 3 characters. This
     version is required for backward compatibility with DOS. The long version
     of the file name is not restricted to the 8.3-compliant format but is
     restricted to a total length of 255 characters.

     When Win32 stores a file with a short name (i.e., 8.3-compliant), it
     associates only that short file name with the file. However, when Win32
     stores a file with a long name (i.e., greater than 8 characters), it
     associates two versions of the file name with the file--the original, long
     file name and an 8.3-compliant short file name that is derived from
     the long name in a predictable manner.

     Example:

       The 8.3-compliant short file name "Abcdefgh.xyz" is represented
                      (1) as is: "Abcdefgh.xyz".

       However, the long file name "Abcdefghijk.xyz" is represented:
                      (1) as is: "Abcdefghijk.xyz" and
                      (2) as 8.3-compliant: "Abcdef~1.xyz".

       Some Win32-based web servers have not compensated for the two file name
       versions when restricting access to files that have long names. The web
       servers attempt to restrict access by building an internal list of
       restricted file names. However, for files with long names, only the
       long, and not the short, file name is added to this internal list. This
       leaves the file unprotected by the web server because the file is still
       accessible via the short file name.

       For example, "Abcdefgh.xyz" (short) would be protected by the web
       server, but "Abcdefghijk.xyz" (long) would not be completely protected
       by the web server.

II.  Impact

     Users are able to gain unauthorized access to files protected solely by
     the web server.

III. Solution

     CERT/CC urges you to immediately apply vendor patches if they are
     available. Until you are able to do so, we urge you to use the
     workaround described in Section B.

     A.  Obtain and install a patch for this problem.

         Appendix A contains input from vendors who have provided information
         for this advisory. We will update the appendix as we receive more
         information. If you do not see your vendor's name, the CERT/CC
         did not hear from that vendor. Please contact your vendor directly.


     B.  Until you are able to install the appropriate patch, we recommend the
         following workaround.

         (1) Use only 8.3-compliant short file names for the files that
             you want to have protected solely by the web server.

         (2) Use NTFS-based ACLs (directory or file level access control
             lists) to augment or replace web server-based security.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional information.
If you do not see your vendor's name, the CERT/CC did not hear from that
vendor. Please contact the vendor directly.

Apache
======
None of the beta releases of Apache for Win32 are vulnerable to this
particular problem.


Microsoft
=========
Microsoft IIS 4.0 and PWS 4.0 with the appropriate patch are not
vulnerable.

IIS 4.0 and PWS 4.0 maintain certain configuration information about
directories and files in a database called the metabase. The metabase does
not contain file permissions, but rather Web server-specific information
such as requiring SSL encryption, proxy cache setting, and PICS ratings.
Actual file and directory permissions are enforced by NTFS and are not
affected by this problem.

Earlier version of IIS and PWS are not vulnerable to this issue.

Microsoft has made available a market bulletin for this issue that is
available on "Advisories and Solutions" section of the Microsoft Security
Advisor web site, http://www.microsoft.com/security. Please consult this
bulletin for information on obtaining the patch.


National Center for Supercomputing Applications (NCSA)
======================================================
The NCSA HTTPd web server does not run on Windows NT.  Note that HTTPd
is now an unsupported software product of the National Center for
Supercomputing Applications.

- -----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see http://www.first.org/team-info/).


CERT/CC Contact Information
- ----------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
                and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

Using encryption
   We strongly urge you to encrypt sensitive information sent by email. We can
   support a shared DES key or PGP. Contact the CERT/CC for more information.
   Location of CERT PGP key
         ftp://ftp.cert.org/pub/CERT_PGP.key

Getting security information
   CERT publications and other security information are available from
        http://www.cert.org/
        ftp://ftp.cert.org/pub/

   CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

   To be added to our mailing list for advisories and bulletins, send
   email to
        cert-advisory-request@cert.org
   In the subject line, type
        SUBSCRIBE  your-email-address

- ---------------------------------------------------------------------------

Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

*CERT is registered in the U.S. Patent and Trademark Office.

- ---------------------------------------------------------------------------

This file: ftp://ftp.cert.org/pub/cert_advisories/CA-98.04.NT.WebServers
           http://www.cert.org/pub/alerts.html



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNNtOTHVP+x0t4w7BAQFYLwQAokJC0MtLJx6U0XkvzhWFrn/MWRF2sHQF
4vzl14jnZuFXGpJZkqruFwwiOUnvgEcQaBMx50pEUpXtSxzCCkSbN/e7tXcDaBvP
2Wny5x7W7QxSXnv/iWchu47t/7JfYYD8Fbn8h7U/nFUduFCXWW1X/9IAxN3q+IdI
10eiUlPtQN0=
=WXHP
-----END PGP SIGNATURE-----



Previous message sorted by date: CERT Advisory CA-98.03 - ssh-agent
Next message sorted by date: CERT Advisory CA-98.05 - bind_problems
Previous message sorted by thread: CERT Advisory CA-98.03 - ssh-agent
Next message by thread: CERT Advisory CA-98.05 - bind_problems
Main Index
Thread Index

CSIM home pageWMailAccount managementCSIM LibraryNetwork test toolsSearch CSIM directories
Contact us: Olivier Nicole CSIM    SET    AIT Last update: Feb 2000