IIS 5.0 cross site scripting vulnerability
Posted on 22.8.2000


Georgi Guninski security advisory #19, 2000

IIS 5.0 cross site scripting vulnerability - using .shtml files or /_vti_bin/shtml.dll

This advisory describes two vulnerabilites (one is already fixed by Microsoft) but I decided to put them together.

Systems affected:
IIS 5.0/Windows 2000. Exploited with browser (IE,NC) but the problem is in the web server.
For the /_vti_bin/shtml.dll vulnerability FrontPage server extensions must be installed, but FrontPage Service Release 1.2 fixes the bug. Probably other versions OSes - not tested.

Risk: Medium
Date: 21 August 2000

Legal Notice:
This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute it unmodified. You may not modify it and distribute it or distribute parts of it without the author's written permission.

Disclaimer:
The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this program. Georgi Guninski, bears NO responsibility for content or misuse of this program or any derivatives thereof.

Description:
Using specially designed URLs, IIS 5.0 may return user specified content to the browser. This poses great security risk, especially if the browser is JavaScript enabled and the problem is greater in IE. By clicking on links or just visiting hostile web pages the target IIS sever may return user defined malicous active content. This is a bug in IIS 5.0, but it affects end users and is exploited with a browser.

Issues:
1) .shtml files - specially designed urls involving .shtml files may return hostile content
2) /_vti_bin/shtml.dll - specially designed urls may return hostile content (this issue is already fixed by Microsoft)

Details:

Both issues takes advantage of an unescaped error message return by IIS or FrontPage Extensions.

1)
The following URL:
---------------------------
http://iis5server/< SCRIPT>alert('document.domain='+document.domain)< /SCRIPT>.shtml
---------------------------
executes in the browser javascript provided by "iis5server" but defined
by a (malicous) user.
The URL may be used in a link or a script.
2) The following URL:
---------------------------
http://iis5server/_vti_bin/shtml.dll/< SCRIPT>alert('document.domain='+document.domain)< /SCRIPT>
---------------------------
executes in the browser javascript provided by "iis5server" but defined by a (malicous) user.
The URL may be used in a link or a script.

The cross site scripting issue is known since long time, it had great publicity in February 2000.
For information of the general problem, see the following documents:

CERT� Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests:
http://www.cert.org/advisories/CA-2000-02.html

Cross-site Scripting Overview (by Microsoft):
http://microsoft.com/technet/security/CSOverv.asp

Some malicous things that be done with this vulnerability in web sites running IIS, assuming JavaScript is enabled in the browser:
1) Reading the documents on web servers inside a firewall (in the intranet).
2) Stealing cookies - great danger.
3) For IE: if the user has put a web site in the "Trusted sites" zones, other browser attacks may be launched.
4) Others.

At the time of writing this www.microsoft.com is vulnerable to issue 1. Demonstration is available at: (note: I believe Microsoft shall fix this very soon and the demo shall stop working):
http://www.nat.bg/~joro/iisshtml.html

Solution: Issue 2 is fixed by Microsoft with Frontpage Server Extensions Service Release 1.2 available for download from http://msdn.microsoft.com

Regards,
Georgi Guninski
http://www.nat.bg/~joro