[ from http://www.rootshell.com/ ]

From mnemonix@globalnet.co.uk Sun Jul 12 17:42:29 1998
Date: Mon, 13 Jul 1998 01:31:11 +0100
From: Mnemonix
To: info@rootshell.com
Subject: New Perl.exe, IIS exploit

Russ Cooper of ntbugtraq seems unwilling to publish this information - perhaps it shows how to exploit this too much:

****************************************************************************

All versions of Internet Information Server seem to have a feature that can cause security problems when it has been configured to run Perl scripts to produce dynamic web pages, although really it is the combination of IIS and the Perl command interpreter (perl.exe) acting together that opens this hole. The security implication is that data can be read from execute-only virtual directories, sometimes leading to the discovery of user IDs and passwords.

Script extensions (in this case .cgi or .pl) are mapped to the interpreter in the registry under the following key:

HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ScriptMap

When the web service receives a request from a browser it checks the extension of the file requested and deals with it accordingly. If a .pl or .cgi file is requested, IIS checks the registry to see which interpreter should handle that kind of file and then passes the requested path to that interpreter, perl.exe. This is the "fault" of IIS: it does not check whether the file actually exists; it blindly passes the path to the interpreter and leaves that responsibility to it.

The second part of this problem is caused by the interpreter, perl.exe. Perl.exe will open and try to execute any file that actually exists as long as the requested name ends in .pl (if that is the registered extension). Consequently, if a space (%20) and .pl are appended to the end of a URL, Internet Information Server will pass the request to perl.exe, which will then open the file and try to execute it:

http://www.site.com/scripts/file.ext%20.pl

To demonstrate how this could be a problem: some CGI scripts, such as wwwboard.cgi, require a .txt file that contains a user ID and password. Create a text file with two lines. On the first line type "Webadmin" and on the second line type "Password", like so:

Webadmin
Password

Name the file pass.txt, then request the following URL:

http://www.site.com/scripts/pass.txt%20.pl

You should receive a response similar to:

Can't call method "webadmin" in empty package "password" at C:\InetPub\scripts\pass.txt line 1

You can also glean information from other "sensitive" files such as .asp or .idc:

http://www.site.com/scripts/default.asp%20.pl
or
http://www.site.com/scripts/database.idc

You could even run old Perl scripts that are still in the /scripts directory but have had their extension changed:

http://www.site.com/scripts/script.pl.old%20.pl

This problem is exacerbated by the fact that perl.exe will accept wildcards such as * and ?, so you don't even need to know the name of a file. You can request:

http://www.site.com/scripts/*.txt%20.pl

and perl.exe will open the first text file in the scripts directory that it comes across.

This was tested with Perl version 5.001 build 110. It is not yet known if other versions are affected. Testing would be appreciated.

Affected machines:

NT Server 4.0 Service Pack 1, IIS 2.0
NT Server 4.0 Service Pack 3, IIS 3.0
NT Server 4.0 Service Pack 3, IIS 4.0
NT Workstation 4.0 Service Pack 3, PWS 3.0

It is not yet known if other web servers such as Netscape are affected. Again, testing will show whether this is so and would be appreciated.

The solution to this problem is to use the ISAPI interpreter instead: PerlIS.dll. This gives better performance anyway, as the script runs in the same memory space as IIS and only one instance of it ever needs to be loaded, unlike perl.exe, where a new instance is loaded into its own memory space for each script requested.

Mnemonix
http://www.users.globalnet.co.uk/~mnemonix

****************************************************************************

Thought you might be interested.

Cheers.

Mnemonix
http://www.users.globalnet.co.uk/~mnemonix
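As an added defender-side example that is not part of the original post: a small Python check that flags request paths using the "%20.pl" suffix or the wildcard trick described in the advisory, run over constructed IIS-style log lines (the hosts, timestamps and field layout are made up for this example).

```python
from urllib.parse import unquote

# Extensions mapped to perl.exe via the ScriptMap key named in the advisory.
PERL_EXTENSIONS = (".pl", ".cgi")

def is_suspicious_request(url_path: str) -> bool:
    """Flag a path that abuses the perl.exe script mapping: a real file name
    followed by an encoded space and .pl/.cgi (pass.txt%20.pl), or wildcard
    characters that make perl.exe open the first matching file (*.txt%20.pl)."""
    stem_raw = url_path.split("?", 1)[0]      # drop a real query string first
    decoded = unquote(stem_raw).lower()       # %20 -> ' ', %3F -> '?', etc.
    for ext in PERL_EXTENSIONS:
        if decoded.endswith(ext):
            name = decoded[: -len(ext)]
            # Whitespace before the extension means the file actually opened
            # is not the .pl/.cgi script that IIS's script map thinks it is.
            if name != name.rstrip():
                return True
            if "*" in name or "?" in name:
                return True
    return False

# Constructed log lines (W3C-style: date time c-ip cs-method cs-uri sc-status);
# addresses, times and paths are made up for this example.
SAMPLE_LOG = """\
1998-07-13 01:31:11 10.0.0.5 GET /scripts/wwwboard.pl 200
1998-07-13 01:31:12 10.0.0.5 GET /scripts/pass.txt%20.pl 200
1998-07-13 01:31:13 10.0.0.5 GET /scripts/default.asp%20.pl 200
1998-07-13 01:31:14 10.0.0.5 GET /scripts/script.pl.old%20.pl 200
1998-07-13 01:31:15 10.0.0.5 GET /scripts/*.txt%20.pl 200
1998-07-13 01:31:16 10.0.0.9 GET /scripts/search.cgi?q=perl 200
1998-07-13 01:31:17 10.0.0.9 GET /docs/readme.txt 200
"""

def flag_log_lines(log_text: str) -> list:
    """Return (client_ip, uri) pairs whose URI matches the abuse pattern."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or line.startswith("#"):
            continue                          # skip blank, comment or short lines
        client_ip, uri = fields[2], fields[4]
        if is_suspicious_request(uri):
            hits.append((client_ip, uri))
    return hits

if __name__ == "__main__":
    for client_ip, uri in flag_log_lines(SAMPLE_LOG):
        print(f"suspicious perl.exe request from {client_ip}: {uri}")
```

The check only covers the two patterns the advisory names; moving to PerlIS.dll (or removing the perl.exe script mapping) is the fix, and this is just a way to spot the probing in existing logs.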