From xforce@ISS.NET Mon Aug 31 19:50:12 1998 From: X-Force To: BUGTRAQ@netspace.org Date: Mon, 31 Aug 1998 16:48:16 -0400 Subject: ISS Security Advisory: Executable Directories in IIS 4.0 -----BEGIN PGP SIGNED MESSAGE----- ISS Security Advisory August 31, 1998 Executable Directories in IIS 4.0 Synopsis: If a non-administrative user can place executable code into a web site directory which allows file execution, the user may be able to run applications which could compromise the web server. Recommended Action: Administrators should verify access permissions on all virtual HTTP server directories that are marked executable. See below for recommended permissions. All security patches that protect against local attacks should be applied to HTTP servers due to the possibility of the server executing code locally. See http://www.microsoft.com/security for details. Description: The following directories are marked executable by default on an install of IIS 4.0: /W3SVC/1/ROOT/msadc /W3SVC/1/ROOT/News /W3SVC/1/ROOT/Mail /W3SVC/1/ROOT/cgi-bin /W3SVC/1/ROOT/SCRIPTS /W3SVC/1/ROOT/IISADMPWD /W3SVC/1/ROOT/_vti_bin /W3SVC/1/ROOT/_vti_bin/_vti_adm /W3SVC/1/ROOT/_vti_bin/_vti_aut In a default install, the physical drive mappings will be: msadc c:\program files\common\system\msadc News c:\InetPub\News Mail c:\InetPub\Mail cgi-bin c:\InetPub\wwwroot\cgi-bin SCRIPTS c:\InetPub\scripts IISADMPWD C:\WINNT\System32\inetsrv\iisadmpwd _vti_bin Not present by default - installed with FrontPage extensions Access to the physical directories can be obtained through drive sharing, remote command shells (e.g., rcmd, telnet, remote.exe), HTTP PUT commands, or FrontPage. None of these methods are available in a default install, but are often added by administrators. The default NTFS permissions are overly permissive, and allow change control (RWXD) to the Everyone group by default, with the exception of msadc which is full control to Everyone. Due to the sensitive nature of these directories, it is recommended that NTFS access permissions should be: Administrators, LocalSystem: Full Control Everyone: Special Access(X) Administrators should closely examine all pathways to access the filesystem, and be aware of all web directories that allow file execution. In addition, if a user is allowed to administer their own site, they may have permission to set a directory to executable. A system administrator should permit only allowed file types to be copied onto a production web site. In addition, ISS highly recommends the security settings detailed in Chapter 8 of the IIS Resource Kit (Microsoft Press). We would like to thank Michael Howard and Jason Garms of Microsoft for their input. - -------- Copyright (c) 1998 by Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as well as on MIT's PGP key server and PGP.com's key server. X-Force Vulnerability and Threat Database: http://www.iss.net/xforce Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBNeryDDRfJiV99eG9AQGYRwP7BCn4cv/LRCNEY+mjGtTqBLrzX/HSzyy/ HvmnlwadiYbdp3bHY7TyM0XaqaRY3uIr9RIixaqSPsYLwBZ9pjRhIP+EecpF9oPc mlzJC0DL5f+L/uiL08+DtcRfZQImyNRNkQvTNSzxO4DflwxndEmHizgA6lf49QhX kT+3kigGCAE= =vxrQ -----END PGP SIGNATURE-----