NT/Win95 8.3 webserver exploit

Summary
Description:By default, when a file like "verylongname.html" is created, Windows also creates an 8.3 equivalent ("verylo~1.htm" for example). Unfortunately, when people use Win* webservers to restrict access to long directories and files, the webservers often don't check access on the 8.3 equivalents. So people can grab stuff using the 8.3 names.
Author:Marc Slemko <marcs@ZNEP.COM>
Compromise:Obtain restricted files from NT/Win95 web servers
Vulnerable Systems:IIS 4.0, Netscape Enterprise 3.0x, probably others. Probably ftp servers and so forth too.
Date:8 January 1998
Details


Date: Thu, 8 Jan 1998 21:28:06 -0700
From: Marc Slemko <marcs@ZNEP.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Nifty Security hole on Several NT Based Web Servers

On Thu, 8 Jan 1998, Greg Skafte wrote:

> A collegue of mine discovered a very interesting bug in several Web
> server packages.  if you protect a file that is not 8.3 in its makeup
> you can often access the canonical name without restriction. EG:
>
> if a file named  "somelongfile.htm"  and you protect it then you can
> access somef~1.htm  if somel~1.htm is the canonical name. (don't recall
> the corect NT term). This also applies to directory names as well.
>
> We have notified some of the affected vendors but haven't tested all
> the various NT Web servers.

Microsoft and Netscape have been contacted.

Netscape has apparently ignored me.  Well, either that or they don't like
giving feedback despite the fact that I specifically asked for it and that
once one vendor posts a patch, it is known for all servers.

Microsoft has responded quickly and very well with excellent feedback and
is working on a fix that should be available soon.  Last I knew, the rough
plan was early next week, however that shouldn't be taken as anything
official and may change now that this information has been prematurely
posted.

This information was not supposed to be posted publicly until vendors had
a week or so to make up a fix.  Unfortunately, it's too late for that now.

>
> Know to be affected are IIS 4.0, Netscape Enterprise 3.0x and Website
> Pro don't recall the version.

No.  Website Pro is not impacted, at least in recent versions.  It detects
the attempt and explicitly denies attempts to acccess the short name.

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]