Securityvulns SECURITYVULNS:DOC:66
Apr 14, 2000 - 12:00 a.m.

DVWSSR.dll Vulnerability in Microsoft IIS 4.0 Web Servers

The following is based on information gleaned from a variety of sources.
According to the Wall Street Journal, the discoverer is an unnamed employee
of ClientLogic.

FYI, my comments to Ted Bridis of WSJ yesterday about the issue were made
with very little info (only the info he was supplied), so for example my
comment that this affects "almost every web hosting provider" was based on
the info that this was an issue on machines with FP installed.

Further information I received after that interview, coupled with
information from RFP (who participated in the discovery, I understand), led
to the information below.

The point is, this is a hole that could allow information to be manipulated
by "others". However, it's limited to "others" who already have web authoring
permissions on the same box. One might sign up with a web hosting provider
who shares boxes and hosts a site you want to attack. You'd have to hope you
got placed on the same server, and that they weren't upgraded to W2K, and
then try and exploit this vulnerability. Beyond that, it's another thing to
add to a checklist of things to do only if you are using the NT 4.0 Option
Kit.

Issue

A Dynamic Link Library, or .dll, supplied by default to anyone installing
the NT 4.0 Option Kit (NTOK), can be compromised by a user with "Web
Authoring" privilege on the NT 4.0 box. The compromise would permit such a
user to obtain authoring privileges over Active Server Pages (.asp) present
on the box that may belong to owners of other web sites hosted on the same
box.

Example

A web server running Microsoft Windows NT 4.0 (only), with Microsoft
Internet Information Server (IIS) 4.0 and any component from the
Microsoft NT 4.0 Option Kit installed, is hosting two (or more) web sites
owned by different individuals. Security has been placed on the web server
such that .asp files belonging to user A can only be manipulated by user A,
and .asp files belonging to user B can only be manipulated by user B.

Via dvwssr.dll, a program installed by default as part of any installation
of NTOK, user A could conceivably manipulate .asp files belonging to user B,
or vice versa.

The possibility of exploitation is limited to users who have already been
granted web authoring permissions on the box (via FrontPage permissions).
Without that permission, no known exploitation is possible.

That is, the average web user is not able to exploit this vulnerability.

Solution

DELETE dvwssr.dll. This program was provided to support Visual InterDev v1.0
only, and only to provide "Link View" information for .asp pages on a site.
Since Visual InterDev v1.0 has been replaced several times since its initial
release (~1995), there should be no further use for dvwssr.dll. Obviously,
individuals must assess for themselves the need for this file. However, no
other loss of functionality will occur once this file is removed from a box.

Anyone who deems the program necessary should seriously consider replacing
Visual InterDev v1.0 rather than keeping dvwssr.dll around.

Cheers,
Russ - NTBugtraq Editor
"dot-age" (as in "we're in the dot-age") = senility (source Webster's)

