razor.dvwssr.txt
Posted Apr 23, 2000
Authored by Simple Nomad | Site razor.bindview.com

tags | exploit
MD5 | 741bdf7a183e2d3d358a281a462d6d51

BindView RAZOR Team Analysis of DVWSSR.DLL Risks

Risks Uncovered:
================

The risks of having dvwssr.dll are not as severe as originally reported in
media outlets Friday morning, but still severe enough that system
administrators responsible for NT systems should investigate. The risks
involve whether or not a certain DLL is loaded, how rights are set, and
potentially how Front Page 98 is used.

1. If you have Microsoft NT 4 with the Option Pack loaded and FrontPage
98, you have the vulnerable dvwssr.dll loaded.

2. To run the dll remotely you need to have read access to the dll. This
is not assigned by default. Typically on systems with multiple virtual
hosts the administrator could have stuck everyone with a virtual host on
the system into a group and given that group access to the dll. This would
imply that any virtual host maintainer could look at other hosts' files.
Obviously a misconfigured host might allow anonymous access, but this
would require purposeful actions by the administrator for this to exist.

3. The files in question are asp files. This dll gives you the ability to
read asp source, so it is possible that hardcoded user names and passwords
to backend systems may be viewed. This is essentially the risk that Rain
Forest Puppy found.

4. There exists a buffer overflow in the dvwssr.dll. At offset 0x581811C9
in the DLL is an unchecked lstrcpy. By sending a large string of
characters, the dvwssr.dll can be overflowed. By carefully constructing
these characters, it is possible to remotely execute commands as "system"
which can be used for elevating privileges. The buffer overflow was
uncovered by CoreSDI.

5. In theory if you can get the hash of a user with the access, you can
exploit the buffer overflow. This is called "passing the hash", and
essentially means that you use the hash without cracking the password to
authenticate to the target server. See
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9704&L=NTBUGTRAQ&P=R2734&D=0
for details from RAZOR's Paul Ashton on the basis for this technique. This
technique is currently one of the stars of Foundstone's "Hacking Exposed:
Live" presentations being put on by George Kurtz and Eric Schultze at
security shows around the globe. Certainly in theory this could be adapted
to this exploit.

6. Sniffing the NT LanMan password hash being sent by a legitimate FP98
user using L0phtcrack, and subsequently cracking the password would
certainly give you the proper access to run the dll, and therefore elevate
privileges. This would of course mean that the sniffer would have to be
located between the legitimate user and the target server, but is not
beyond the realm of possibility.

Detection of the DLL:
=====================

Detection is quite simple. The following examples use NetCat:

Example 1:
$ nc -v -w2 target.system 80
GET /_vti_bin/_vti_aut/dvwssr.dll HTTP/1.0 (hit enter twice)

HTTP/1.0 500 Server Error (The system could not find the environment
option that was entered. )

The 500 error means dvwssr.dll is not present.

Example 2:
$ nc -v -w2 target.system 80
GET /_vti_bin/_vti_aut/dvwssr.dll HTTP/1.0 (hit enter twice)

HTTP/1.0 401 Access Denied

The 401 error means dvwssr.dll is present but you do not have the rights to it.

Example 3:
$ nc -v -w2 target.system 80
GET /_vti_bin/_vti_aut/dvwssr.dll HTTP/1.0 (hit enter twice)

Connection closed by foreign host.

The connection closed means that you had the rights to run the DLL, but
since no parameters were passed the connection was completed.
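The same three-way check scripted so an administrator can run it against the hosts they manage. This is an added example, not part of the RAZOR advisory; it sends only the GET shown above and maps the three outcomes the advisory describes (500, 401, connection closed) to a verdict. The sample responses in it are constructed for illustration.

```python
import socket
import sys

# Path and request exactly as used in the NetCat examples.
DVWSSR_PATH = "/_vti_bin/_vti_aut/dvwssr.dll"
REQUEST = f"GET {DVWSSR_PATH} HTTP/1.0\r\n\r\n".encode()

# Constructed sample responses, one per outcome the advisory lists.
SAMPLE_ABSENT = (b"HTTP/1.0 500 Server Error (The system could not find "
                 b"the environment option that was entered. )\r\n\r\n")
SAMPLE_NO_RIGHTS = b"HTTP/1.0 401 Access Denied\r\n\r\n"
SAMPLE_ACCESSIBLE = b""   # server closed the connection without replying


def classify_response(data: bytes) -> str:
    """Map raw bytes returned for the probe request to a verdict.

    500 -> DLL not present; 401 -> present but caller lacks rights;
    no data at all (peer closed) -> present and caller could run it.
    Anything else is reported as unknown rather than guessed.
    """
    if not data:
        return "present-accessible"
    status_line = data.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return "unknown"
    code = parts[1]
    if code == b"500":
        return "absent"
    if code == b"401":
        return "present-no-rights"
    return "unknown"


def probe(host: str, port: int = 80, timeout: float = 2.0) -> str:
    """Send the advisory's GET to one host and classify the reply."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(REQUEST)
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:      # peer closed: the "Example 3" case
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
    return classify_response(b"".join(chunks))


if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(target, probe(target))
```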

Users of BindView's HackerShield can use the Rapid Fire Update released on
the evening of April 14 to detect the presence of the DLL on the systems
they manage.

Elimination of Vulnerability:
=============================

Microsoft's original recommendation of removal of the DLL still stands as
this eliminates the vulnerability completely. See
http://www.microsoft.com/technet/security/bulletin/ms00-025.asp for
details.

Credits
=======

The technical details in this analysis were provided by Todd Sabin and
Paul Ashton of BindView's RAZOR team (in addition to information made
public by Rain Forest Puppy and CoreSDI).

- Simple Nomad - No rest for the Wicca'd -
- thegnome@nmrc.org - www.nmrc.org -
- thegnome@razor.bindview.com - razor.bindview.com -
