Direct URL Disk Access: Not just for PHP!



  • Was downloading drivers for my TV card from NEC Computers website, and noticed the URL looked rather odd.  Specifically, "http://202.188.160.140/user/user_nec_download.asp?driver_location=D:\Drivers\TV Tuner\Asus7134V2.3.0.4.exe" odd.  I thought to myself, "how about if I replaced that file location apparently on D: of the server, and took a shot at some system files?"  The results... may surprise you.

    http://202.188.160.140/user/user_nec_download.asp?driver_location=C:\boot.ini 

    More worrying though, is that the results probably wont surprise you.





  • They should probably just have let the webserver do that part...
    I mean, it is designed to fetch files and send them, no need to reinvent the square wheel.

    Also, they need to upgrade, that's windows 2000 server.



  • Sadly enough I could not download autoexec.bat. IIS does not seem to work with an admin account :-(



  • there prob is no autoexec.bat



  • How about going after C:\pagefile.sys ? ...



  • @fluffy777 said:

    How about going after C:\pagefile.sys ? ...

    I got an HTML page with "Persits.Upload.1 (0x800A001A) The process cannot access the file because it is being used by another process."

    I always thought that windows's inability to share files between processes was just a bug that unix had figured out decades ago but microsoft couldn't fix. Maybe it's intentional, to make web applications more secure.



  • @ailivac said:

    I always thought that windows's inability to share files between processes was just a bug that unix had figured out decades ago but microsoft couldn't fix. Maybe it's intentional, to make web applications more secure.

    So instead of "Security through obscurity" they went with "Security through accidents"?

     



  • JFC! I did not believe this kind of stupid security hole possible....



  • @death said:

    JFC! I did not believe this kind of stupid security hole possible....

     

    I beleived it possible i just didn't think anyone would be stupid enough to actually do it.  



  • You can even download NTLDR :)



  • I think there could be some gems in http://202.188.160.140/user/user_nec_download.asp?driver_location=C:\documents and settings\administrator\ntuser.dat  :)  (replace with %20, etc as appropriate - I was lazy and let IE do the sub for me - no flaming for that please!! :D ).

    And NEC work as huge systems integrators in some of our (Australian) government projects... Amazing!



  • @MrYates said:

    I think there could be some gems in http://202.188.160.140/user/user_nec_download.asp?driver_location=C:\documents and settings\administrator\ntuser.dat  :)  (replace with %20, etc as appropriate - I was lazy and let IE do the sub for me - no flaming for that please!! :D ).

    And NEC work as huge systems integrators in some of our (Australian) government projects... Amazing!

    Isn't it possible to download the required files for a tool like John the Ripper and get the admin password? (btw, FF will also do that ;)



  • @element[0] said:

    @death said:

    JFC! I did not believe this kind of stupid security hole possible....

     

    I beleived it possible i just didn't think anyone would be stupid enough to actually do it.  

    Ill add to make the intent clear:

    ... in a public production system. SOMEBODY other than creator must have seen it and approved it...



  • @ailivac said:

    @fluffy777 said:

    How about going after C:\pagefile.sys ? ...

    I got an HTML page with "Persits.Upload.1 (0x800A001A) The process cannot access the file because it is being used by another process."

    I always thought that windows's inability to share files between processes was just a bug that unix had figured out decades ago but microsoft couldn't fix. Maybe it's intentional, to make web applications more secure.

    Actually that unix doesn't by default support mandatory locks is the bug. Reading a file that's being updated can give bad data, and can lead to other problems, like not knowing what the most recent data is, which can lead to updates overwriting newer data with older data.

    Microsoft has been ahead of *nix in this regard ever since MS-DOS 3.3



  • @why? said:

    @ailivac said:

    @fluffy777 said:

    How about going after C:\pagefile.sys ? ...

    I got an HTML page with "Persits.Upload.1 (0x800A001A) The process cannot access the file because it is being used by another process."

    I always thought that windows's inability to share files between processes was just a bug that unix had figured out decades ago but microsoft couldn't fix. Maybe it's intentional, to make web applications more secure.

    Actually that unix doesn't by default support mandatory locks is the bug. Reading a file that's being updated can give bad data, and can lead to other problems, like not knowing what the most recent data is, which can lead to updates overwriting newer data with older data.

    Microsoft has been ahead of *nix in this regard ever since MS-DOS 3.3

    Unix supported both advisory and mandatory locking for years before Microsoft ever existed. You appear to be confused. Windows uses implicit locking, which is braindamaged and wrong: if you open a file for writing, the file is automatically locked. This generates a huge number of completely unnecessary locks, slowing the whole system down and creating deadlocks where none should exist. In the event of one application failing, it tends to spill over and break all other related applications.

    The unix policy is quite simple: no locking unless the application asks for it. Unix applications have been supporting true concurrency since before Windows ever existed - not just some penny-ante desktop toys, but concurrent access on the server between thousands of users in real time. There are no significant defects with it, although the basic APIs are a little quirky (users who don't understand them should use a wrapper library rather than the native syscalls).

    And this is before we even begin to talk about network filesystems, where you really, really want to use advisory locking. Mandatory locking has significant performance and stability issues there, so should normally be avoided.





  • Brillant.

     

    Surely someone with a clue should have at least given this a once over before it went live.



  • bonus points for figuring out the path to the asp pages so we can look at the wtfs found in the source itself. that should be fun.

     



  • Under UK law at least, this may constitute hacking.

    1(1) A person is guilty of an offence if:

    a) He causes a computer to perform any function with intent to secure access to any program or data held in a computer;
    b) the access he intends to secure is unauthorized; and
    c) he knows at the time when he causes the computer to perform the function that this is the case.
     
    It would be for a court to decided whether data being acessible online, but with the location not published, constitutes authorisation. But I would expect not.


  • @asuffield said:

    Unix supported both advisory and mandatory locking for years before Microsoft ever existed. You appear to be confused. Windows uses implicit locking, which is braindamaged and wrong: if you open a file for writing, the file is automatically locked. This generates a huge number of completely unnecessary locks, slowing the whole system down and creating deadlocks where none should exist. In the event of one application failing, it tends to spill over and break all other related applications.

     

    And now Windows is, well, locked into this scheme because of all the software that's been written to expect things to work this way.  (I may be mistaken on this point, though, feel free to correct me)

     



  • @m0ffx said:

    Under UK law at least, this may constitute hacking.

    1(1) A person is guilty of an offence if:

    a) He causes a computer to perform any function with intent to secure access to any program or data held in a computer;
    b) the access he intends to secure is unauthorized; and
    c) he knows at the time when he causes the computer to perform the function that this is the case.
     
    It would be for a court to decided whether data being acessible online, but with the location not published, constitutes authorisation. But I would expect not.

    There is only one branch of the UK police with the authority to investigate these things with a view to prosecution, and they're now part of the serious organised crime group. Local police forces are instructed to forward all such cases to that group for official ignoring. Hence, the only way to get prosecuted for computer misuse is to (a) work for the mob, or (b) offend somebody with enough political clout to get the Home Office involved.

    Aside from that, this law has been tossed onto the large pile of UK laws that are never enforced. Nobody even cares about computer crime any more, there hasn't been a movie about it in like forever.





  • @asuffield said:

    Nobody even cares about computer crime any more, there hasn't been a movie about it in like forever.

    But and Swordfish! 



  • @petvirus said:

    bonus points for figuring out the path to the asp pages so we can look at the wtfs found in the source itself. that should be fun.

     

    http://202.188.160.140/user/user_nec_download.asp?driver_location=C:\Inetpub\wwwroot\ODDS\User\user_nec_download.asp 

    Edit: 

     Looks like this is a personal computer. Has bittorrent, splintercell, skype and other games/user apps on it.

     



  • @m0ffx said:

    a) He causes a computer to perform any function with intent to secure access to any program or data held in a computer;

    b) the access he intends to secure is unauthorized; and

    c) he knows at the time when he causes the computer to perform the function that this is the case.



    It would be for a court to decided whether data being acessible online, but with the location not published, constitutes authorisation. But I would expect not.

    A) FTP servers are not allowed in the UK?

    B) Obviously this is authorized, who would even fathom that this is actually in anyway secure? He is a kind contributor to the OSS movement.

    C) See B.



  • @Lingerance said:

    @m0ffx said:
    a) He causes a computer to perform any function with intent to secure access to any program or data held in a computer;

    b) the access he intends to secure is unauthorized; and

    c) he knows at the time when he causes the computer to perform the function that this is the case.



    It would be for a court to decided whether data being acessible online, but with the location not published, constitutes authorisation. But I would expect not.

    A) FTP servers are not allowed in the UK?

    B) Obviously this is authorized, who would even fathom that this is actually in anyway secure? He is a kind contributor to the OSS movement.

    C) See B.

    Unfortunately it's not OBVIOUSLY authorized. It's a little like going around a building where the route is signposted, and then turning off into a room with a closed, but not locked, door. Just because there is nothing technological preventing you from gaining access does not mean you're allowed to do so. If a URL is published (in any medium) by its owner, or it's the domain name alone, then there (presumably) is an implicit authorization. In this case there is not a published URL, and the site is intended for downloading drivers. Anything else is probably not implicitly authorized. Lack of security is not a defence. Honestly believing you are allowed to access these files is a defence, but I would say any reasonable person knows they shouldn't be doing so.



  • but dropping tables is ok right?



  • Oh this is great:

    http://202.188.160.140/user/user_nec_download.asp?driver_location=C:\WINDOWS\SYSTEM32\CONFIG\SAM

    I didn't expect it to work. Anyone know how to drive Jack the Ripper?

     



  • @m0ffx said:

    @Lingerance said:

    @m0ffx said:
    a) He causes a computer to perform any function with intent to secure access to any program or data held in a computer;

    b) the access he intends to secure is unauthorized; and

    c) he knows at the time when he causes the computer to perform the function that this is the case.



    It would be for a court to decided whether data being acessible online, but with the location not published, constitutes authorisation. But I would expect not.

    A) FTP servers are not allowed in the UK?

    B) Obviously this is authorized, who would even fathom that this is actually in anyway secure? He is a kind contributor to the OSS movement.

    C) See B.

    Unfortunately it's not OBVIOUSLY authorized. It's a little like going around a building where the route is signposted, and then turning off into a room with a closed, but not locked, door. Just because there is nothing technological preventing you from gaining access does not mean you're allowed to do so. If a URL is published (in any medium) by its owner, or it's the domain name alone, then there (presumably) is an implicit authorization. In this case there is not a published URL, and the site is intended for downloading drivers. Anything else is probably not implicitly authorized. Lack of security is not a defence. Honestly believing you are allowed to access these files is a defence, but I would say any reasonable person knows they shouldn't be doing so.

    This law was heavily criticised at the time for precisely this argument. You can twist it to mean pretty much whatever you want, and it entirely declines to explain what to do with the borderline cases. Basically, the legislators at the time said "hey, we need to do something about computer crime... hmm, actually this is really hard, punt". I vaguely recall some commentators asking what exactly we were paying them for, if the best they could come up with was an Act that just said the legal equivalent of "don't do bad stuff".

    Thanks to lackluster enforcement there's very little case law, much of it confusing, so we still don't have any real idea what the stupid thing means. 



  • @kirchhoff said:

    Oh this is great:

    http://202.188.160.140/user/user_nec_download.asp?driver_location=C:\WINDOWS\SYSTEM32\CONFIG\SAM

    I didn't expect it to work. Anyone know how to drive Jack the Ripper?

     

     

    Read the file. You downloaded an error message.

    The windows directory is C:\WINNT\ anyways. 





  • This isn't really true, the current owner of the handle to a file can specify the sharing behaviour for subsequent accesses to the file.

     Perhaps you are the brain damaged one. You don't really know what you are talking about.



  • @qaztree said:

    This isn't really true, the current owner of the handle to a file can specify the sharing behaviour for subsequent accesses to the file.

     Perhaps you are the brain damaged one. You don't really know what you are talking about.

    I'm presuming you're responding to m0ffx's post?


  • @plazmo said:

    @petvirus said:

    bonus points for figuring out the path to the asp pages so we can look at the wtfs found in the source itself. that should be fun.

     

    http://202.188.160.140/user/user_nec_download.asp?driver_location=C:\Inetpub\wwwroot\ODDS\User\user_nec_download.asp 

    Edit: 

     Looks like this is a personal computer. Has bittorrent, splintercell, skype and other games/user apps on it.

     

    No it doesn't.  Try using another browser. Firefox will happily open the "save file" dialog even if you give the wrong path, Internet Explorer will popup a box saying the server terminated the connection.  There's a Firefox WTF right there.



  • @Kyanar said:

    @plazmo said:
    @petvirus said:

    bonus points for figuring out the path to the asp pages so we can look at the wtfs found in the source itself. that should be fun.

     

    http://202.188.160.140/user/user_nec_download.asp?driver_location=C:\Inetpub\wwwroot\ODDS\User\user_nec_download.asp 

    Edit: 

     Looks like this is a personal computer. Has bittorrent, splintercell, skype and other games/user apps on it.

     

    No it doesn't.  Try using another browser. Firefox will happily open the "save file" dialog even if you give the wrong path, Internet Explorer will popup a box saying the server terminated the connection.  There's a Firefox WTF right there.


    I'm using:
    http://202.188.160.140/user/user_nec_download.asp?driver_location=C:\Inetpub\wwwroot\ODDS\User\skjhbsdfk.asp

    Opera 9 also downloads the non-existent file without issue. The returned data is a default IIS 500 error page.

    IE7 opens a fila dialog at first, then overlays the error box that you describe.

    I'm not hip enough to HTTP requests to attach binding conclusions to these observations. 



  • @dhromed said:

    @Kyanar said:
    @plazmo said:
    @petvirus said:

    bonus points for figuring out the path to the asp pages so we can look at the wtfs found in the source itself. that should be fun.

    http://202.188.160.140/user/user_nec_download.asp?driver_location=C:\Inetpub\wwwroot\ODDS\User\user_nec_download.asp 

    Edit: 

     Looks like this is a personal computer. Has bittorrent, splintercell, skype and other games/user apps on it.

    No it doesn't.  Try using another browser. Firefox will happily open the "save file" dialog even if you give the wrong path, Internet Explorer will popup a box saying the server terminated the connection.  There's a Firefox WTF right there.


    I'm using:
    http://202.188.160.140/user/user_nec_download.asp?driver_location=C:\Inetpub\wwwroot\ODDS\User\skjhbsdfk.asp

    Opera 9 also downloads the non-existent file without issue. The returned data is a default IIS 500 error page.

    IE7 opens a fila dialog at first, then overlays the error box that you describe.

    I'm not hip enough to HTTP requests to attach binding conclusions to these observations.

    All three browsers want to save the file to disk because the HTTP Response has a Content-Type of application/octet-binary.  It's pretty stupid for a 500 error to send back a Content-Type other than text/html (or one of the xhtml variants) or text/plain. 

    Firefox and Opera are more than happy to save the error page: data is data, as far as they're concerned.  IE recognizes that the server returned an error code, and subsequently won't let you save it.  It looks like everybody is kinda wrong in the context of HTTP, whose specs say the following for a 5XX error message:

    User agents SHOULD display any included entity to the
    user.
    (emphasis in orginal).  IE simply bails out without giving the actual reason.  It says it cannot reach the download site, which is patently untrue.  Without receiving the Content-Type, IE wouldn't be attempting to save the file in the first place.  Note that this completely restricts you from seeing the server response.  Firefox and Opera give no indication to the user of an error until he/she goes to open the downloaded file.

    In a perfect world, I'd expect the browser to notify that an error has occurred and let the user decide whether to continue downloading or not.



  • it starts to get a little nasty when you can access the data connection strings

    ***censored***



  • @Hitsuji said:

    it starts to get a little nasty when you can access the data connection strings

    censored 

    I think this link crosses form the grey area into the red zone. 



  • @dhromed said:

    @Hitsuji said:

    it starts to get a little nasty when you can access the data connection strings

    censored 

    I think this link crosses form the grey area into the red zone. 

     

    I dont think this is the appropriate forum to be posting exploits to sites. We are supposed to be going WTF at bad coding, not opening holes that can lead to the destruction of a site.

    And usually i find linking directly to exploits on public forums a bad idea, as it puts this forum thread in their server logs and perdy much opens the exploit up to any script kiddie that knows how to google.



  • @plazmo said:

    @dhromed said:
    @Hitsuji said:

    it starts to get a little nasty when you can access the data connection strings

    censored 

    I think this link crosses form the grey area into the red zone. 

     

    I dont think this is the appropriate forum to be posting exploits to sites. We are supposed to be going WTF at bad coding, not opening holes that can lead to the destruction of a site.

    And usually i find linking directly to exploits on public forums a bad idea, as it puts this forum thread in their server logs and perdy much opens the exploit up to any script kiddie that knows how to google.

     

    Has anyone bothered notifying NEC of this yet? It seems to me that by 11:21AM they should have taken their production site down for maintenance...



  • @plazmo said:

    I dont think this is the appropriate forum to be posting exploits to sites. We are supposed to be going WTF at bad coding, not opening holes that can lead to the destruction of a site.

    And usually i find linking directly to exploits on public forums a bad idea, as it puts this forum thread in their server logs and perdy much opens the exploit up to any script kiddie that knows how to google.

    Definitely. Please do not post script-kiddy-step-by-step guides here. I've censored the above link, for obviously being too dangerous.



  • @PerdidoPunk said:

    Has anyone bothered notifying NEC of this yet?

    Can one deliver this message in such way that it will not elicit a response of the form "YOU HACKED US WTF SUE"?



  • @bstorer said:

    @dhromed said:
    @Kyanar said:
    @plazmo said:
    @petvirus said:

    bonus points for figuring out the path to the asp pages so we can look at the wtfs found in the source itself. that should be fun.

    http://202.188.160.140/user/user_nec_download.asp?driver_location=C:\Inetpub\wwwroot\ODDS\User\user_nec_download.asp 

    Edit: 

     Looks like this is a personal computer. Has bittorrent, splintercell, skype and other games/user apps on it.

    No it doesn't.  Try using another browser. Firefox will happily open the "save file" dialog even if you give the wrong path, Internet Explorer will popup a box saying the server terminated the connection.  There's a Firefox WTF right there.


    I'm using:
    http://202.188.160.140/user/user_nec_download.asp?driver_location=C:\Inetpub\wwwroot\ODDS\User\skjhbsdfk.asp

    Opera 9 also downloads the non-existent file without issue. The returned data is a default IIS 500 error page.

    IE7 opens a fila dialog at first, then overlays the error box that you describe.

    I'm not hip enough to HTTP requests to attach binding conclusions to these observations.

    All three browsers want to save the file to disk because the HTTP Response has a Content-Type of application/octet-binary.  It's pretty stupid for a 500 error to send back a Content-Type other than text/html (or one of the xhtml variants) or text/plain. 

    Firefox and Opera are more than happy to save the error page: data is data, as far as they're concerned.  IE recognizes that the server returned an error code, and subsequently won't let you save it.  It looks like everybody is kinda wrong in the context of HTTP, whose specs say the following for a 5XX error message:

    User agents SHOULD display any included entity to the
    user.
    (emphasis in orginal).  IE simply bails out without giving the actual reason.  It says it cannot reach the download site, which is patently untrue.  Without receiving the Content-Type, IE wouldn't be attempting to save the file in the first place.  Note that this completely restricts you from seeing the server response.  Firefox and Opera give no indication to the user of an error until he/she goes to open the downloaded file.

    In a perfect world, I'd expect the browser to notify that an error has occurred and let the user decide whether to continue downloading or not.

    I guess its because the original purpose of the site was to deliver binary files, so they probably just set the content-type to binary, so that even text file don't show up as text but still triggers the browser to download it. If you look at it this way IE is the only one that does what they want :D 



  • @dhromed said:

    @PerdidoPunk said:

    Has anyone bothered notifying NEC of this yet?

    Can one deliver this message in such way that it will not elicit a response of the form "YOU HACKED US WTF SUE"?

    I think the security of their website is more important than worrying about that. If there is an issue, I'm sure it can be straightened out, as it is quite apparent that the point of this website is not to find and exploit security holes, but rather to emphasize good IT practice. I for one am a responsible IT professional and think that this is something NEC should be made aware of immediately... The more people to bother them about it, the better, as that will likely cause them to repair this hole more quickly.



  • @PerdidoPunk said:

    @dhromed said:

    @PerdidoPunk said:

    Has anyone bothered notifying NEC of this yet?

    Can one deliver this message in such way that it will not elicit a response of the form "YOU HACKED US WTF SUE"?

    I think the security of their website is more important than worrying about that. If there is an issue, I'm sure it can be straightened out, as it is quite apparent that the point of this website is not to find and exploit security holes, but rather to emphasize good IT practice. I for one am a responsible IT professional and think that this is something NEC should be made aware of immediately... The more people to bother them about it, the better, as that will likely cause them to repair this hole more quickly.

     If anyone knows how to contact Alex or another admin, they might want to be made aware of the other links in this post so they can be censored, too...



  • @PerdidoPunk said:

    @PerdidoPunk said:
    @dhromed said:

    @PerdidoPunk said:

    Has anyone bothered notifying NEC of this yet?

    Can one deliver this message in such way that it will not elicit a response of the form "YOU HACKED US WTF SUE"?

    I think the security of their website is more important than worrying about that. If there is an issue, I'm sure it can be straightened out, as it is quite apparent that the point of this website is not to find and exploit security holes, but rather to emphasize good IT practice. I for one am a responsible IT professional and think that this is something NEC should be made aware of immediately... The more people to bother them about it, the better, as that will likely cause them to repair this hole more quickly.

     If anyone knows how to contact Alex or another admin, they might want to be made aware of the other links in this post so they can be censored, too...

    Just use the "report abuse" link at the bottom of each post. Anyway, censoring every post in this thread is far too much work. I would have to delete the whole thread. 



  • @PerdidoPunk said:

    @dhromed said:

    @PerdidoPunk said:

    Has anyone bothered notifying NEC of this yet?

    Can one deliver this message in such way that it will not elicit a response of the form "YOU HACKED US WTF SUE"?

    I think the security of their website is more important than worrying about that.

    I don't. If you've been following the whole "full disclosure" debate, you'll see that the biggest WTF is the response of large companies to reports of security holes. They generally fall into two categories:

    1) Sit on the report until someone exploits it, then tell the police that the reporter is a prime suspect.

    2) Sue the person making the report or charge them with assorted computer crimes.

    The only safe, effective way to report a security hole is to do so as publicly as possible, while covering your tracks as well as you can.



  • @XIU said:

    @bstorer said:

    All three browsers want to save the file to disk because the HTTP Response has a Content-Type of application/octet-binary.  It's pretty stupid for a 500 error to send back a Content-Type other than text/html (or one of the xhtml variants) or text/plain. 

    Firefox and Opera are more than happy to save the error page: data is data, as far as they're concerned.  IE recognizes that the server returned an error code, and subsequently won't let you save it.  It looks like everybody is kinda wrong in the context of HTTP, whose specs say the following for a 5XX error message:

    User agents SHOULD display any included entity to the
    user.
    (emphasis in orginal).  IE simply bails out without giving the actual reason.  It says it cannot reach the download site, which is patently untrue.  Without receiving the Content-Type, IE wouldn't be attempting to save the file in the first place.  Note that this completely restricts you from seeing the server response.  Firefox and Opera give no indication to the user of an error until he/she goes to open the downloaded file.

    In a perfect world, I'd expect the browser to notify that an error has occurred and let the user decide whether to continue downloading or not.

    I guess its because the original purpose of the site was to deliver binary files, so they probably just set the content-type to binary, so that even text file don't show up as text but still triggers the browser to download it. If you look at it this way IE is the only one that does what they want :D

    That's an interesting theory, because it suggests that some thought went into that aspect of the design, while none when into the security aspect.



  • @PerdidoPunk said:

    @dhromed said:

    @PerdidoPunk said:

    Has anyone bothered notifying NEC of this yet?

    Can one deliver this message in such way that it will not elicit a response of the form "YOU HACKED US WTF SUE"?

    I think the security of their website is more important than worrying about that. If there is an issue, I'm sure it can be straightened out, as it is quite apparent that the point of this website is not to find and exploit security holes, but rather to emphasize good IT practice. I for one am a responsible IT professional and think that this is something NEC should be made aware of immediately... The more people to bother them about it, the better, as that will likely cause them to repair this hole more quickly.

    Lesson of the day: no good deed goes unpunished.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.