=====[BEGIN-ACROS-REPORT]=====

=========================================================================
ACROS Security Problem Report #1999-10-26-1-PUB
-------------------------------------------------------------------------
A "dot-dot" problem in WebID Agent for Microsoft IIS
=========================================================================

FULL REPORT
PUBLIC
======

Affected System(s): WebID Agent for Microsoft IIS
Problem:            Incorrect processing of URLs containing "dot-dot"
Severity:           High (complete bypassing of authentication process)
Solution:           Installing the official patch
Discovered:         October 26, 1999
Vendor Notified:    October 26, 1999
Last update:        -
Published:          November 11, 1999

SUMMARY
=======

On a current project, our penetration team has found a serious security
vulnerability in WebID technology from Security Dynamics (now RSA
Security), applied on Microsoft Internet Information Server.

INTRODUCTION
============

The WebID technology enables administrators to protect some or all
virtual directories on a web server with strong SecurID authentication.
When a user first accesses a protected area, a SecurID authentication
form is displayed instead of the web page he wanted to see. If the user
then enters and sends correct authentication data, his browser receives
a WebID cookie that authenticates him on all subsequent accesses to the
protected area (until a timeout).

PROBLEM AND EXAMPLE
===================

There is, however, a way to bypass that protection on Internet
Information Server. Let's say that the virtual folder 'protected' is
protected with WebID. A user's first visit to

  http://www.server.com/protected/sensitive-document.htm

will therefore result in the SecurID authentication form instead of the
requested sensitive document (which is correct). But if the user tries

  http://www.server.com/../protected/sensitive-document.htm

he bypasses WebID protection and gets the protected sensitive document
without authentication.
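The bypass above, as an added illustration that is not code from ACROS or from the WebID/ACE Agent product: the report does not describe the agent's internals, so this example assumes the usual cause of a dot-dot bypass, a protected-directory check applied to the raw request path before ".." segments are resolved, and contrasts it with the same check done on a canonicalized path. It also decodes percent-encoded segments before resolving them, which goes beyond the literal ".." shown in the report. The function names and the prefix list are this example's own; the folder and document names are taken from the report's example.

```python
"""Canonicalize a request path before deciding whether it falls under a
protected virtual directory.

Added illustration for the ACROS report above; not code from ACROS or
from the WebID/ACE Agent product. The assumed root cause is a prefix
check on the raw request path; the fix shown is to check the path the
server will actually serve from.
"""
from urllib.parse import unquote

# Virtual directories that require SecurID authentication (constructed
# sample; the report's example protects the folder 'protected').
PROTECTED_PREFIXES = ("/protected/",)


def canonicalize(path: str) -> str:
    """Resolve '.', '..' and empty segments so the result is the path the
    web server will actually map to a file.

    Percent-encoded segments are decoded first (a generalization beyond
    the report, which only shows a literal '..'), so an encoded dot-dot is
    treated like a literal one. A '..' at the root stays at the root,
    which is how '/../protected' ends up meaning '/protected'.
    """
    # Only the path decides access; drop query string and fragment.
    path = path.split("?", 1)[0].split("#", 1)[0]
    segments = []
    for seg in unquote(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def naive_is_protected(raw_path: str) -> bool:
    """The failing check: match the prefix against the raw request path.
    '/../protected/...' does not start with '/protected/', so it is
    wrongly treated as public."""
    return any(raw_path.startswith(p) for p in PROTECTED_PREFIXES)


def is_protected(raw_path: str) -> bool:
    """The fixed check: canonicalize first, then match the prefix."""
    canon = canonicalize(raw_path)
    # Append a slash so '/protected' itself and everything under it match,
    # while a sibling such as '/protected-notes' does not.
    return any((canon + "/").startswith(p) for p in PROTECTED_PREFIXES)


def decide(raw_path: str, has_valid_webid_cookie: bool) -> str:
    """Return 'serve' or 'auth-form' for a request, using the fixed check."""
    if is_protected(raw_path) and not has_valid_webid_cookie:
        return "auth-form"
    return "serve"


if __name__ == "__main__":
    for p in ("/protected/sensitive-document.htm",
              "/../protected/sensitive-document.htm",
              "/%2e%2e/protected/sensitive-document.htm",
              "/public/index.htm"):
        print(f"{p:45} naive={naive_is_protected(p)!s:5} "
              f"fixed={is_protected(p)!s:5} -> {decide(p, False)}")
```

Running the block prints one line per sample path; the second and third paths are the ones the naive check lets through and the canonicalized check sends to the authentication form. The same idea applies to any filter that makes an access decision from a URL: decide on the canonical form the server will use, never on the raw string.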
Needless to say, this vulnerability completely breaks WebID protection
on IIS.

SOLUTION
========

RSA Security has produced a patch for this vulnerability, available to
their customers through their partner extranet. The patch, as far as we
have tested it, removes the vulnerability.

WORKAROUND
==========

The only administrative workaround we know of is putting the whole
website (root) under WebID protection. This way, the vulnerability can't
be exploited.

ADVISORY
========

Administrators running RSA Security's WebID protection on Microsoft IIS
servers are advised to install the official ACE/Agent patch to remove
the vulnerability.

TESTING RESULTS
===============

This has been tested on IIS 4.0 with SecurID Ace Agent 4.2.

ACKNOWLEDGMENTS
===============

We would like to acknowledge RSA Security (specifically Amy Speare and
Bob Gillam) for their prompt and professional response to our
notification of the identified vulnerability and their help in
understanding the flaw.

SUPPORT
=======

For further details about this issue please contact:

Mr. Mitja Kolsek
ACROS, d.o.o.
Stantetova 4
SI - 2000 Maribor, Slovenia
phone:  +386 41 720 908
e-mail: mitja.kolsek@acros.si

PGP Key available at PGP.COM's key server.
PGP Fingerprint: A655 F61C 5103 F561 6D30 AAB2 2DD1 562A

DISTRIBUTION
============

This report was sent to:
- ACROS client mailing list

DISCLAIMER
==========

The information in this report is purely informational and meant only
for the purpose of education and protection. ACROS, d.o.o. shall in no
event be liable for any damage whatsoever, direct or implied, arising
from use or spread of this information.

All identifiers (hostnames, IP addresses, company names, individual
names etc.) used in examples and exploits are used only for explanatory
purposes and have no connection with any real host, company or
individual. In no event should it be assumed that use of these names
means specific hosts, companies or individuals are vulnerable to any
attacks, nor does it mean that they consent to being used in any
vulnerability tests. The use of information in this report is entirely
at the user's risk.

COPYRIGHT
=========

(c) 1999 ACROS, d.o.o., Slovenia. Forwarding and publishing of this
document is permitted provided that all information between the marks
"[BEGIN-ACROS-REPORT]" and "[END-ACROS-REPORT]" remains unchanged.

=====[END-ACROS-REPORT]=====