IIS malformed HTW request
advICE :Intrusions : 2002568

Summary

An attempt has been made to exploit the Microsoft Index Server in order to grab unauthorized files from the system.

Details

Microsoft Index Server 2.0 is a subsystem that comes with IIS 4.0. It provides a standard search engine for the server, indexing the content on the server and providing search capabilities for users.

One feature of search engines is to excerpt (or "highlight") the text around the search term in each found page. Hackers can use the common directory traversal technique in order to access any file on the system. The technique is to use the webhits.dll ISAPI script, the ".htw" file type, a long string, and the directory path leading to the desired file.

Defense

Install the patch provided by Microsoft.

It is likely that similar problems will be found in the future, in either this product or others. A defense against this class of attack is to rename directories. For example, rather than installing Windows NT in the default directory of "C:\WINNT", use the directory name "C:\WINNTX" instead. In order to exploit this bug, hackers must know the exact name of the file they want to retrieve. Changing directory names means they cannot easily find well-known files.

parametric information URL The suspicious URL. accessed Indicates whether the URL was successfully accessed. code The HTTP return code. arg The argument to the GET command (if any).

 
Version appeared: 2.0