If you have installed Microsoft Office 2000 or keep current on your Windows 
Updates, you may have noticed a new WebFolders namespace in Windows Explorer.  
WebFolders are a new concept designed to give Microsoft Office and FrontPage 
users the ability to publish and work with web content.  The concept is that a 
web site becomes a part of Windows Explorer so that you can work with web 
content as if it were located locally or on a network drive.

The fun part is that WebFolders have some significant weaknesses (inherited from 
FrontPage) and are such a new concept that it turns out they make a great entry 
point into a remote server.  In fact, when you connect to a web folder you are 
doing exactly the same thing that FrontPage does when it connects to a remote 
web site.  This vulnerability is nothing new and I doubt there will be any 
patches forthcoming because it mainly exploits ignorance and smugness more than 
server applications. Okay, so this is really about FrontPage and for some of you 
this may just be a review.  Nonetheless, I am surprised how few people seem to 
understand how FrontPage security works.  

USING WEBFOLDERS

As I mentioned previously, WebFolders work the same as FrontPage when connecting 
to web sites.  Essentially when you add a new WebFolder, Explorer will send a 
Post request to /_vti_bin/_vti_aut/author.dll (among others), which is installed 
as a part of the FrontPage Server extensions.  So when you are using WebFolders, 
you are really just using the FrontPage Server extensions.  If as an anonymous 
user you do not have read and execute access to that file, the server try to get 
an NTLM or Basic authentication from you.  If any of those credentials succeed, 
you will now have a new WebFolder mapped to the remote server's web root.  Even 
better, if you are able to get to this point, you should have at least authoring 
rights on the server, which means that you will be able to do just about 
anything you want on this web site. And when this is used in combination with 
other known exploits, one can easily achieve full admin access to a server.

Before getting into the technical details, lets look at what this all means and 
some of the issues involved here:

1.	Someone can remotely access at least a portion of your file system, 
    including read, write, and execute permissions;
2.	Since it all works on port 80, this exploit could easily work through many 
    firewalls configurations and intrusion detection systems;
3.	Since all file access is done through posts to author.dll, the specific 
    files accessed will not show up in any logs and therefore you won't really 
    know how much the attacker really did or what files he accessed (or 
    installed);
4.	The exploit can easily be performed through proxy servers to more easily 
    disguise the originating IP address;
5.	The login prompt is a good place to perform a brute-force attack (whether it 
    shows up in the Event Log or triggers account lockouts, I have not yet 
    tested).  Another related fact is that in order to connect to a WebFolder, 
    FrontPage requires that the author's account have the ability to log on 
    locally.  So if you do connect to a WebFolder you will be locally logged on 
    to that server (something to think about);
6.	The permissions you have as the web author will normally be greater than 
    those given to IUSR_MACHINE;
7.	Passwords are often stored in global.asa and other files which may be used 
    to attack other servers;
8.	Most people do not realize that they are vulnerable since a default 
    FrontPage installation does not implement any security restrictions and many 
    people do not understand how to setup FrontPage security.

HOW IT ALL WORKS

On Windows NT and IIS, FrontPage security is basically controlled by the access 
rights to the three files Admin.dll, Author.dll, and Shtml.dll.  These rights 
respectively determine administration, authoring, and browsing rights.  For 
example, if a remote user is able to read and execute Admin.dll, then that user 
is able to administer the web site.

The authentication dll's are structured as follows:

Web Root
    \_vti_bin
     shtml.dll
         \_vti_aut
          author.dll
         \_vti_adm
          admin.dll
 
When the post to author.dll succeeds, the client will then be able to browse the 
web site as if it were browsing the file system.  And since an author has full 
authoring capabilities, he can also do things such as place executable files in 
the _vti_bin directory or other executable directories.  Having user read, 
write, and execute access is just one step away from having full admin access.

Properly called the FrontPage Remote Procedure Call Protocol, the exact 
procedure for connecting is as follows:

First, Explorer sends the remote server an OPTIONS / HTTP/1.1 (I suppose to 
figure out if it can post).  At this point it is sending a User-Agent of 
"Microsoft Data Access Internet Publishing Provider Cache Manager", although in 
later requests it sends a User-Agent of "MSFrontPage/4.0."  So far I have seen 
few servers that dissallow the POST method so this usually succeeds (which makes 
me wonder why they even do it).

Then it sends GET /_vti_inf.html HTTP/1.1.  This is the basic configuration file 
for the FrontPage extensions.  This tells Explorer that the FrontPage server 
extensions are installed and it looks for the line 
FPAuthorScriptUrl="_vti_bin/_vti_aut/author.dll".  On IIS it will be author.dll 
and on all others it will be author.exe.  Of course, if the file isn't there, we 
get a 404 and we know this server doesn't have FrontPage support.

After it knows the location of the authoring binaries, it sends POST 
/_vti_bin/shtml.dll/_vti_rpc HTTP/1.1.  Shtml.dll is the browse binary and is 
available to everyone.  The post data is: 
method=server+version%3a4%2e0%2e2%2e2611, to which the server responds something 
like this:
<html><head><title>vermeer RPC packet</title></head>
<body>
<p>method=server version:3.0.2.1706
<p>server version=
<ul>
<li>major ver=3
<li>minor ver=0
<li>phase ver=2
<li>ver incr=1706
</ul>
<p>source control=0
</body>
</html>

Now Explorer knows the version (although it could have extracted this from the 
_vti_inf.html file) and can start its work.  It sends a POST to 
/_vti_bin/_vti_aut/author.dll, which is the authoring binary.  The post data is 
method=open+service%3a3%2e0%2e2%2e1706&service%5fname=%2f (notice how it now 
uses the server's version). This is where the authentication comes in.  If the 
ACL of author.dll permits this request, the server responds with a bunch of 
settings, which is basically the /_vti_pvt/services.cnf file.  There is nothing 
very interesting here, although some of the information could be used along with 
other exploits.  The good part comes in this next request:

POST /_vti_bin/_vti_aut/author.dll HTTP/1.1
MIME-Version: 1.0
User-Agent: MSFrontPage/4.0
Accept: auth/sicily
Content-Length: 241
Content-Type: application/x-www-form-urlencoded
X-Vermeer-Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive

method=list+documents%3a3%2e0%2e2%2e1706&service%5fname=&listHiddenDocs=false&li
stExplorerDocs=false&listRecurse=false&listFiles=true&listFolders=true&listLinkI
nfo=false&listIncludeParent=true&listDerivedT=false&listBorders=false&initialUrl
=

This is where we get the good stuff.  Of course as you can see, Explorer is 
being pretty nice (notice also the version number in the request).  What we 
really want to do is change some of those settings like listHiddenDocs=True and 
listExplorerDocs=True and listLinkInfo=True and listIncludeParent=true.  And of 
course, to browse other directories, you change the initialURL value (i.e., 
initialUrl=cgi%2dbin). 

To retreive a file, you send this as the POST data:
method=get+document%3a3%2e0%2e2%2e1105&service%5fname=&document%5fname=about%2fd
efault%2ehtm&old%5ftheme%5fhtml=false&force=true&get%5foption=none&doc%5fversion
=

In all I have found many commands you can send.  I haven't tested them nor do I 
know their exact parameters and I'm not sure if they can all be used remotely, 
but there is certainly much room for exploring.  And some commands are limited 
to admins while others are available to authors as well.  In fact, some commands 
are available to everyone.  Thats how FrontPage is able to list subwebs of a 
site without logging in.

FRONT PAGE SECURITY

Unfortunately, when you install the FrontPage server extensions, there are no 
security limitations implemented.  And it is very easy to get confused because 
the whole thing is based on the ACLs of a few files.  It would be very easy even 
for even an experienced admin to overlook FrontPage security.  Imagine this 
scenario:

A company is using FrontPage to author their public web site.  Their web server 
is considered very secure and the administrator has taken many steps to keep 
hackers out.  The network firewall restrictions are very tight, so that web and 
FTP access is all that anyone gets.  The administrator knows that the FrontPage 
server extensions aren't as strong as they should be so he has the web developer 
author the web site on his own Windows 98 computer then use FTP to upload to the 
server.  The web developer has installed the personal web server that comes with 
FrontPage so that he has his own local copy of the web that he uses for 
development.  His computer is on the internal network and is not exposed to the 
internet.  In fact, it is nowhere near the internet since it is in his office 
which is across the building from the server.

Then along comes a hacker that is trying to break in to their web site.  He sees 
that main web server is very secure so he does a zone transfer for that company 
and finds they own a whole class c network.  He scans the internal network but 
his pings fail and it appears that a firewall is in place.  He then scans their 
network for port 80 and sees that it isn't being filtered.  In fact, he has 
located several ports open, one on a seemingly insignificant box.  He types that 
address into his browser and finds that it seems to be a mirror of their main 
site.  But then he tries to create a WebFolder with that address and it 
immediately connects without even prompting for a password.  He starts his work, 
grabbing global.asa to get their SQL Server password, installing a few trojan 
ASP pages, one which allows querying the SQL Server database and then the usual 
cmd.exe, nc.exe, getadmin.exe, and/or perl.exe executables.  About an hour later 
he has everything he wants (whatever that may be) as well as a few extras, such 
as this company's login to the Microsoft's Solution Partner area and some porn 
he found in the developer's internet cache.  When he's done, he deletes his 
files and doesn't even bother with logs since it's not even logging (why should 
it, its just a development system?).  He does leave in one inconspicious trojan 
ASP page hoping that it will eventually make its way to the main web server then 
he closes the WebFolder and he's done.

Sure, some of you may say that this vulnerability is dependent upon some 
misconfigurations and oversights but unfortunately (or fortunately, depending on 
who you are) these misconfigurations and oversights are way too common.  If 
FrontPage doesn't prompt you for a password when you open your site, it won't be 
prompting anyone else either.  And what if someone just installed FrontPage to 
check it out but never used it?  This site will still be vulnerable even though 
they may have never created a FrontPage web.  Or what if the web author gets 
sick of entering a password each time he connects so just sets his password 
blank?  The sad fact is that as long as there are passwords, there will always 
be bad passwords.  How secure is that copy of FrontPage you run on your own 
system?  Have you checked?

To test a site, you can either open it in FrontPage, add it as a WebFolder, or 
here's another way:

Create a file named listdocuments that contains the following (you will want to 
change the host):

POST /_vti_bin/_vti_aut/author.dll HTTP/1.1
MIME-Version: 1.0
Accept: auth/sicily
Content-Length: 219
Host: www.yourhosthere.com
Content-Type: application/x-www-form-urlencoded
X-Vermeer-Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive

method=list+documents%3a3%2e0%2e2%2e1706&service%5fname=&listHiddenDocs=true&lis
tExplorerDocs=true&listRecurse=false&listFiles=true&listFolders=true&listLinkInf
o=false&listIncludeParent=true&listDerived=false&listBorders=false

Then using NetCat, do something like this:

nc -v www.targethost.com 80 < listdocuments

Another interesting point is that since FrontPage security is based on ACLs 
those three FrontPage dll files, a file system such as FAT that doesn't have 
ACLs will be completely open to WebFolder connections no matter what you do.

Another thing I would like to point out is that since WebFolders and FrontPage 
connect to sites the same way, you could also use the FrontPage Explorer to 
connect to a site.  The benefit of using the FrontPage Explorer is that you can 
also change permissions on files and view hidden directories and files.  Another 
interesting point is that ADO 2.5 provides OLE DB access to web folders so it 
would be very easy to write a script or application that will scan networks for 
vulnerable servers.  And of course you could also use any Office 2000 
application and VBA to connect to remote servers.  Finally, interactive and 
network accounts can list the directories (rx) of the web root.  This is so that 
the FrontPage Explorer can list the sub webs.  If you use FrontPage Explorer to 
connect to a web site, you will be given a list of sub webs to connect to as 
well.  This can be done by anyone without any authentication

Given some thought, one could take these concepts a lot farther.  Here are some 
other concepts to ponder:

1.	Administrators are always given full admin access to FrontPage webs so 
    that may be a good user to use in a brute-force attack;
2.	FrontPage has executable access to many system dll's including 
    msvcrt40.dll, netapi32.dll, rpcltcl.dll, samlib.dll, and wsock32.dll;
3.	If IIS is set to run dll's in-process, then one could replace the 
    FrontPage dll's with a trojan.  These dll's do not even have to be in the 
    same location, just named the same;
4.	A user's local login and password may be sent to the server using basic 
    authentication without the user knowing it

The FrontPage is a wonderful world full of unexplored exploits and 
vulnerabilities.  Its a shame more time hasn't been spent exploring this more.  
It also goes to show that the more we try to close doors, the more software 
vendors open up new ones.  Forget BO2k and NetBus, Microsoft did a much better 
job.

.sozni