From: "Microsoft Security Response Center"
To: "Sylvester Ziolkowski"
Cc: "Microsoft Security Response Center"
Subject: RE: Security Vulnerability Report
Date: Friday, December 30, 2005 2:52 PM

Hi Sylvester,

Thanks for getting back to me. Yes, our web form disallows certain text by design, to prevent people from trying to hack it! =) You can always report things directly to us at secure@microsoft.com if the form frustrates you.

In your situation below, I was able to reproduce it with your server, but could not duplicate the behavior with test servers here. It seems to me there might be a misconfiguration on your server and I recommend you have the server administrator verify the ACLs. If he or she needs further assistance, Microsoft Product Support Services is the better place to go. Information on how to contact PSS is available at http://support.microsoft.com/.

I hope this helps.

Thanks,
Christopher, CISSP, Security+

-----Original Message-----
From: Sylvester Ziolkowski [mailto:sylvek@cox.net]
Sent: Friday 30 December 2005 14:28
To: Microsoft Security Response Center
Subject: Re: Security Vulnerability Report

Hi Christopher!

> ----- Original Message -----
> Sent: Friday, December 30, 2005 12:58 PM
> Subject: RE: Security Vulnerability Report
>
> Would you please send me more details on the exact security vulnerability,
> steps to reproduce the problem, and how an attacker could exploit it?

I'm sorry for the jumbled report. Your web form at https://www.microsoft.com/technet/security/bulletin/alertus.aspx breaks if you try to enter the text "/_private" in any field. I got a bit frustrated trying to find what breaks it.

The steps to reproduce are at http://sylvek.com/support/ . Those are for Linux and use netcat. You can do the same by hand with telnet to port 80.

On Windows XP do the following: My Network Places -> Add Network Place -> Choose Another Network Location, then enter http://sylvek.com or http://melzacki.com or http://amei-bsc.com and you will see all the files in the particular account. Note that this way you will somehow use port 445. But the result is the same: anonymous read access. That includes the "_private" directory, which normally is not accessible via plain HTTP GET.

The 3 domains are just examples that I've found really quickly on my Microsoft shared web hosting provider (1&1 Internet). I don't want to do a wide scan for all the vulnerable Win2003 servers. Those machines are not under my administrative control, thus I don't know what to do on the server side.

How to exploit? I don't know and I don't want to think about it. But Windows Server 2003 Web Edition shouldn't allow anonymous access via WebDAV(80) or microsoft-ds(445). Maybe you should update your Lockdown Tool?

Warm regards,
Sylvek
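As an added defender's check (example code, not part of the e-mail thread and not any Microsoft tool): a Python script that scans IIS W3C extended log lines and flags requests under "_private" that the server actually served to an unauthenticated client, the WebDAV PROPFIND / GET access Sylvek describes. It assumes IIS 6 logging with the default field set; the log lines and IP addresses are constructed samples.

```python
from collections import namedtuple
from typing import Iterator

# Constructed sample of an IIS 6 W3C extended log (assumption: default field
# set). 192.0.2.10 is the server; 198.51.100.7 is an unauthenticated client.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-12-30 14:00:01 192.0.2.10 GET /index.htm - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2005-12-30 14:00:05 192.0.2.10 PROPFIND /_private/ - 80 - 198.51.100.7 Microsoft-WebDAV-MiniRedir/5.1.2600 207 0 0
2005-12-30 14:00:06 192.0.2.10 GET /_private/form_results.csv - 80 - 198.51.100.7 Microsoft-WebDAV-MiniRedir/5.1.2600 200 0 0
2005-12-30 14:00:09 192.0.2.10 PROPFIND /_private/ - 80 webadmin 203.0.113.5 Microsoft-WebDAV-MiniRedir/5.1.2600 207 0 0
2005-12-30 14:00:12 192.0.2.10 GET /_private/ - 80 - 198.51.100.7 Mozilla/4.0 403 0 0
"""

Finding = namedtuple("Finding", "when client method uri status")

def parse_w3c(log_text: str) -> Iterator[dict]:
    """Yield one dict per data row; column order comes from the #Fields directive."""
    fields = None
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) and blank lines
        else:
            values = line.split()
            if fields and len(values) == len(fields):  # skip malformed rows
                yield dict(zip(fields, values))

def find_anonymous_private_access(log_text: str, prefix: str = "/_private") -> list:
    """Rows where an unauthenticated client (cs-username '-') was actually served
    (2xx, which includes the WebDAV 207 Multi-Status reply) a resource under prefix."""
    findings = []
    for row in parse_w3c(log_text):
        status = int(row["sc-status"]) if row.get("sc-status", "").isdigit() else 0
        if (row.get("cs-username") == "-"
                and 200 <= status < 300
                and row.get("cs-uri-stem", "").lower().startswith(prefix.lower())):
            findings.append(Finding(f"{row['date']} {row['time']}", row["c-ip"],
                                    row["cs-method"], row["cs-uri-stem"], status))
    return findings

if __name__ == "__main__":
    for f in find_anonymous_private_access(SAMPLE_LOG):
        print(f"{f.when} {f.client} {f.method} {f.uri} -> {f.status} (anonymous)")
```

A 403 on the same path is not flagged (the ACL held), nor is a request with a logged user name; only anonymous successes under the prefix are reported.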