Oh Jesus Christ

You learn a lot when you’re a hacker.  Usually you learn how to go to jail, but I like doing everything under contract.  Then you realize you don’t have to do anything illegal, just keep your eyes open and the stupidest shit will kick you right in the face.

I work with intrusion detection systems.  This means if you browse a Web site or send an e-mail that the IDS picks up by mistake, I see it.  I see a lot of junk like this, usually nothing of any interest; and then someone pulls up a page with an image on it:

What the fuck?

Lovely don’t you think?  But look closely at the source URL…

http://scwmls.fnismls.com/Publink/Search/ScaledImage.aspx?h=193&w=320&img=\\10.147.119.35\paragoncommonfiles\listingpictures\SCWMLS\9\SCWMLS1508109.JPG

Yes, it says that.  Now of course I know, all too well, that I shouldn’t touch this.  I haven’t touched this.  I won’t touch this.  But damnit people, I bet I could use the C$ share to grab the SAM file or something stupid.  \\10.147.119.35\C$\boot.ini would make a good test.  It might not work, or it might.  Probably not over SMB, because of authentication requirements, so this proves rather useless right?

If it takes a UNC path it’ll damn well take a regular path like C:\boot.ini or C:\Windows\system32\config\SAM right?  All you need is proper access by the Web server.  Too bad this is ASPX and not ColdFusion MX; .NET runs as Network Service, but CFMX demands to run as System and opens up tons of ways to bypass authorization (and authentication if you do something stupid like this site did).  With this kind of retarded application architecture, I could grab any file off the local system due to quick and dirty authentication bypasses if they used ColdFusion.

One lovely trick I used to use on CFMX sites was to find exactly one login and password to one area of the site when the site used Windows authentication and NTFS permission to protect files and directories; once IIS authenticated you, it passed control to ColdFusion, which did the actual access without caring but with System level privileges.  Snagged myself a file called financial.xls that way once, and a .mdb access database someone was using to store customer credit card numbers (what the hell?); this was while that particular person was having me troubleshoot their site, and I raised concern on these issues as appropriate.

By the way, ColdFusion sites use pages with the .cfm extension, as with (for example) the NSA.  I name the NSA because I have no problem with their Web application and have no reason to believe it has any security issues (it doesn’t even accept user input, come on); I would like to name a few others, but I’ve accidentally caused their sites to spew customer information to my screen (reported this immediately) on pure bad Web application design (rather than ColdFusion-is-shit).  You have no idea how bad it gets when you see a site crash and unlike normal people you don’t hit reload but instead read through the 15 pages of debugging messages that got dumped to your screen.

Update: A new image.

WHAT THE FUCK? http://scwmls.fnismls.com/Publink/Search/ScaledImage.aspx?h=110&w=150&img=e:\inetpub\wwwroot\paragon\images\Realtor.jpg

So uh.  Yeah, above statement about grabbing C:\boot.ini or any other such file holds.  What’s juicy on a Windows system?
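From the IDS side, requests like the two above are easy to flag: any query parameter whose decoded value is a UNC path, a drive-letter path, or contains a `..` segment. The following is an added example, not part of the original post; the log line layout, timestamps, client addresses and the benign and percent-encoded requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Windows path shapes that a client-supplied query parameter should never carry.
UNC = re.compile(r"^(?:\\\\|//)[^\\/]+[\\/]+[^\\/]+")   # \\host\share or //host/share
DRIVE = re.compile(r"^[A-Za-z]:[\\/]")                   # C:\... or e:/...
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")    # a ".." path segment


def classify(value):
    """Name the kind of filesystem path in a decoded parameter value, or None."""
    if UNC.match(value):
        return "unc"
    if DRIVE.match(value):
        return "drive-absolute"
    if TRAVERSAL.search(value):
        return "traversal"
    return None


def findings(url):
    """Return (param, kind) for every query parameter whose value is a path."""
    # parse_qsl percent-decodes, so e%3A%5Cinetpub is inspected as e:\inetpub
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [(name, classify(value)) for name, value in pairs if classify(value)]


def scan(log_lines):
    """Return (line_number, param, kind) for each flagged request in the log."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        fields = line.split()
        if fields:  # URL is assumed to be the last whitespace-separated field
            hits += [(number, p, k) for p, k in findings(fields[-1])]
    return hits


# Constructed log lines; only the first two query strings come from the post.
BASE = "http://scwmls.fnismls.com/Publink/Search/ScaledImage.aspx"
SAMPLE_LOG = [
    "2008-03-28T10:00:01 192.0.2.10 GET " + BASE
    + r"?h=193&w=320&img=\\10.147.119.35\paragoncommonfiles\listingpictures\SCWMLS\9\SCWMLS1508109.JPG",
    "2008-03-28T10:00:02 192.0.2.10 GET " + BASE
    + r"?h=110&w=150&img=e:\inetpub\wwwroot\paragon\images\Realtor.jpg",
    "2008-03-28T10:00:03 192.0.2.11 GET " + BASE + "?h=110&w=150&img=Realtor.jpg",
    "2008-03-28T10:00:04 192.0.2.12 GET " + BASE
    + "?h=110&w=150&img=e%3A%5Cinetpub%5Cwwwroot%5Cparagon%5Cimages%5CRealtor.jpg",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The same three patterns work as a server-side reject rule in the handler itself, ahead of any file access.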


~ by John Moser on March 28, 2008.

 