• NTFS Alternate Data Stream vulnerability leaks webctrl.ini content

    From Rob Swindell@1:103/705 to GitLab issue in main/sbbs on Fri Jun 4 14:57:26 2021
    open https://gitlab.synchro.net/main/sbbs/-/issues/269

    With Windows NTFS, appending "::$DATA" to a filename is an alternate name for accessing a file's contents (data). This can be used in the Synchronet web server to defeat filename security checks, e.g.

    http://vert.synchro.net/members/webctrl.ini - fails with the expected error "403 Forbidden" while
    http://vert.synchro.net/members/webctrl.ini::$DATA - returns the contents of the sysop's members/webctrl.ini file

    There are likely other instances of this type of vulnerability in the web server, so I wanted to have a discussion around a more wholistic solution than simply addressing this one-off example (which would require only a trivial change to websrvr.c).
    --- SBBSecho 3.14-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
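Added example, not part of the thread and not Synchronet's websrvr.c change: a C sketch of why an exact-name check misses the "::$DATA" form, next to a check that refuses any request path NTFS could resolve to a different name. It goes beyond the reported case by also refusing components that end in '.' or ' ', which Win32 path normalization drops. The function names and the policy are assumptions.

```c
/* Added example (not Synchronet's websrvr.c); names and policy are assumptions. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Exact-name check on the last path component (case-insensitive). */
bool naive_is_protected(const char *path)
{
    const char *name = path, *want = "webctrl.ini";
    for (const char *p = path; *p; p++)
        if (*p == '/' || *p == '\\')
            name = p + 1;
    while (*name && *want && tolower((unsigned char)*name) == *want) {
        name++; want++;
    }
    return *name == '\0' && *want == '\0';
}

/* Refuse stream syntax (':') anywhere, and any component ending in '.' or ' '
 * (this also refuses "." and ".." components). */
bool path_is_unambiguous(const char *path)
{
    for (size_t i = 0; path[i]; i++) {
        char next = path[i + 1];
        if (path[i] == ':')
            return false;
        if ((next == '\0' || next == '/' || next == '\\') && (path[i] == '.' || path[i] == ' '))
            return false;
    }
    return true;
}

/* Serve only when the name compared is the name the filesystem will open. */
bool may_serve(const char *path)
{
    return path_is_unambiguous(path) && !naive_is_protected(path);
}

int main(void)
{
    /* Constructed request paths, modelled on the URLs in the report. */
    const char *paths[] = { "/members/webctrl.ini", "/members/webctrl.ini::$DATA",
                            "/members/webctrl.ini.", "/members/index.ssjs" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-30s naive_block=%d may_serve=%d\n", paths[i],
               naive_is_protected(paths[i]), may_serve(paths[i]));
    return 0;
}
```
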
  • From Deuce@1:103/705 to GitLab note in main/sbbs on Fri Jun 4 21:08:28 2021
    https://gitlab.synchro.net/main/sbbs/-/issues/269#note_2011

    Surprised it doesn't give a 404 error since the "file" doesn't exist. It's pretty insane if stat() and/or access() or whatever the web server uses allows it. A quick web search doesn't show any generic solutions.
  • From Rob Swindell@1:103/705 to GitLab note in main/sbbs on Fri Jun 4 21:30:34 2021
    https://gitlab.synchro.net/main/sbbs/-/issues/269#note_2012

    Yup, stat() and access() allow it. It is insane.
  • From Rob Swindell@1:103/705 to GitLab note in main/sbbs on Fri Jun 4 21:53:22 2021
    https://gitlab.synchro.net/main/sbbs/-/issues/269#note_2013

    For more info: https://nvd.nist.gov/vuln/detail/CVE-1999-0278
  • From Rob Swindell@1:103/705 to GitLab issue in main/sbbs on Sat Jun 5 00:41:52 2021
    close https://gitlab.synchro.net/main/sbbs/-/issues/269
  • From poindexter FORTRAN@1:103/705 to Rob Swindell on Sun Jun 6 10:03:00 2021
    Subject: Re: NTFS Alternate Data Stream vulnerability leaks webctrl.ini content
    @MSGID: <60BF7F75.25129.dove.sync_sys@realitycheckbbs.org>
    @REPLY: <60BAA1C7.50426.sync_sys@vert.synchro.net>
    @TZ: c1e0
    Rob Swindell wrote to GitLab issue in main/sbbs <=-

    open https://gitlab.synchro.net/main/sbbs/-/issues/269

    With Windows NTFS, appending "::$DATA" to a filename is an alternate
    name for accessing a file's contents (data).

    I saw a change to websrvr.c in the commit log - have there been any examples of exploits in the wild of this vulnerability, and should we be upgrading sooner rather than later or wait for the bigger picture solution you refer to?


    ... Abandon desire
    --- MultiMail/DOS v0.52
    ■ Synchronet ■ realitycheckBBS -- http://realitycheckBBS.org
  • From Digital Man@1:103/705 to poindexter FORTRAN on Tue Jun 8 18:13:02 2021
    Re: Re: NTFS Alternate Data Stream vulnerability leaks webctrl.ini content
    By: poindexter FORTRAN to Rob Swindell on Sun Jun 06 2021 10:03 am

    With Windows NTFS, appending "::$DATA" to a filename is an alternate name for accessing a file's contents (data).

    I saw a change to websrvr.c in the commit log - have there been any examples of exploits in the wild of this vulnerability, and should we be upgrading sooner rather than later or wait for the bigger picture solution you refer to?

    No, none that I'm aware of. The only vulnerability I imagined was the leaking of the contents of scripts (e.g. .xjs or .ssjs files) and webctrl.ini files. Most sysops probably don't think that stuff is too confidential to worry much about.
    --
    digital man

    Sling Blade quote #2:
    Karl (re: killing Doyle): I hit him two good whacks in the head with it.
    Norco, CA WX: 71.0°F, 53.0% humidity, 9 mph NNE wind, 0.00 inches rain/24hrs