I found Microsoft Server Extensions (_vti_pvt)

The service.cnf file was found in the _vti_pvt directory on a system running Microsoft FrontPage Server Extensions. This file contains meta-information about the web server. An attacker could submit a request for the vulnerable file and cause the server to reveal sensitive system information. The attacker could use this information to launch further attacks against the affected host. Recommendations include removing this file from the system if it is not needed, or tightening the default permission settings.

Explanation

With the default permission settings being too lenient, an attacker could submit a GET request to the server for the service.cnf file in the /_vti_pvt/ directory. A successful GET request would cause the host to reveal sensitive system information. The attacker could then use this information to launch further attacks against the affected host.

GET /_vti_pvt/service.cnf HTTP/1.1
Referer: xyz.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Accept: */*
Pragma: no-cache
Host: xyz.com
X-Scan-Memo: Category="Audit"; Function="createStateRequestFromAttackDefinition"; SID="72D2517010E234E2060E83A6AE5643C7"; PSID="3B5C6D4258EDE9E2520272F502F91B6B"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Server"; OriginatingEngineID="3a7ec23a-f5cb-4b05-96a6-1b112f48f417"; AttackSequence="0"; AttackParamDesc=""; AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="85"; Engine="Known"; Retry="False"; SmartMode="NonServerSpecificOnly"; ThreadId="39"; ThreadType="AuditDBReaderSessionDrivenAudit";
Connection: Keep-Alive
Cookie: CustomCookie=****************A2CCD6849B0A63D3EFF65615601Y3637;status=yes;username=;userid=;sessionid=;ASPSESSIONIDCARBTACT=MFDJMBECOPCHKADHOLMNBJPL;state=


For Security Operations:

If the file is not needed, remove it from the system. All FrontPage functionality will be lost, and no FrontPage Server Extension features will work, including publishing.

If the file is needed, ensure that the access control list (ACL) does not grant anonymous users access to the service.cnf file. Tighten the default permission settings to prevent unauthorized access to this file. Preventing unauthorized access to the file will prevent sensitive system information from being revealed to potential attackers.

Review the Reference Info section for more information on workarounds.

For Developers:

When building the web application, ensure that the service.cnf file is not publicly available via the production server.

For QA:

During testing, this assessment lists all files and folders in your web application, and details their significance. Ensure that developers are not leaving world-readable *.cnf files publicly available to a potential attacker via your web application.
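A defender-side check for the Security Operations and QA guidance above, added here as an example that is not part of the original post: it parses combined-format web access-log lines, normalizes each request path (case and percent-encoding, since IIS paths are case-insensitive and scanners often encode them), and flags every request into /_vti_pvt/, rating it high when the server answered 200 because that means the file was actually served rather than blocked. The log lines, IP addresses and function names are constructed assumptions, not data from the original host.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /_vti_pvt/service.cnf HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /_VTI_PVT/%73ervice.cnf HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:57:12 +0000] "GET /_vti_pvt/service.cnf HTTP/1.1" 403 0 "-" "curl/7.0"
"""

# client ip, timestamp, method, path and status from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The FrontPage private directory that should never be reachable anonymously.
PRIVATE_DIR = "/_vti_pvt/"


def normalize_path(path: str) -> str:
    """Strip the query string, decode percent-encoding twice (double-encoded
    probes), fold backslashes to slashes and lowercase (IIS is case-insensitive)."""
    bare = path.split("?", 1)[0]
    return unquote(unquote(bare)).replace("\\", "/").lower()


def scan_access_log(text: str) -> List[Dict]:
    """Return one finding per request that targeted /_vti_pvt/.
    severity 'high' means the server returned 200, i.e. the file was disclosed;
    'info' means the request was made but blocked (403/404/...)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognized access-log line
        path = normalize_path(m["path"])
        if PRIVATE_DIR not in path:
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "path": path,
            "status": status,
            "severity": "high" if status == 200 else "info",
        })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['severity']:4} {f['ip']:14} {f['status']} {f['path']}")
```

Run it against the real access log (IIS W3C logs need the field order adjusted in LOG_RE); any high finding after the ACL change means the permission tightening did not take effect.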

Tips

A basic requirement for a successful attack upon your web application is reconnaissance. An attacker will employ a variety of methods, including malicious scanning agents and Google searches, to find out as much information about your web application as possible. The attacker can then use that information to formulate the next method of attack. An attacker who discovers sensitive system information has had a large portion of reconnaissance conducted for him or her.

I’m a hacker, but I’m the good kind of hackers. And I’ve never been a criminal.

Mikko Hypponen

Blogger | Security Researcher | Digital forensic analyst | Twitter — @mrunal110
