Everhart,Glenn
From:	L1TCHFIELD [L1TCHFIELD@aol.com]
Sent:	Wednesday, April 15, 1998 6:03 PM
To:	ntsecurity@iss.net
Subject:	[NTSEC] wguest.exe - view any text-based file

I have recently discovered a bug in wguest.exe that can allow any remote
attacker to view any text-based file on your computer:

wguest.exe is a CGI script designed by Webcom Datakommunikation, a
Swedish-based company, that allows users to sign a guestbook. A search on
Altavista shows 103 servers have this program...there are obviously many more
than this. The web page form from where you add your information has a number
of "hidden" input types. One of these is as follows:

<input type="hidden" name="template" value="c:\inetpub\wwwroot\gb\template.htm">

or

<input type="hidden" name="template" value="/gb/template.htm">

Template.htm here is the file that will be displayed by wguest.exe after the
user has entered his information.

To exploit this, an attacker views the source, saves the document to his
desktop and edits this line by changing the path to whatever file he wants to
view,

e.g. <input type="hidden" name="template" value="c:\winnt\system32\$winnt$.inf">

          (If an unattended install was done the admin password can be gleaned
           from this file.)

He then clicks on "Submit" and then wguest.exe will display this file. Note:
sam._ in the winnt\repair directory cannot be viewed or downloaded exploiting
this. I don't know about pwl files...however the attacker must know the exact
path of the file he wishes to view.

l8r
David Litchfield
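
Added example, not part of the original post and not Webcom's code: a server-side check that a CGI of this kind could apply to the client-controlled "template" field, confining it to the guestbook directory under Windows path rules. The directory constants reuse the paths quoted above as an assumed layout; the function and class names are hypothetical.

```python
import ntpath  # Windows path semantics, independent of the OS running this sketch

# Assumed server layout, taken from the paths quoted in the post.
DOCROOT = r"c:\inetpub\wwwroot"
TEMPLATE_DIR = r"c:\inetpub\wwwroot\gb"
ALLOWED_EXT = {".htm", ".html"}


class TemplateRejected(ValueError):
    """The client-supplied template value does not name a guestbook template."""


def resolve_template(value: str) -> str:
    """Return the normalized path for the 'template' form field, or raise.

    The check is lexical only; it does not follow junctions or links on disk.
    """
    if not value or "\x00" in value:
        raise TemplateRejected("empty value or embedded NUL")
    v = value.replace("/", "\\")
    drive, rest = ntpath.splitdrive(v)
    if ":" in rest:  # e.g. an NTFS stream suffix such as "::$DATA"
        raise TemplateRejected("colon outside the drive prefix")
    if not drive:
        # Web-relative form ("/gb/template.htm"): anchor it under the docroot.
        v = ntpath.join(DOCROOT, rest.lstrip("\\"))
    # Collapse "." and ".." and fold case before comparing with the base.
    full = ntpath.normcase(ntpath.normpath(v))
    base = ntpath.normcase(ntpath.normpath(TEMPLATE_DIR))
    if not full.startswith(base + "\\"):
        raise TemplateRejected("outside the template directory")
    if ntpath.splitext(full)[1] not in ALLOWED_EXT:
        raise TemplateRejected("not a template file type")
    return full


def is_allowed(value: str) -> bool:
    try:
        resolve_template(value)
        return True
    except TemplateRejected:
        return False


if __name__ == "__main__":
    # The two legitimate values and the altered one quoted in the post.
    for sample in (r"c:\inetpub\wwwroot\gb\template.htm", "/gb/template.htm",
                   r"c:\winnt\system32\$winnt$.inf"):
        print(sample, "->", "served" if is_allowed(sample) else "rejected")
```

The stronger design is to keep the template path in server-side configuration and not accept it from the form at all.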