NetTalk Central

Topic: Security: Why might a GET on /_vti_bin/shtml.exe/_vti_rpc return a 200 response?

Flint G

I've been practicing with nikto against a NetTalk web server, trying to expand on recent training. The tool reports a number of informational items, one of which is this:

Code:
OSVDB-28260: POST /_vti_bin/shtml.exe/_vti_rpc?method=server+version%3a4%2e0%2e2%2e2611: Gives info about server settings.

If I replay the request through a proxy (I used Burp Suite Pro), the request looks like this:

Code:
GET /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1
Connection: close
User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:002763)
Host: [redacted: IP]

The response looks like this:
Code:
HTTP/1.1 200 OK
Date: Fri, 23 Jun 2017 04:28:33 GMT
Server: NetTalk-WebServer/8.31
Expires: Thu, 23 Jun 2016 04:28:33 GMT
Content-Length: 41
Content-Type: application/json
Cache-Control: no-store, no-cache, must-revalidate, private,post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Set-Cookie: SESSIONID=[redacted]; path=/; HttpOnly
Connection: close
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff

[redacted: return data]

A similar request does the same thing:
Code:
POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.1
Connection: close
Content-Length: 57
User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:003486)
Content-Type: application/x-www-form-urlencoded
Host: [redacted: IP]

method=open+service%3a3%2e0%2e2%2e1105&service%5fname=%2f

Response:
Code:
HTTP/1.1 200 OK
Date: Fri, 23 Jun 2017 03:24:47 GMT
Server: NetTalk-WebServer/8.31
Expires: Thu, 23 Jun 2016 03:24:47 GMT
Content-Length: 41
Content-Type: application/json
Cache-Control: no-store, no-cache, must-revalidate, private,post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Set-Cookie: SESSIONID=[redacted]; path=/; HttpOnly
Connection: close
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff

[redacted: return data]

The resources /_vti_bin/shtml.dll/_vti_rpc and /_vti_bin/shtml.exe/_vti_rpc certainly do not exist, and I would have expected a 404 response.

NetTalk: 12.26
Clarion: 9.1.11529
Brave: 1.31.88
Chrome: 95.0.4638.69
Edge: 95.0.1020.44
ExtJS: 7.0.0.156

Bruce

I would also expect a 404 response.
So, I guess, it must be finding something somewhere.

The place I'd start looking is in WebHandler, _SendFile method.
Perhaps there is embed code there?
It basically travels through there looking for some way to serve the file, so first thing to check is if it gets to the parent call.

All the "app" stuff happens before the parent call - so see if it makes it to the parent call.
If it does then inspect netweb.clw, and especially the call there to readfile.
Somewhere it's finding something to reply to - but where and how I don't know.

For what it's worth I did run it here against an example app and did get a 404.

cheers
Bruce
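
One way to triage the scanner finding discussed in this thread, as an added example that is not from either poster or from NetTalk: compare the flagged reply with the reply to a control request for a random path that cannot exist, ignoring headers that change on every request. The function names and the sample responses are constructed for illustration (the real body is redacted in the post).

```python
import uuid
from email.parser import Parser

# Headers that change on every request and say nothing about the handler.
VOLATILE = {"date", "expires", "set-cookie"}

def fingerprint(raw):
    """Reduce a raw HTTP/1.x response to (status, stable headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status_line, _, header_block = head.partition("\n")
    status = int(status_line.split()[1])
    headers = Parser().parsestr(header_block)
    stable = tuple(sorted((k.lower(), v) for k, v in headers.items()
                          if k.lower() not in VOLATILE))
    return status, stable, body.strip()

def classify(flagged_raw, baseline_raw):
    """Compare the scanner-flagged reply with the reply to a random path."""
    flagged, baseline = fingerprint(flagged_raw), fingerprint(baseline_raw)
    if flagged[0] == 404:
        return "not-found"        # server behaves as expected
    if flagged == baseline:
        return "catch-all"        # same reply for any unknown path
    return "path-specific"        # something handles this path itself

def baseline_path():
    """Path that cannot exist on the server, for the control request."""
    return "/" + uuid.uuid4().hex

def sample(status, reason, body, date, session):
    """Constructed response shaped like the captures in the post."""
    return (f"HTTP/1.1 {status} {reason}\r\nDate: {date}\r\n"
            "Server: NetTalk-WebServer/8.31\r\n"
            f"Content-Length: {len(body)}\r\nContent-Type: application/json\r\n"
            f"Set-Cookie: SESSIONID={session}; path=/; HttpOnly\r\n"
            "Connection: close\r\n\r\n" + body)

# Constructed data: the real body is redacted in the post.
BODY = '{"placeholder":"constructed sample body"}'
FLAGGED = sample(200, "OK", BODY, "Fri, 23 Jun 2017 04:28:33 GMT", "aaaa")
SAME = sample(200, "OK", BODY, "Fri, 23 Jun 2017 04:29:10 GMT", "bbbb")
MISSING = sample(404, "Not Found", "", "Fri, 23 Jun 2017 04:29:11 GMT", "cccc")

if __name__ == "__main__":
    print(baseline_path())              # random control path to request
    print(classify(FLAGGED, SAME))      # catch-all
    print(classify(FLAGGED, MISSING))   # path-specific
```

A "catch-all" result means the 200 says nothing about the /_vti_bin/ paths in particular; a "path-specific" result means the flagged path is handled differently from other unknown paths and is the case worth tracing through the handler.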