Bugtraq mailing list archives

Re: New vulnerability in IIS4.0/5.0


From: Paul McGovern <isles () sevendust org>
Date: Thu, 20 Sep 2001 23:58:36 -0400 (EDT)

On Wed, 19 Sep 2001, Dave Ahmad wrote:

| This seems to be just another way to exploit the double decode
| vulnerability (Bugtraq ID 2708).  There is a possibility that it may be a
| new issue due to the use of '%u' method of encoding.  It does not look
| that way to us.
|
| <snip>
|
| Has anyone managed to exploit a patched system?

Unfortunately, I have. I noticed a few weeks back that our network at
work was periodically getting extremely slow, and after a bit of
investigation utilizing tcpdump, it turned out our NT4 webserver (running
IIS4 with all up-to-date security patches) was being used to pingflood
various hosts with the exact exploit mentioned in the advisory which
started this thread. The IIS logs showed what translated into the
following:

http://target/scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+ping+ ...
etc

Baffled, I double-checked to make sure the decode vuln. patch had been
installed, and it was indeed there. After trying to reapply the patch, I
figured IIS just wasn't taking the patch and did a stopgap fix using some
file renaming and guest access permission-removal tricks. The machine in
question is being upgraded to Win2k server very soon anyway, so the
stopgap was good enough for the past few weeks. I suppose my assumption
that there was a problem with our IIS4 installation (causing the hotfix
not to work) may have been incorrect after reading this advisory. Your
mileage may vary :)

--
Paul McGovern
http://isles.krad.org
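An added example, not part of the original post or thread: a small log scanner that normalizes the IIS-specific %uXXXX form alongside ordinary (and doubled) %XX encoding before checking for traversal, so that requests like the one above are caught even when the raw log line never shows a literal "..\". It assumes a constructed W3C-style log layout (date, time, client IP, method, URI stem, query, status) and a two-round decode, both of which are assumptions, not IIS specifics.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not real IIS output); field order is assumed:
# date time client-ip method uri-stem uri-query status
SAMPLE_LOG = """\
2001-09-19 03:12:44 10.0.0.5 GET /scripts/..%u005c..%u005cwinnt/system32/cmd.exe /c+dir 200
2001-09-19 03:12:50 10.0.0.5 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 200
2001-09-19 03:13:01 10.0.0.7 GET /index.html - 200
2001-09-19 03:13:09 10.0.0.7 GET /images/logo.gif - 200
"""

def decode_u(s):
    """Expand the IIS-style %uXXXX escape, which urllib's unquote does not know."""
    return re.sub(r'%u([0-9a-fA-F]{4})',
                  lambda m: chr(int(m.group(1), 16)), s)

def normalize(uri, rounds=2):
    """Decode %u and %XX escapes repeatedly (to unwrap %25-style double
    encoding), then fold backslashes into forward slashes for matching."""
    for _ in range(rounds):
        uri = unquote(decode_u(uri))
    return uri.replace('\\', '/')

# A ".." segment anywhere in the decoded path is what we flag.
TRAVERSAL = re.compile(r'(^|/)\.\./')

def is_traversal(uri):
    return bool(TRAVERSAL.search(normalize(uri)))

def scan_log(text):
    """Return (client_ip, decoded_uri) for every line whose URI traverses."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        client, uri = fields[2], fields[4]
        if is_traversal(uri):
            hits.append((client, normalize(uri)))
    return hits

if __name__ == "__main__":
    for client, path in scan_log(SAMPLE_LOG):
        print(f"{client} -> {path}")
```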
