Hi - Here we want to explain why exploitation of this vulnerability fails in some cases. The vulnerability exists in both IIS 4.0 and IIS 5.0, but exploitation of it would fail for some factors. 1. Why NT 4 SP6(SP6a) is not affected? That's because SP6(a) will perform a check for the existence of requested file after the first decoding. Attack will fail for files like C:\interpub\scripts\..%5c..%5c..%5cwinnt\system\cmd.exe don not actually exist. But this check of SP6 seems to be just a temporary fix to address some certain vulnerability. And it was removed in some following hotfixes. Thus, if you have only applied SP6(a) for your NT 4, you would not be affected by this vulnerability. 2. Will systems with patch provided by MS00-078(MS00-057) be affected? MS00-078 and MS00-057 provide the same patch, which will perform a check of filename for ".\" and "./" after the first decoding. In case that such characters exist, request would be denied. Thus, it only casually addresses UNICODE vulnerability. By covering "./" or ".\" after the first decoding, an attacker can still successfully make use of "Decoding error" vulnerability. For example: "..%255c..%255cwinnt/system32/cmd.exe" will be converted into "..%5c..%5cwinnt/system32/cmd.exe" after the first decoding. Thus the request can bypass the security check. But "..%255c../winnt/system32/cmd.exe" will be converted into "..%5c../winnt/system32/cmd.exe" after the first decoding. Thus the attack fails since the decoded name contains './'. 3. Will systems with patch provided by MS00-086 be affected? The patch provided by MS00-086 successfully addressed the UNICODE vulnerability. But Microsoft has updated the patches for some times. First versions will provide filename check for some dangerous characters like '%' or '"' after the first decoding. Thus, you will not be affected by "Decoding error" vulnerability if you apply these versions. But Microsoft remove the check again in the final version of the patch, apply which will make your system affected. Regards, Nsfocus Security Team <securityat_private> http://www.nsfocus.com
This archive was generated by hypermail 2b30 : Thu May 17 2001 - 06:53:47 PDT