Re: NSFOCUS SA2001-02 : Microsoft IIS CGI Filename Decode Error Vulnerability

From: Nsfocus Security Team (securityat_private)
Date: Thu May 17 2001 - 04:29:24 PDT


    Hi -
    
    Here we want to explain why exploitation of this vulnerability fails in 
    some cases.
    
    The vulnerability exists in both IIS 4.0 and IIS 5.0, but exploitation
    of it can fail due to several factors.
    
    1. Why is NT 4 SP6 (SP6a) not affected?
    
       That's because SP6(a) performs a check for the existence of the
       requested file after the first decoding. The attack will fail because
       files like 
       C:\inetpub\scripts\..%5c..%5c..%5cwinnt\system\cmd.exe
       do not actually exist.
       
       But this check in SP6 seems to be just a temporary fix to address
       some particular vulnerability, and it was removed in some later
       hotfixes.
       Thus, if you have only applied SP6(a) to your NT 4, you would not be
       affected by this vulnerability.
    
    2. Are systems with the patch provided by MS00-078 (MS00-057) affected?
    
       MS00-078 and MS00-057 provide the same patch, which performs a
       check of the filename for ".\" and "./" after the first decoding. If
       such characters exist, the request is denied. Thus, it only 
       superficially addresses the UNICODE vulnerability. By hiding "./" or 
       ".\" behind the first decoding, an attacker can still successfully 
       make use of the "Decoding error" vulnerability.
       
       For example:
    
       "..%255c..%255cwinnt/system32/cmd.exe"
       will be converted into 
       "..%5c..%5cwinnt/system32/cmd.exe"
       after the first decoding. Thus the request can bypass the security 
       check.
    
       But
       "..%255c../winnt/system32/cmd.exe"
       will be converted into 
       "..%5c../winnt/system32/cmd.exe"
       after the first decoding. Thus the attack fails since the decoded 
       name contains './'.
    
    3. Are systems with the patch provided by MS00-086 affected?
    
       The patch provided by MS00-086 successfully addressed the UNICODE
       vulnerability.
       
       But Microsoft has updated the patch several times. The first versions
       perform a filename check for some dangerous characters like '%'
       or '"' after the first decoding. Thus, you will not be affected 
       by the "Decoding error" vulnerability if you apply those versions.
       But Microsoft removed the check again in the final version of the 
       patch, and applying it will leave your system affected.
    
    
    
    Regards,
    Nsfocus Security Team <securityat_private>
    http://www.nsfocus.com
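Every check the post describes (file existence after one decoding, rejecting "./" and ".\" after one decoding, rejecting a remaining '%' or '"') inspects the filename after a single decoding pass, which is exactly what a doubly encoded separator slips past. The Python script below is an illustration added here; it is not part of the NSFOCUS post or of any Microsoft patch. It models the MS00-078/MS00-057-style check and the early-MS00-086-style check on the two request strings quoted in point 2, next to a decode-to-fixed-point canonicalization of the kind a defender would use instead. The function names, the benign sample path and the fixed-point approach are assumptions of this example.

```python
from urllib.parse import unquote

# Constructed sample request paths, taken from the patterns quoted in the post.
DOUBLE_ENCODED = "..%255c..%255cwinnt/system32/cmd.exe"  # passes a single-decode check
MIXED_ENCODED = "..%255c../winnt/system32/cmd.exe"      # rejected after one decoding
BENIGN = "scripts/tool.exe"                              # constructed harmless path


def decode_once(path: str) -> str:
    """One pass of percent-decoding: '%255c' becomes '%5c', '%5c' becomes '\\'."""
    return unquote(path)


def ms00_078_style_check(path: str) -> bool:
    """Hypothetical model of the MS00-078/MS00-057 check as the post describes it:
    decode once, then deny the request if './' or '.\\' is present.
    Returns True when the request would be allowed through."""
    once = decode_once(path)
    return "./" not in once and ".\\" not in once


def early_ms00_086_style_check(path: str) -> bool:
    """Hypothetical model of the early MS00-086 versions as the post describes
    them: after one decoding, deny if a '%' or '"' still remains."""
    once = decode_once(path)
    return "%" not in once and '"' not in once


def canonicalize(path: str, max_rounds: int = 8) -> str:
    """Defender-side alternative (an assumption of this example, not a
    Microsoft fix): keep decoding until the string no longer changes, so
    no encoding layer can hide a separator, then normalise '\\' to '/'."""
    current = path
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return current.replace("\\", "/")
        current = decoded
    raise ValueError("too many nested encoding layers")


def hardened_check(path: str) -> bool:
    """Allow the request only if no segment of the fully decoded name is '..'."""
    return ".." not in canonicalize(path).split("/")


if __name__ == "__main__":
    for sample in (DOUBLE_ENCODED, MIXED_ENCODED, BENIGN):
        print(sample)
        print(f"  after one decoding : {decode_once(sample)}")
        print(f"  MS00-078 style     : {'allowed' if ms00_078_style_check(sample) else 'denied'}")
        print(f"  early MS00-086     : {'allowed' if early_ms00_086_style_check(sample) else 'denied'}")
        print(f"  fixed-point decode : {'allowed' if hardened_check(sample) else 'denied'}")
```

Running it shows the asymmetry the post points out: the mixed string is denied by the single-decode "./" check, while the fully double-encoded string is allowed by it and only caught once the name is decoded to a fixed point (or, as in the early MS00-086 builds, when a leftover '%' is treated as a reason to refuse). The `max_rounds` bound keeps the canonicalizer from looping on pathological input.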
    