I just wrote a NASL for this bug. It's untested, but I hope it works. The problem was that I found no IIS where I could reproduce this error (I tested five IIS 4 and IIS 5 boxes). I will improve it when I find a working box ...

Btw: I also updated the CF Admin test.

Best regards
Felix Huber

-------------------------------------------------------
Felix Huber, Security Consultant, Webtopia
Guendlinger Str.2, 79241 Ihringen - Germany
huberfelixat_private
http://www.webtopia.de
(07668) 951 156 (phone)
(07668) 951 157 (fax)
(01792) 205 724 (mobile)
-------------------------------------------------------

From: "ALife // BERG" <buginfoat_private>
To: <Bugtraqat_private>
Sent: Wednesday, September 19, 2001 11:38 AM
Subject: New vulnerability in IIS4.0/5.0

> -----[ Bright Eyes Research Group | Advisory # be00001e ]-----------------
>
> Remote users can execute any command on several
> IIS 4.0 and 5.0 systems by using UTF codes
>
> -------------------------------------[ security.instock.ru ]--------------
>
> Topic: Remote users can execute any command on several
> IIS 4.0 and 5.0 systems by using UTF codes
>
> Announced: 2001-09-19
> Credits: ALife <buginfoat_private>
> Affects: Microsoft IIS 4.0/5.0
>
> --------------------------------------------------------------------------
>
> ---[ Description
>
> For example, the target has a virtual executable directory (e.g.
> "scripts") that is located on the same drive as the Windows system.
> Submit a request like this:
>
> http://target/scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+dir+c:\
>
> The directory listing of C:\ will be revealed.
>
> Of course, the same effect can be achieved by this kind of processing
> of '/' and '.'. For example: "..%u002f", ".%u002e/", "..%u00255c",
> "..%u0025%u005c" ...
>
> Note: The attacker can run commands with IUSR_machinename account privileges
> only.
>
> This is where things go wrong in IIS 4.0 and 5.0. IIS first scans
> the given URL for ../ and ..\ and for the normal Unicode encodings of these
> strings; if those are found, the string is rejected; if they are
> not found, the string is decoded and interpreted. Since the filter
> does NOT check for the huge number of overlong Unicode representations
> of ../ and ..\, the filter is bypassed and the directory traversal
> routine is invoked.
>
> ---[ Workarounds
>
> 1. Delete the executable virtual directory like /scripts etc.
> 2. If an executable virtual directory is needed, we suggest that you
> assign a separate local drive for it.
> 3. Move all command-line utilities that could be used by an attacker
> to another directory, and forbid the GUEST group access to those
> utilities.
>
> ---[ Vendor Status
>
> 2001.09.19 We informed Microsoft of this vulnerability.
>
> ---[ Additional Information
>
> [1] RFC 1642 UTF-7 - A Mail-Safe Transformation Format of Unicode.
> RFC 2152
> [2] RFC 2044 UTF-8, a transformation format of Unicode and ISO 10646.
> RFC 2279
> [3] RFC 2253 Lightweight Directory Access Protocol (v3): UTF-8 String
> Representation of Distinguished Names.
>
> ---[ DISCLAIMS
>
> THE INFORMATION PROVIDED IS RELEASED BY BRIGHT EYES RESEARCH GROUP (BERG)
> "AS IS" WITHOUT WARRANTY OF ANY KIND. BERG DISCLAIMS ALL WARRANTIES,
> EITHER EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY.
> IN NO EVENT SHALL BERG BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING
> DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR
> SPECIAL DAMAGES, EVEN IF BERG HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
> DAMAGES. DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT
> THE ADVISORY IS NOT MODIFIED IN ANY WAY.
>
> -------------------------------------[ security.instock.ru ]--------------
> -----[ Bright Eyes Research Group | Advisory # be00001e ]-----------------
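An added example, not from the post, the NASL script or the BERG advisory, that shows the advisory's point from the defender's side: a filter that inspects the raw URL before decoding misses the %u-encoded forms listed above, while one that canonicalises first catches them. The decoder models IIS's %uXXXX and %XX handling as the advisory describes it (an assumption about ordering), and the request lines are constructed.

```python
import re

_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")   # non-standard %uXXXX form
_PCT = re.compile(r"%([0-9a-fA-F]{2})")      # standard %XX form

def decode_once(path):
    """One decoding pass: %uXXXX first, then %XX (assumed IIS ordering)."""
    path = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), path)
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), path)

def canonicalize(path, max_rounds=3):
    """Decode until stable so double encodings such as '..%u00255c'
    collapse, then fold '\\' into '/' so one check covers both separators."""
    for _ in range(max_rounds):
        decoded = decode_once(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def naive_filter_rejects(raw_path):
    """Vulnerable order from the advisory: check the raw URL, decode later."""
    return "../" in raw_path or "..\\" in raw_path

def hardened_filter_rejects(raw_path):
    """Fixed order: canonicalize first, then look for a parent-directory step."""
    return "../" in canonicalize(raw_path)

# Constructed request lines (METHOD PATH STATUS). The first three use the
# encodings listed in the advisory; the last is a benign %u-encoded dot.
SAMPLE_LOG = [
    "GET /scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+dir+c:\\ 200",
    "GET /scripts/..%u00255c..%u00255cwinnt/system32/cmd.exe?/c+dir 200",
    "GET /scripts/.%u002e/..%u002f../winnt/system32/cmd.exe 200",
    "GET /scripts/upload.asp?file=report%u002etxt 200",
]

def flag_traversal_requests(lines):
    """Return the request paths that leave the virtual directory once decoded."""
    paths = [line.split()[1] for line in lines]
    return [p for p in paths if hardened_filter_rejects(p)]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        path = line.split()[1]
        print(f"naive={naive_filter_rejects(path)!s:5} "
              f"hardened={hardened_filter_rejects(path)!s:5} {path}")
```

Only the third request contains a literal "../" and would be caught by the raw-URL check; the first two pass it and are caught only after canonicalisation.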
This archive was generated by hypermail 2b30 : Wed Sep 19 2001 - 09:29:29 PDT