RE: New vulnerability in IIS4.0/5.0

From: Matt Moore (mattat_private)
Date: Wed Sep 19 2001 - 09:44:33 PDT


    I can't reproduce this bug either - tested on a few servers (including some
    patched / unpatched for other dir traversal exploits.) I didn't bother to
    write a script for it, just tried it manually from a browser.
    
    This may be a hoax? Also, someone just sent an advisory and 'exploit' for
    wu-ftpd to vuln-dev, which apparently trashes your hard drive.
    
    Anyone get this IIS exploit to work?
    
    Matt
    
    
    
    > -----Original Message-----
    > From: owner-plugins-writersat_private
    > [mailto:owner-plugins-writersat_private]On Behalf Of Felix Huber
    > Sent: 19 September 2001 17:29
    > To: Renaud Deraison
    > Cc: plugins-writersat_private; nessus-develat_private
    > Subject: Fw: New vulnerability in IIS4.0/5.0
    >
    >
    > I just wrote a NASL for this bug. It's untested but I hope it works.
    > The problem was I found no IIS where I could reproduce this error
    > (I tested five IIS 4 and IIS 5 boxes).
    > I will improve it when I find a working box ...
    >
    > Btw: I also updated the CF Admin Test.
    >
    >
    > Regards
    > Felix Huber
    >
    >
    > -------------------------------------------------------
    > Felix Huber, Security Consultant, Webtopia
    > Guendlinger Str.2, 79241 Ihringen - Germany
    > huberfelixat_private     (07668)  951 156 (phone)
    > http://www.webtopia.de     (07668)  951 157 (fax)
    >                                          (01792)  205 724 (mobile)
    > -------------------------------------------------------
    >
    >
    > From: "ALife // BERG" <buginfoat_private>
    > To: <Bugtraqat_private>
    > Sent: Wednesday, September 19, 2001 11:38 AM
    > Subject: New vulnerability in IIS4.0/5.0
    >
    >
    > > -----[ Bright Eyes Research Group | Advisory # be00001e ]-----------------
    > >
    > >              Remote users can execute any command on several
    > >                IIS 4.0 and 5.0 systems by using UTF codes
    > >
    > > -------------------------------------[ security.instock.ru ]--------------
    > >
    > > Topic:              Remote users can execute any command on several
    > >                     IIS 4.0 and 5.0 systems by using UTF codes
    > >
    > > Announced:          2001-09-19
    > > Credits:            ALife <buginfoat_private>
    > > Affects:            Microsoft IIS 4.0/5.0
    > >
    > >
    > > --------------------------------------------------------------------------
    > >
    > > ---[ Description
    > >
    > >      For example, the target has a virtual executable directory (e.g.
    > > "scripts") that is located on the same drive as the Windows system.
    > > Submit a request like this:
    > >
    > > http://target/scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+dir+c:\
    > >
    > > Directory list of C:\ will be revealed.
    > >
    > > Of course, same effect can be achieved by this kind of  processing
    > > to  '/'  and  '.'. For  example:  "..%u002f", ".%u002e/", "..%u00255c",
    > > "..%u0025%u005c" ...
    > >
    > > Note: Attacker can run commands of IUSR_machinename account privilege
    > >       only.
    > >
    > >      This is where things go wrong in IIS 4.0 and 5.0: IIS first scans
    > > the given URL for ../ and ..\ and for the normal unicode of these
    > > strings. If those are found, the string is rejected; if they are
    > > not found, the string is decoded and interpreted. Since the filter
    > > does NOT check for the huge number of overlong unicode representations
    > > of ../ and ..\, the filter is bypassed and the directory traversal
    > > routine is invoked.
    > >
    > > ---[ Workarounds
    > >
    > >      1. Delete the executable virtual directory like /scripts etc.
    > >      2. If an executable virtual directory is needed, we suggest you
    > >         assign a separate local drive for it.
    > >      3. Move all command-line utilities that could be used by an attacker
    > >         to another directory, and forbid the GUEST group access to those
    > >         utilities.
    > >
    > > ---[ Vendor Status
    > >
    > >      2001.09.19  We informed Microsoft of this vulnerability.
    > >
    > > ---[ Additional Information
    > >
    > >  [1] RFC 1642 UTF-7 - A Mail-Safe Transformation Format of Unicode.
    > >      RFC 2152
    > >  [2] RFC 2044 UTF-8, a transformation format of Unicode and ISO 10646.
    > >      RFC 2279
    > >  [3] RFC 2253 Lightweight Directory Access Protocol (v3): UTF-8 String
    > >               Representation of Distinguished Names.
    > >
    > > ---[ DISCLAIMER
    > >
    > > THE INFORMATION PROVIDED IS RELEASED BY BRIGHT EYES RESEARCH GROUP (BERG)
    > > "AS IS" WITHOUT WARRANTY OF ANY KIND. BERG DISCLAIMS ALL WARRANTIES,
    > > EITHER EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY.
    > > IN NO EVENT SHALL BERG BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING
    > > DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR
    > > SPECIAL DAMAGES, EVEN IF BERG HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
    > > DAMAGES. DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT
    > > THE ADVISORY IS NOT MODIFIED IN ANY WAY.
    > >
    > > -------------------------------------[ security.instock.ru ]--------------
    > > -----[ Bright Eyes Research Group | Advisory # be00001e ]-----------------
    > >
    > >
    >
    
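The filter-ordering problem the quoted advisory describes (reject literal `../` and `..\` first, decode afterwards) is the general "validate before canonicalize" mistake. The following is an added example, not code from this thread, from the advisory authors or from IIS: it models the literal pre-decode check next to a decode-then-check filter and runs both over constructed requests built from the `%uXXXX` variants the advisory lists. The `%uXXXX` regex and the fail-closed rule on leftover `%` are this example's own assumptions, not IIS behaviour.

```python
import re
from urllib.parse import unquote

# IIS-style %uXXXX escapes, the encoding used by the requests in the advisory
_U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})", re.IGNORECASE)


def decode_once(path: str) -> str:
    """One decoding round: %uXXXX first, then ordinary %XX."""
    path = _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), path)
    return unquote(path)


def canonicalize(path: str, max_rounds: int = 4) -> str:
    """Decode to a fixed point (bounded) and unify separators, for checking
    only: the server must still decode a request exactly once to serve it."""
    path = path.split("?", 1)[0]  # the query string is not part of the path
    for _ in range(max_rounds):
        decoded = decode_once(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def literal_filter_rejects(raw: str) -> bool:
    """Simplified model of the advisory's check: look for ../ and ..\\ before decoding."""
    return "../" in raw or "..\\" in raw


def canonical_filter_rejects(raw: str) -> bool:
    """Decode first, then check; fail closed on anything left undecodable."""
    canon = canonicalize(raw)
    if "%" in canon:  # stray '%' = malformed or nested encoding (also rejects
        return True   # a literal '%' in a name, acceptable for a scripts dir)
    return ".." in canon.split("/")


# Constructed sample requests built from the variants the advisory lists,
# mapped to whether a correct filter should reject them
SAMPLES = {
    "/scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+dir+c:\\": True,
    "/scripts/.%u002e/.%u002e/winnt/system32/cmd.exe": True,
    "/scripts/..%u00255c..%u00255cwinnt/system32/cmd.exe": True,
    "/scripts/..%u0025%u005cwinnt/system32/cmd.exe": True,
    "/scripts/../winnt/system32/cmd.exe": True,
    "/scripts/report%20q3.asp": False,
}

if __name__ == "__main__":
    for req, expect in SAMPLES.items():
        print(literal_filter_rejects(req), canonical_filter_rejects(req), expect, req)
```

Run stand-alone it prints, per request, what the literal filter decides, what the decode-then-check filter decides, and the expected verdict; only the plain `../` request is caught by the literal check.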



    This archive was generated by hypermail 2b30 : Wed Sep 19 2001 - 09:44:28 PDT