Mailing List Archive

I just wrote a NASL for this Bug. Its untested but I hope it works.
The problem was I found no IIS where I could reproduce this error ( I testet
five IIS 4 and IIS 5 Boxes ).
I will improve it when i found a working Box ...

Btw: I also updated the CF Admin Test.


MfG
Felix Huber


-------------------------------------------------------
Felix Huber, Security Consultant, Webtopia
Guendlinger Str.2, 79241 Ihringen - Germany
huberfelix@webtopia.de (07668) 951 156 (phone)
http://www.webtopia.de (07668) 951 157 (fax)
(01792) 205 724 (mobile)
-------------------------------------------------------


From: "ALife // BERG" <buginfo@inbox.ru>
To: <Bugtraq@securityfocus.com>
Sent: Wednesday, September 19, 2001 11:38 AM
Subject: New vulnerability in IIS4.0/5.0


> -----[ Bright Eyes Research Group | Advisory # be00001e ]-----------------
>
> Remote users can execute any command on several
> IIS 4.0 and 5.0 systems by using UTF codes
>
> -------------------------------------[ security.instock.ru ]--------------
>
> Topic: Remote users can execute any command on several
> IIS 4.0 and 5.0 systems by using UTF codes
>
> Announced: 2001-09-19
> Credits: ALife <buginfo@inbox.ru>
> Affects: Microsoft IIS 4.0/5.0
>
> --------------------------------------------------------------------------
>
> ---[. Description
>
> For example, target has a virtual executable directory (e.g.
> "scripts") that is located on the same driver of Windows system.
> Submit request like this:
>
> http://target/scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+dir+c:\
>
> Directory list of C:\ will be revealed.
>
> Of course, same effect can be achieved by this kind of processing
> to '/' and '.'. For example: "..%u002f", ".%u002e/", "..%u00255c",
> "..%u0025%u005c" ...
>
> Note: Attacker can run commands of IUSR_machinename account privilege
> only.
>
> This is where things go wrong in IIS 4.0 and 5.0, IIS first scans
> the given url for ../ and ..\ and for the normal unicode of these
> strings, if those are found, the string is rejected, if these are
> not found, the string will be decoded and interpreted. Since the filter
> does NOT check for the huge amount of overlong unicode representations
> of ../ and ..\ the filter is bypassed and the directory traversalling
> routine is invoked.
>
> ---[. Workarounds
>
> 1. Delete the executable virtual directory like /scripts etc.
> 2. If executable virtual directory is needed, we suggest you to
> assign a separate local driver for it.
> 3. Move all command-line utilities to another directory that could
> be used by an attacker, and forbid GUEST group access those
> utilities.
>
> ---[. Vendor Status
>
> 2001.09.19 We informed Microsoft of this vulnerability.
>
> ---[ Additional Information
>
> [1] RFC 1642 UTF-7 - A Mail-Safe Transformation Format of Unicode.
> RFC 2152
> [2] RFC 2044 UTF-8, a transformation format of Unicode and ISO 10646.
> RFC 2279
> [3] RFC 2253 Lightweight Directory Access Protocol (v3): UTF-8 String
> Representation of Distinguished Names.
>
> ---[. DISCLAIMS
>
> THE INFORMATION PROVIDED IS RELEASED BY BRIGHT EYES RESEARCH GROUP (BERG)
> "AS IS" WITHOUT WARRANTY OF ANY KIND. BERG DISCLAIMS ALL WARRANTIES,
> EITHER EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY.
> IN NO EVENTSHALL BERG BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING
> DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR
> SPECIAL DAMAGES, EVEN IF BERG HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
> DAMAGES. DISTRIBUTION OR REPRODUTION OF THE INFORMATION IS PROVIDED THAT
> THE ADVISORY IS NOT MODIFIED IN ANY WAY.
>
> -------------------------------------[ security.instock.ru ]--------------
> -----[ Bright Eyes Research Group | Advisory # be00001e ]-----------------
>
>