Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:1611
HistoryMay 15, 2001 - 12:00 a.m.

NSFOCUS SA2001-02 : Microsoft IIS CGI Filename Decode Error Vulnerability

2001-05-1500:00:00
vulners.com
52
JSON

NSFBUGTRAQOCUS Security Advisory(SA2001-02)

Topic: Microsoft IIS CGI Filename Decode Error Vulnerability

Release DateЈє 2001-5-15

CVE Candidate Numbers: CAN-2001-0333
BUGTRAQ ID : 2708

Affected system:

  • Microsoft IIS 4.0
  • Microsoft IIS 5.0

Not affected system:

  • Microsoft IIS 4.0
    • Microsoft Windows NT 4 + SP6/SP6a(without any new hotfix)

Impact:

NSFOCUS Security Team has found a vulnerability in filename processing
of CGI program in MS IIS4.0/5.0. CGI filename is decoded twice by error.
Exploitation of this vulnerability, intruder may run arbitrary system
command.

DescriptionЈє

When loading executable CGI program, IIS will decode twice. First, CGI
filename will be decoded to check if it is an executable file (for
example, '.exe' or '.com' suffix check-up). Successfully passing the
filename check-up, IIS will run another decode process.
Normally, only CGI parameters should be decoded in this process. But
this time IIS mistakenly decodes both CGI parameters and the decoded
CGI filename. In this way, CGI filename is decoded twice by error.

With a malformed CGI filename, attacker can get round IIS filename
security check-ups like '…/' or './' check-up. In some cases, attacker
can run arbitrary system command.

For example, a character '\' will be encoded to "%5c". And the corresponding
code of these 3 characters is:
'%' = %25
'5' = %35
'c' = %63

encode this 3 characters for another time, we can get many results such as:
%255c
%%35c
%%35%63
%25%35%63

Thereby, '…\' can be represented by '…%255c' and '…%%35c', etc.
After first decoding, '…%255c' is turned into '…%5c'. IIS will take it as a
legal character string that can pass security check-up. But after a second
decode process, it will be reverted to '…\'. Hence, attacker can use '…\'
to carry out directory traversal and run arbitrary program outside of Web
directory.

Exploit:

For example, TARGET has a virtual executable directory (e.g. "scripts")
that is located on the same driver of Windows system. Submit request like
this:

http://TARGET/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\

Directory list of C:\ will be revealed.

Of course, same effect can be achieved by this kind of processing to '/'
and '.'.
For example: "…%252f", ".%252e/"…

Note: Attacker can run commands of IUSER_machinename account privilege only.

Workaround:

1ЎўIf executable CGI is not integrant, delete the executable virtual
directory like /scripts etc.
2ЎўIf executable virtual directory is needed, we suggest you to assign a
separate local driver for it.
3ЎўMove all command-line utilities to another directory that could be used
by an attacker, and forbid GUEST group access those utilities.

Vendor Status:

2001.3.27 We informed Microsoft of this vulnerability.
2001.4.01 Microsoft replied that the bug has been reproduced.
2001.4.16 Microsoft supplied private patches for testing and the
problem had been solved.
2001.4.23 For further testing, Microsoft requested us to hold off the
release of the advisory for 2 weeks.
2001.4.30 Microsoft informed us that we should put off the release
for another week.
2001.5.14 Microsoft has released one security bulletin(MS01-026)
concerning this flaw.

The bulletin is live at :

http://www.microsoft.com/technet/security/bulletin/MS01-026.asp

Patches are available at:

Microsoft IIS 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787

Microsoft IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has
assigned the name CAN-2001-0333 to this issue. This is a
candidate for inclusion in the CVE list (http://cve.mitre.org),
which standardizes names for security problems. Candidates
may change significantly before they become official CVE entries.

DISCLAIMS:

THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENTSHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2001 NSFOCUS. All Rights Reserved. Terms of use.

NSFOCUS Security Team <[email protected]>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)

Related

securityvulns 2
canvas 1
saint 4
cve 1
cert 1
packetstorm 2
nessus 1
openvas 2
securityvulns
securityvulns
Advisory CA-2001-12
2001-05-16 00:00:00
ISS Alert: IIS URL Decoding Vulnerability
2001-05-16 00:00:00
canvas
canvas
Immunity Canvas: IIS_DOUBLEDECODE
2001-06-27 04:00:00
saint
saint
IIS Double Decoding Directory Traversal
2005-11-28 00:00:00
IIS Double Decoding Directory Traversal
2005-11-28 00:00:00
IIS Double Decoding Directory Traversal
2005-11-28 00:00:00
cve
cve
CVE-2001-0333
2001-06-27 04:00:00
cert
cert
IIS decodes filenames superfluously after applying security checks
2001-05-15 00:00:00
packetstorm
packetstorm
sa2001_02.txt
2001-05-17 00:00:00
Microsoft IIS/PWS CGI Filename Double Decode Command Execution
2010-05-26 00:00:00
nessus
nessus
MS01-026 / MS01-044: Microsoft IIS Remote Command Execution (uncredentialed check)
2001-05-15 00:00:00
openvas
openvas
IIS Remote Command Execution
2005-11-03 00:00:00
Microsoft IIS Remote Command Execution (MS01-026/MS01-044) - Active Check
2005-11-03 00:00:00
JSON
Related for SECURITYVULNS:DOC:1611
securityvulns2canvas1saint4cve1cert1packetstorm2nessus1openvas2