ISS Alert: IIS URL Decoding Vulnerability

May 16, 2001


-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Alert
May 15, 2001

IIS URL Decoding Vulnerability

Synopsis:

A flaw exists in Microsoft Internet Information Server (IIS) that may allow
remote attackers to view directory structures, view and delete files, execute
arbitrary commands, and deny service to the server. It is possible for
attackers to craft URLs that take advantage of a flaw in IIS URL decoding
routines. Security mechanisms within these routines can be bypassed. All
recent versions of IIS are affected by this vulnerability.

Description:

This vulnerability is very similar to the IIS Unicode Translation
Vulnerability described at http://xforce.iss.net/alerts/advise68.php. As
with the Unicode vulnerability, this is a variation of the common "dot
dot" directory traversal attack. Older Web servers were vulnerable to this
attack because the ".." directories in URLs allowed attackers to back out
of the web root directory. This allowed attackers to navigate the file
system or execute commands at will. IIS and most current Web servers have
incorporated security measures to prevent the "dot dot" attack. These
security measures deny all queries to URLs that contain too many leading
slashes or ".." characters. The Unicode vulnerability was a result of
improper handling of Unicode encoded ".." and "/" characters. This new
vulnerability exploits another flaw in the IIS encoding mechanism that
allows a similar result.

When IIS receives a query on a server-side script, it performs a decoding
pass on the request. The string is decoded into canonical form and
numerous security checks are performed to ensure the request is valid. A
second decoding routine is then run on the request to parse the parameters
that follow the filename. IIS mistakenly applies this second decoding pass
to the filename as well, after the security checks have already run. A
".." or "/" whose percent-encoding was itself percent-encoded (for example
"%255c", which the first pass turns into "%5c") therefore passes the checks
and only becomes a literal path-separator character on the second pass.
This flaw allows specially crafted requests which include ".." and "/"
characters to bypass security checks.
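The two decoding passes described above, as an added example in Python that is not IIS code and is not part of the original alert. `vulnerable_resolve` models the flawed order of operations (decode, run the "dot dot" check, decode again, map to disk) and `hardened_resolve` the corrected one (decode exactly once, canonicalize, and check the result against the web root). The web root `/inetpub/wwwroot` and the request paths are constructed for illustration.

```python
"""Double-decoding demonstration for the IIS URL decoding flaw.

Added example for this advisory, not IIS source code. WEB_ROOT and the
request paths in SAMPLES are constructed for illustration.
"""
import re
from posixpath import normpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/inetpub/wwwroot"   # assumed web root (illustration only)

# The "dot dot" check, applied to the decoded string: reject any '..'
# segment, whether it is delimited by '/' or by '\'.
_DOT_DOT = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def dot_dot_check_passes(path: str) -> bool:
    return _DOT_DOT.search(path) is None


def map_to_filesystem(path: str) -> str:
    """Join a URL path onto the web root; Windows treats '\\' like '/'."""
    return normpath(WEB_ROOT + "/" + path.replace("\\", "/").lstrip("/"))


def vulnerable_resolve(request_path: str) -> Optional[str]:
    """Models the flawed sequence: decode, run the security checks, then
    decode AGAIN (the pass meant only for the parameters after the
    filename) before mapping to the file system."""
    once = unquote(request_path)
    if not dot_dot_check_passes(once):
        return None                      # blocked: single-encoded traversal
    twice = unquote(once)                # the mistaken second decoding pass
    return map_to_filesystem(twice)      # the checks never saw this string


def hardened_resolve(request_path: str) -> Optional[str]:
    """Decode exactly once, canonicalize, and check that the *result* stays
    inside the web root, i.e. check the string that will actually be opened
    rather than the encoded form."""
    target = map_to_filesystem(unquote(request_path))
    if target != WEB_ROOT and not target.startswith(WEB_ROOT + "/"):
        return None
    return target


# Constructed requests: a benign one, a single-encoded traversal (which the
# string check catches) and a double-encoded one (which it does not).
SAMPLES = {
    "benign": "/scripts/hello%20world.asp",
    "single": "/scripts/..%5c..%5ctarget.txt",
    "double": "/scripts/..%255c..%255ctarget.txt",
}


def compare() -> dict:
    """Resolve every sample with both routines; None means 'rejected'."""
    return {name: (vulnerable_resolve(p), hardened_resolve(p))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (vuln, hard) in compare().items():
        print(f"{name:7} vulnerable -> {vuln!r:50} hardened -> {hard!r}")
```

Run stand-alone, the double-encoded sample resolves to `/inetpub/target.txt` through the vulnerable routine, outside the web root, while the hardened routine keeps it inside the root as a file that simply does not exist. The lesson is the one the advisory's description implies: the check has to run on the exact string that is handed to the file system, not on an intermediate encoding.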

All queries are processed under the IUSR_machine context, which is a
member of the 'Everyone' and 'Users' groups. This provides access to the
web directory and most non-administrative functions. Attackers may not
directly modify or delete files owned by the Administrator, nor run
commands with privilege.

By crafting a request after a virtual directory with execute permissions, it
is possible for an attacker to execute arbitrary commands. Attackers may
then have the ability to manipulate the appearance of the Web site,
download sensitive data, or install backdoor software.

This class of IIS vulnerabilities is well known and lends itself to being
widely exploited by incorporation into worms and automatic scanning tools.

Affected Versions:

Microsoft IIS 4.0
Microsoft IIS 5.0

Older versions of IIS are not vulnerable.

Recommendations:

Please refer to the following Microsoft Bulletins for information on the
patches:

Microsoft IIS 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787
Microsoft IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764

ISS RealSecure Intrusion Detection customers may use the following
user-defined signature to detect exploitation attempts. Follow the
instructions below to apply the user-defined signature to your policy.

  • From the Sensor window:
  1. Right-click on the sensor and select 'Properties'.
  2. Choose a policy you want to use, and click 'Customize'.
  3. Select the 'User Defined Events' tab.
  4. Click 'Add' on the right hand side of the dialog box.
  5. Create a User Defined Event.
  6. Type in a name of the event, such as "IIS URL Decoding Vulnerability".
  7. In the 'Context' field for the event, select 'URL_Data'. In the 'String'
    field, type the following string:
    %5c|%2e|%2f
  8. Click 'Save', and then 'Close'.
  9. Click 'Apply to Sensor' or 'Apply to Engine', depending on the version of
    RealSecure you are using.

This signature detects all publicly known versions of this attack. It looks
for the strings "%5c", "%2e", or "%2f" in an HTTP GET request. These
strings show up in requests that attempt to exploit this vulnerability.
RealSecure decodes all of the escaped characters in the request once before
passing it on to the user-defined signatures, so a legitimately encoded
request no longer contains these strings when the match is made, while a
double-encoded request (for example "%255c", which decodes to "%5c") still
does.
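How the user-defined signature above behaves once RealSecure has decoded the request a single time, as an added example in Python that is not ISS code. `signature_fires` decodes the URL once and then matches the alternation `%5c|%2e|%2f` exactly as typed into the String field; the request lines are constructed, and case-insensitive matching is an assumption made here rather than documented RealSecure behaviour.

```python
"""Single-decode-then-match model of the advisory's RealSecure signature.

Added example, not ISS code. REQUESTS are constructed sample request lines;
case-insensitive matching is an assumption.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

SIGNATURE = "%5c|%2e|%2f"          # the advisory's String field, verbatim

# Treat the '|' as alternation of literal substrings (assumption about the
# RealSecure string syntax); IGNORECASE is also an assumption.
_PATTERN = re.compile(
    "|".join(re.escape(part) for part in SIGNATURE.split("|")),
    re.IGNORECASE,
)


def url_of(request_line: str) -> str:
    """Pull the URL out of an HTTP request line such as 'GET /x HTTP/1.0'."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else ""


def signature_fires(request_line: str) -> bool:
    """RealSecure decodes the escaped characters once, then matches."""
    decoded_once = unquote(url_of(request_line))
    return _PATTERN.search(decoded_once) is not None


# Constructed traffic: benign requests, a single-encoded traversal (which
# IIS itself rejects) and three double-encoded variants.
REQUESTS = [
    "GET /default.asp HTTP/1.0",
    "GET /scripts/hello%20world.asp HTTP/1.0",
    "GET /scripts/..%5c..%5ctarget.txt HTTP/1.0",
    "GET /scripts/..%255c..%255ctarget.txt HTTP/1.0",
    "GET /scripts/..%252f..%252ftarget.txt HTTP/1.0",
    "GET /scripts/%252e%252e/target.txt HTTP/1.0",
]


def scan(lines: List[str]) -> List[Tuple[str, bool]]:
    """Return each request line paired with whether the signature fires."""
    return [(line, signature_fires(line)) for line in lines]


if __name__ == "__main__":
    for line, hit in scan(REQUESTS):
        print(("ALERT " if hit else "      ") + line)
```

Only the three double-encoded lines fire: after one decode they still carry `%5c`, `%2f` or `%2e`, whereas `%20` has become a space and `%5c` a backslash. That is why the signature can be a bare substring match without flooding the console with alerts for ordinary encoded URLs.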

The ISS X-Force will provide additional functionality to detect this
vulnerability in upcoming X-Press Updates for RealSecure and System
Scanner.

Additional Information:

Please refer to the Microsoft Security Bulletin on this vulnerability:
http://www.microsoft.com/technet/security/bulletin/MS01-026.asp

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CAN-2001-0333 to this issue. This is a candidate for inclusion in the CVE
list (http://cve.mitre.org), which standardizes names for security
problems.


About Internet Security Systems (ISS)

Internet Security Systems, Inc. is a leading global provider of security
management solutions for the Internet, protecting digital assets and
ensuring safe and uninterrupted e-business. With its industry-leading
intrusion detection and vulnerability assessment, remote managed security
services, and strategic consulting and education offerings, ISS is a
trusted security provider to more than 8,000 customers worldwide including
21 of the 25 largest U.S. commercial banks and the top 10 U.S.
telecommunications companies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and the
Middle East. For more information, visit the Internet Security Systems
web site at www.iss.net or call 888-901-7477.

Copyright (c) 2001 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert in
any other medium excluding electronic medium, please e-mail [email protected]
for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
[email protected] of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOwF54zRfJiV99eG9AQH92wP+OiuSNiS8RjtzxITB7kCTrzsQbatpFNwQ
e/DfDd6m7HKqcyW2XRHKspRdMJpfQYOv2IZ32+Wxnctbir7qO/leeSOtZZmpxrGZ
ateXoWFMcdqYN8A3V6MzumK0qxXWQeXnJZysGJiYsWxZfnIpBdopV5KE5ZUBYFRE
vJB3buUg5uU=
=pj+e
-----END PGP SIGNATURE-----