[20691] in bugtraq
Re: NSFOCUS SA2001-02 : Microsoft IIS CGI Filename Decode Error Vulnerability
daemon@ATHENA.MIT.EDU (Nsfocus Security Team)
Thu May 17 09:53:38 2001
Message-Id: <200105171127.f4HBRmL23391@gateway.nsfocus.com>
Date: Thu, 17 May 2001 19:29:24 +0800
From: Nsfocus Security Team <security@nsfocus.com>
To: "BUGTRAQ@securityfocus.com" <BUGTRAQ@securityfocus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Hi -
Here we want to explain why exploitation of this vulnerability fails in
some cases.
The vulnerability exists in both IIS 4.0 and IIS 5.0, but exploitation
of it would fail for some factors.
1. Why NT 4 SP6(SP6a) is not affected?
That's because SP6(a) will perform a check for the existence of
requested file after the first decoding. Attack will fail for files
like
C:\interpub\scripts\..%5c..%5c..%5cwinnt\system\cmd.exe
don not actually exist.
But this check of SP6 seems to be just a temporary fix to address
some certain vulnerability. And it was removed in some following
hotfixes.
Thus, if you have only applied SP6(a) for your NT 4, you would not be
affected by this vulnerability.
2. Will systems with patch provided by MS00-078(MS00-057) be affected?
MS00-078 and MS00-057 provide the same patch, which will perform a
check of filename for ".\" and "./" after the first decoding. In case
that such characters exist, request would be denied. Thus, it only
casually addresses UNICODE vulnerability. By covering "./" or ".\" after
the first decoding, an attacker can still successfully make use of
"Decoding error" vulnerability.
For example:
"..%255c..%255cwinnt/system32/cmd.exe"
will be converted into
"..%5c..%5cwinnt/system32/cmd.exe"
after the first decoding. Thus the request can bypass the security
check.
But
"..%255c../winnt/system32/cmd.exe"
will be converted into
"..%5c../winnt/system32/cmd.exe"
after the first decoding. Thus the attack fails since the decoded
name contains './'.
3. Will systems with patch provided by MS00-086 be affected?
The patch provided by MS00-086 successfully addressed the UNICODE
vulnerability.
But Microsoft has updated the patches for some times. First versions
will provide filename check for some dangerous characters like '%'
or '"' after the first decoding. Thus, you will not be affected
by "Decoding error" vulnerability if you apply these versions.
But Microsoft remove the check again in the final version of the
patch, apply which will make your system affected.
Regards,
Nsfocus Security Team <security@nsfocus.com>
http://www.nsfocus.com
