[22681] in bugtraq


New vulnerability in IIS4.0/5.0

daemon@ATHENA.MIT.EDU (ALife // BERG)
Wed Sep 19 12:05:45 2001

From: "ALife // BERG" <buginfo@inbox.ru>
To: Bugtraq@securityfocus.com
Date: Wed, 19 Sep 2001 09:38:16 +0000 (GMT)
Reply-To: "ALife // BERG" <buginfo@inbox.ru>
Message-Id: <E15jdo8-000NZy-00@f12.port.ru>


-----[ Bright Eyes Research Group | Advisory # be00001e ]-----------------

             Remote users can execute any command on several
               IIS 4.0 and 5.0 systems by using UTF codes

-------------------------------------[ security.instock.ru ]--------------

Topic:              Remote users can execute any command on several
                    IIS 4.0 and 5.0 systems by using UTF codes

Announced:          2001-09-19
Credits:            ALife <buginfo@inbox.ru>
Affects:            Microsoft IIS 4.0/5.0

--------------------------------------------------------------------------

---[ Description

     Suppose the target has an executable virtual directory (e.g.
"scripts") whose physical location is on the same drive as the Windows
system directory. Submit a request like this:

http://target/scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+dir+c:\

The directory listing of C:\ is returned. (%u005c is IIS's own %uXXXX
encoding of the code point U+005C, the backslash.)

The same effect can be achieved by encoding '/' and '.' in the same way,
for example: "..%u002f", ".%u002e/", "..%u00255c", "..%u0025%u005c" ...

Note: The attacker's commands run only with the privileges of the
      IUSR_machinename account (the anonymous web user).

     This is where IIS 4.0 and 5.0 go wrong. IIS first scans the requested
URL for "../" and "..\" and for the ordinary encoded forms of those
strings; if any is found the request is rejected, otherwise the URL is
decoded and interpreted. Because the filter does not check the many
alternative Unicode encodings of "../" and "..\" (such as the %uXXXX
forms above), the filter is bypassed and the path-resolution routine
performs the traversal. The check is applied to the undecoded string, so
any representation the decoder understands but the filter does not will
slip through; the correct order is to decode and canonicalise first and
check the result.
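As an added illustration, not code from the advisory or from Microsoft, the Python below models the check-then-decode ordering the description attributes to IIS and compares it with a handler that decodes fully, canonicalises, and only then checks that the resulting path stays under the virtual directory's root. The %u requests are the advisory's own; the mapping of /scripts to C:/Inetpub/scripts, the benign request, and the %XX double-encoded request (the plain-percent analogue of the advisory's "..%u00255c") are assumptions made for the example.

```python
import re

# Assumed layout (not from the advisory): /scripts is mapped to C:/Inetpub/scripts,
# which sits on the same drive as the C:/WINNT system directory.
VDIR_URL = "/scripts"
VDIR_ROOT = "C:/Inetpub/scripts"

_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")   # IIS-specific %uXXXX (one UTF-16 code unit)
_PCT = re.compile(r"%([0-9a-fA-F]{2})")      # standard %XX


def pct_decode(s):
    """One pass of standard %XX decoding only (the 'normal' encoding the filter knows)."""
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), s)


def iis_decode_once(s):
    """One pass of IIS-style decoding: %uXXXX first, then %XX."""
    return pct_decode(_PCT_U.sub(lambda m: chr(int(m.group(1), 16)), s))


def decode_fully(s, max_rounds=4):
    """Repeat decoding until the string is stable so nested forms such as ..%u00255c
    unwrap. Bounded so a hostile input cannot keep the loop busy."""
    for _ in range(max_rounds):
        d = iis_decode_once(s)
        if d == s:
            break
        s = d
    return s


def looks_like_traversal(s):
    return "../" in s or "..\\" in s


def resolve(url_path):
    """Map a decoded URL path under VDIR_URL to a filesystem path, collapsing '.'
    and '..' segments with either separator. Returns None if not under the vdir."""
    if not url_path.lower().startswith(VDIR_URL):
        return None
    rest = url_path[len(VDIR_URL):]
    if rest and rest[0] not in "/\\":
        return None
    stack = VDIR_ROOT.split("/")
    for seg in re.split(r"[\\/]+", rest):
        if seg in ("", "."):
            continue
        if seg == "..":
            if len(stack) > 1:          # never pop the drive letter itself
                stack.pop()
        else:
            stack.append(seg)
    return "/".join(stack)


def inside_root(fs_path):
    p, r = fs_path.lower(), VDIR_ROOT.lower()
    return p == r or p.startswith(r + "/")


def vulnerable_iis(request):
    """Model of the order the advisory describes: look for '../' and '..\\' (raw or
    %XX-encoded) BEFORE decoding, then decode and map to disk. This is a model of
    the ordering, not IIS's actual code."""
    path = request.partition("?")[0]
    if looks_like_traversal(path) or looks_like_traversal(pct_decode(path)):
        return ("rejected", None)
    fs = resolve(decode_fully(path))
    return ("served", fs) if fs else ("rejected", None)


def hardened_iis(request):
    """Decode completely, canonicalise, then check the RESULT stays under the root."""
    path = request.partition("?")[0]
    fs = resolve(decode_fully(path))
    if fs is None or not inside_root(fs):
        return ("rejected", fs)
    return ("served", fs)


# Constructed sample requests: the four from the advisory, one plain traversal,
# one %XX-encoded traversal, one %XX double-encoded traversal, and one benign request.
SAMPLE_REQUESTS = [
    "/scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+dir+c:\\",
    "/scripts/..%u002f..%u002fwinnt/system32/cmd.exe?/c+dir+c:\\",
    "/scripts/.%u002e/.%u002e/winnt/system32/cmd.exe?/c+dir+c:\\",
    "/scripts/..%u00255c..%u00255cwinnt/system32/cmd.exe?/c+dir+c:\\",
    "/scripts/../../winnt/system32/cmd.exe?/c+dir+c:\\",
    "/scripts/%2e%2e%2f%2e%2e%2fwinnt/system32/cmd.exe?/c+dir+c:\\",
    "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\\",
    "/scripts/test.asp",
]


def run_demo():
    """Return {request: (vulnerable verdict, hardened verdict)} for the samples."""
    return {r: (vulnerable_iis(r), hardened_iis(r)) for r in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for req, (vuln, hard) in run_demo().items():
        print(f"{req}\n    vulnerable: {vuln}\n    hardened:   {hard}")
```

Running the block shows the plain and %XX-encoded "../" requests rejected by both handlers, while every %u form (and the double-encoded %255c form, which the pre-decode check also misses) is served by the vulnerable model as C:/winnt/system32/cmd.exe and rejected by the hardened one; the benign request is served by both.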

---[ Workarounds

     1. Delete executable virtual directories such as /scripts if they are
        not needed.
     2. If an executable virtual directory is needed, place it on a local
        drive separate from the one holding the Windows system directory,
        so that "..\" cannot reach %SystemRoot%.
     3. Move command-line utilities that an attacker could use (cmd.exe in
        particular) to another directory, and deny the Guests group access
        to those utilities.

---[ Vendor Status

     2001.09.19  We informed Microsoft of this vulnerability.

---[ Additional Information

 [1] RFC 1642, UTF-7: A Mail-Safe Transformation Format of Unicode
     (obsoleted by RFC 2152).
 [2] RFC 2044, UTF-8, a transformation format of Unicode and ISO 10646
     (obsoleted by RFC 2279).
 [3] RFC 2253, Lightweight Directory Access Protocol (v3): UTF-8 String
     Representation of Distinguished Names.

---[ DISCLAIMER

THE INFORMATION PROVIDED IS RELEASED BY BRIGHT EYES RESEARCH GROUP (BERG)
"AS IS" WITHOUT  WARRANTY  OF ANY KIND. BERG  DISCLAIMS  ALL  WARRANTIES,
EITHER EXPRESS OR IMPLIED, EXCEPT FOR  THE WARRANTIES OF MERCHANTABILITY.
IN NO EVENT SHALL BERG BE LIABLE  FOR  ANY  DAMAGES  WHATSOEVER INCLUDING
DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR
SPECIAL DAMAGES, EVEN IF BERG HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PERMITTED
PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.

-------------------------------------[ security.instock.ru ]--------------
-----[ Bright Eyes Research Group | Advisory # be00001e ]-----------------


