[22691] in bugtraq


RE: New vulnerability in IIS4.0/5.0

daemon@ATHENA.MIT.EDU (Microsoft Security Response Center)
Thu Sep 20 14:24:21 2001

Date: Wed, 19 Sep 2001 19:12:16 -0700
Message-ID: <C10F7F33B880B248BCC47DB44673884703C42BA9@red-msg-07.redmond.corp.microsoft.com>
From: "Microsoft Security Response Center" <secure@microsoft.com>
To: "ALife // BERG" <buginfo@inbox.ru>, <Bugtraq@securityfocus.com>
Cc: "Microsoft Security Response Center" <secure@microsoft.com>


Hi All -

We've investigated this report, but it appears to be a false alarm.
We have been unable to reproduce any of the claims on IIS 4.0 or 5.0
with the latest cumulative patch applied
(http://www.microsoft.com/technet/security/bulletin/MS01-044.asp), or
on the latest beta version of IIS 5.1.  The results from other
security organizations are the same -- none report any ability to
reproduce the claims in the report.

This is a good example of the wrong way to handle a security
vulnerability report.  We didn't receive this report until mid-day
today, well after it had been published on BugTraq and we'd already
begun an investigation.  There is simply no rationale for sending a
vulnerability report to the world first, and to the vendor -- the
only party that could build a patch -- last.

If this had been a bona fide vulnerability, the irresponsible way it
was reported would have put a weapon into malicious users' hands,
thereby putting users needlessly at risk.  Even though the report
turned out to be false, there still was a cost to the user community.
Because the authors chose to create an emergency, Microsoft and
other organizations investigating the Nimda worm had to divert
resources into checking the new report.  This cost all of us valuable
time, and hindered our efforts to help users defend their systems
against Nimda.

We established the Microsoft Security Response Center to make it easy
for people to report potential security vulnerabilities to us.  We
monitor the secure@microsoft.com email address seven days a week, 365
days a year, and we investigate every report we receive.  Sending a
report to the vendor first makes sense, both from the perspective of
protecting users and ensuring that the researcher's name is only
associated with valid, reproducible reports.

Regards,

Scott Culp
Microsoft Security Response Center
Microsoft Corporation


-----Original Message-----
From: ALife // BERG [mailto:buginfo@inbox.ru]
Sent: Wednesday, September 19, 2001 2:38 AM
To: Bugtraq@securityfocus.com
Subject: New vulnerability in IIS4.0/5.0


-----[ Bright Eyes Research Group | Advisory # be00001e ]-----------------

             Remote users can execute any command on several
               IIS 4.0 and 5.0 systems by using UTF codes

-------------------------------------[ security.instock.ru ]--------------

Topic:              Remote users can execute any command on several
                    IIS 4.0 and 5.0 systems by using UTF codes

Announced:          2001-09-19
Credits:            ALife
Affects:            Microsoft IIS 4.0/5.0

--------------------------------------------------------------------------

---[ Description

     For example, the target has a virtual executable directory (e.g.
"scripts") that is located on the same drive as the Windows system.
Submit a request like this:

http://target/scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+dir+c:\

The directory listing of C:\ will be revealed.

Of course, the same effect can be achieved by this kind of processing of
'/' and '.'. For example: "..%u002f", ".%u002e/", "..%u00255c",
"..%u0025%u005c" ...

Note: An attacker can run commands with the privileges of the
      IUSR_machinename account only.

     This is where things go wrong in IIS 4.0 and 5.0: IIS first scans
the given URL for ../ and ..\ and for the normal Unicode encoding of
these strings; if those are found, the string is rejected, and if they
are not found, the string is decoded and interpreted. Since the filter
does NOT check for the huge number of overlong Unicode representations
of ../ and ..\, the filter is bypassed and the directory traversal
routine is invoked.

---[ Workarounds

     1. Delete the executable virtual directory, such as /scripts etc.
     2. If an executable virtual directory is needed, we suggest you
        assign a separate local drive for it.
     3. Move all command-line utilities that could be used by an
        attacker to another directory, and forbid GUEST group access
        to those utilities.

---[ Vendor Status

     2001.09.19  We informed Microsoft of this vulnerability.

---[ Additional Information

 [1] RFC 1642 UTF-7 - A Mail-Safe Transformation Format of Unicode.
     RFC 2152
 [2] RFC 2044 UTF-8, a transformation format of Unicode and ISO 10646.
     RFC 2279
 [3] RFC 2253 Lightweight Directory Access Protocol (v3): UTF-8 String
     Representation of Distinguished Names.

---[ DISCLAIMER

THE INFORMATION PROVIDED IS RELEASED BY BRIGHT EYES RESEARCH GROUP
(BERG) "AS IS" WITHOUT WARRANTY OF ANY KIND. BERG DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES OF
MERCHANTABILITY. IN NO EVENT SHALL BERG BE LIABLE FOR ANY DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF BERG HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR
REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE ADVISORY IS NOT
MODIFIED IN ANY WAY.

-------------------------------------[ security.instock.ru ]--------------
-----[ Bright Eyes Research Group | Advisory # be00001e ]-----------------



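The technical claim in the quoted advisory is about ordering: the traversal check runs on the raw request before the %u escapes are decoded. The Python below is an added example by the editor, not code from the original post, from BERG or from Microsoft, and it does not model IIS's real decoder; it places that check-before-decode filter beside a decode-then-check one that canonicalizes %uXXXX and %XX escapes to a fixed point (so a double encoding such as ..%u00255c also collapses) and adds a detector that flags such requests in constructed common-log-format lines (the log format and sample addresses are assumptions).

```python
import re

_U_ESC = re.compile(r"%u([0-9a-fA-F]{4})")   # IIS-specific %uXXXX escape
_HEX_ESC = re.compile(r"%([0-9a-fA-F]{2})")  # standard %XX escape

def decode_once(s: str) -> str:
    """Undo one layer of %uXXXX / %XX escaping."""
    s = _U_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)
    return _HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)

def canonicalize(path: str, max_rounds: int = 4) -> str:
    """Decode until stable (so ..%u00255c collapses to ..\\) and fold '\\'
    into '/'. Gives up after max_rounds so the caller can fail closed."""
    for _ in range(max_rounds):
        decoded = decode_once(path)
        if decoded == path:
            return path.replace("\\", "/")
        path = decoded
    raise ValueError("too many encoding layers")

def naive_filter_allows(raw: str) -> bool:
    """Check-before-decode, the ordering the advisory attributes to IIS."""
    return "../" not in raw and "..\\" not in raw

def hardened_filter_allows(raw: str) -> bool:
    """Decode-then-check: canonicalize first, then refuse any '..' segment."""
    try:
        canon = canonicalize(raw)
    except ValueError:
        return False  # undecodable nesting: fail closed
    return ".." not in canon.split("/")

def find_encoded_traversal(log_lines):
    """Return request paths from CLF-style log lines that pass the naive
    filter but are traversal once canonicalized."""
    hits = []
    for line in log_lines:
        fields = line.split()  # fields[5] is '"GET', fields[6] the path
        path = fields[6] if len(fields) > 6 else ""
        if naive_filter_allows(path) and not hardened_filter_allows(path):
            hits.append(path)
    return hits

# Constructed sample log lines (assumed format; not from the original post).
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Sep/2001:02:38:00 +0000] "GET /scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 512',
    '10.0.0.6 - - [19/Sep/2001:02:39:00 +0000] "GET /index.htm HTTP/1.0" 200 1024',
]
```

The canonicalizer only resolves percent escapes; a stricter policy would also treat any '%' left over after decoding as malformed and reject the request.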
