SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server Vendors:   Microsoft
Microsoft IIS Web Server Allows Remote Users to Execute Commands on the Server Due to CGI Decoding Error
SecurityTracker Alert ID:  1001530
SecurityTracker URL:  http://securitytracker.com/id/1001530
CVE Reference:   CVE-2001-0246   (Links to External Site)
Date:  May 15 2001
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): IIS 5.0, IIS 4.0 (except when on NT 4 with SP6/SP6a[without any new hotfix])
Description:   NSFOCUS announced discovery of a vulnerability in Microsoft Internet Information Server that allows remote users to execute commands on the server.

NSFOCUS reports that when loading an executable CGI program, the IIS web server will perform two successive decode operations. The first is to decode the CGI filename and determine if it is an executable file. The second is to determine CGI parameters. However, the web server will (improperly) decode the file name on the second pass. As a result, a remote user can create a malformed CGI filename to circumvent normal IIS filename security filtering (such as ".." filtering) and traverse directories.

For example, NSFOCUS reports that the following URL, if the target host has a virtual executable directory called scripts, will provide a directory listing of the C:\ directory:

http://[targethost]/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\

Malformed URLs can be used to run commands with the privileges of the IUSER_machinename account.

Impact:   A remote user can execute commands on and retrieve files from the server.
Solution:   Microsoft has prepared a fix (which will be posted shortly).
Vendor URL:  www.microsoft.com/technet/security/bulletin/MS01-026.asp (Links to External Site)
Cause:   State error
Underlying OS:  Windows (NT), Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Microsoft Issues Fix) Re: Microsoft IIS Web Server Allows Remote Users to Execute Commands on the Server Due to CGI Decoding Error
Microsoft has released a patch.
(CERT Issues Advisory) Re: Microsoft IIS Web Server Allows Remote Users to Execute Commands on the Server Due to CGI Decoding Error
CERT issued Advisory CA-2001-12.
(Exploit Code) Re: Microsoft IIS Web Server Allows Remote Users to Execute Commands on the Server Due to CGI Decoding Error
This contains demonstration exploit code.
(MS Personal Web Server Also Vulnerable) Re: Microsoft IIS Web Server Allows Remote Users to Execute Commands on the Server Due to CGI Decoding Error
Microsoft Personal Web Server is also vulnerable.
(Additional Information) Re: Microsoft IIS Web Server Allows Remote Users to Execute Commands on the Server Due to CGI Decoding Error
Some additional information as to why exploitation of this vulnerability fails in some cases is provided.
(CIAC Issues Bulletin) Re: Microsoft IIS Web Server Allows Remote Users to Execute Commands on the Server Due to CGI Decoding Error
CIAC has issued a security bulletin (Number L-083).



 Source Message Contents

Subject:  ___Vulnerability___


NSFOCUS Security Advisory(SA2001-02)

Topic: Microsoft IIS CGI Filename Decode Error Vulnerability

Release Date: May 15, 2001

CVE Candidate Numbers: CAN-2001-0246

Affected system:
============

Microsoft IIS 4.0
Microsoft IIS 5.0 

Non-affected system: 
================

Microsoft IIS 4.0 
    + Microsoft Windows NT 4 + SP6/SP6a(without any new hotfix)

Impact: 
=====

NSFOCUS Security Team has found a vulnerability in filename processing
of CGI program in MS IIS4.0/5.0. CGI filename is decoded twice by error.

Exploitation of this vulnerability, intruder may run arbitrary system 
command.

Description: 
========

When loading executable CGI program, IIS will decode twice. First, CGI 
filename will be decoded to check if it is an executable file (for 
example, '.exe' or '.com' suffix check-up). Successfully passing the 
filename check-up, IIS will run another decode process. 
Normally, only CGI parameters should be decoded in this process. But 
this time IIS mistakenly decodes both CGI parameters and the decoded 
CGI filename. In this way, CGI filename is decoded twice by error.

With a malformed CGI filename, attacker can get round IIS filename 
security check-ups like '../' or './' check-up. In some cases, attacker
can run arbitrary system command.

For example, a character '\' will be encoded to "%5c". And the
corresponding 
code of these 3 characters is:
'%' = %25
'5' = %35
'c' = %63

encode this 3 characters for another time, we can get many results such
as:
%255c
%%35c
%%35%63 
%25%35%63
....

Thereby, '..\' can be represented by '..%255c' and '..%%35c', etc.
After first decoding, '..%255c' is turned into '..%5c'. IIS will take it
as a 
legal character string that can pass security check-up. But after a
second
decode process, it will be reverted to '..\'. Hence, attacker can use
'..\'
to carry out directory traversal and run arbitrary program outside of
Web 
directory.


Exploit:
=====

For example, TARGET has a virtual executable directory (e.g. "scripts") 
that is located on the same driver of Windows system. Submit request
like
this:

http://TARGET/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\

Directory list of C:\ will be revealed.

Of course, same effect can be achieved by this kind of processing to '/' 
and '.'.
For example: "..%252f", ".%252e/"...

Note: Attacker can run commands of IUSER_machinename account
privilege only.


Workaround:
=========

  1. If executable CGI is not integrant, delete the executable virtual 
     directory like /scripts etc.
  2. If executable virtual directory is needed, we suggest you to assign
a

     separate local driver for it.
  3. Move all command-line utilities to another directory that could be
used 
     by an attacker, and forbid GUEST group access those utilities. 

Vendor Status:
===========

2001.3.27  We informed Microsoft of this vulnerability.
2001.4.01  Microsoft replied that the bug has been reproduced.
2001.4.16  Microsoft supplied private patches for testing and the 
                  problem had been solved. 
2001.4.23  For further testing, Microsoft requested us to hold off the 
                  release of the advisory for 2 weeks.
2001.4.30  Microsoft informed us that we should put off the release 
                  for another week.
2001.5.14  Microsoft has released one security bulletin(MS01-026) 
                  concerning this flaw.

The bulletin is live at :

http://www.microsoft.com/technet/security/bulletin/MS01-026.asp

Patches are available at:

. Internet Information Server 4.0:

http://www.microsoft.com/ntserver/nts/downloads/critical/q277873 

. Internet Information Services 5.0:

http://www.microsoft.com/Windows2000/downloads/critical/q277873 

Additional Information:
=================

The Common Vulnerabilities and Exposures (CVE) project has 
assigned the name CAN-2001-0007 to this issue. This is a 
candidate for inclusion in the CVE list (http://cve.mitre.org),
which standardizes names for security problems. Candidates 
may change significantly before they become official CVE entries.

DISCLAIMS:
=========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS"
WITHOUT WARRANTY OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED,  EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO
EVENTSHALL NSFOCUS 
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, 
INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, 
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 
DISTRIBUTION OR REPRODUTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.

(C)Copyright 1999-2000 NSFOCUS. All Rights Reserved. Terms of use.


NSFOCUS Security Team <security@nsfocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC