SecurityTracker.com
SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server
Vendors:   Microsoft
(Additional Information) Re: Microsoft IIS Web Server Allows Remote Users to Execute Commands on the Server Due to CGI Decoding Error
SecurityTracker Alert ID:  1001566
SecurityTracker URL:  http://securitytracker.com/id/1001566
CVE Reference:   CVE-2001-0246   (Links to External Site)
Date:  May 17 2001
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): IIS 5.0, IIS 4.0 (except when on NT 4 with SP6/SP6a[without any new hotfix])
Description:   NSFOCUS announced discovery of a vulnerability in Microsoft Internet Information Server that allows remote users to execute commands on the server.

NSFOCUS provided additional information on why exploitation of this vulnerability fails in some cases. See the Source Message for a detailed explanation.

Impact:   A remote user can execute commands on and retrieve files from the server.
Solution:   The vendor has released a patch. See the Vendor URL for the fix.
Vendor URL:  www.microsoft.com/technet/security/bulletin/MS01-026.asp (Links to External Site)
Cause:   State error
Underlying OS:  Windows (NT), Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
May 15 2001 Microsoft IIS Web Server Allows Remote Users to Execute Commands on the Server Due to CGI Decoding Error



 Source Message Contents

Subject:  Re: NSFOCUS SA2001-02 : Microsoft IIS CGI Filename Decode Error Vulnerability


Hi -

Here we want to explain why exploitation of this vulnerability fails in 
some cases.

The vulnerability exists in both IIS 4.0 and IIS 5.0, but exploitation
of it would fail due to some factors.

1. Why is NT 4 SP6 (SP6a) not affected?

   That's because SP6(a) will perform a check for the existence of the
   requested file after the first decoding. The attack will fail for files
   like
   C:\inetpub\scripts\..%5c..%5c..%5cwinnt\system\cmd.exe
   that do not actually exist.
   
   But this check in SP6 seems to be just a temporary fix to address
   a certain vulnerability, and it was removed in some following
   hotfixes.
   Thus, if you have only applied SP6(a) on your NT 4, you would not be
   affected by this vulnerability.

2. Will systems with the patch provided by MS00-078 (MS00-057) be affected?

   MS00-078 and MS00-057 provide the same patch, which performs a
   check of the filename for ".\" and "./" after the first decoding. In case
   such characters exist, the request is denied. Thus, it only
   casually addresses the UNICODE vulnerability. By covering "./" or ".\" after
   the first decoding, an attacker can still successfully make use of
   the "Decoding error" vulnerability.
   
   For example:

   "..%255c..%255cwinnt/system32/cmd.exe"
   will be converted into 
   "..%5c..%5cwinnt/system32/cmd.exe"
   after the first decoding. Thus, the request can bypass the security
   check.

   But
   "..%255c../winnt/system32/cmd.exe"
   will be converted into 
   "..%5c../winnt/system32/cmd.exe"
   after the first decoding. Thus, the attack fails since the decoded
   name contains './'.

3. Will systems with the patch provided by MS00-086 be affected?

   The patch provided by MS00-086 successfully addressed the UNICODE
   vulnerability.

   But Microsoft has updated the patches several times. The first versions
   provide a filename check for some dangerous characters like '%'
   or '"' after the first decoding. Thus, you will not be affected
   by the "Decoding error" vulnerability if you apply these versions.
   But Microsoft removed the check again in the final version of the
   patch, and applying it will make your system affected.



Regards,
Nsfocus Security Team <security@nsfocus.com>
http://www.nsfocus.com
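As an added illustration, not part of the NSFOCUS message or the SecurityTracker entry, the following Python models the two pipelines described in item 2 above: a filter that tests for "./" and ".\" after a single decoding pass and then decodes again before use (so the "%255c" request from the message slips past it), and a hardened variant that runs the same test on the fully decoded name that would actually reach the filesystem. Function names, the fixed-point decoding helper and the benign sample path are assumptions, not IIS code.

```python
from urllib.parse import unquote

# Sample request paths (constructed from the message above for this example)
DOUBLE_ENCODED = "..%255c..%255cwinnt/system32/cmd.exe"   # bypasses check
MIXED = "..%255c../winnt/system32/cmd.exe"                # caught by check
BENIGN = "scripts/app.exe"                                # assumed normal path


def first_decode(path):
    """One pass of percent-decoding: '%255c' becomes '%5c'."""
    return unquote(path)


def contains_traversal(path):
    """The MS00-078 style test: reject if './' or '.\\' is present."""
    return "./" in path or ".\\" in path


def check_after_first_decode(path):
    """Models the patched-but-vulnerable pipeline from the message:
    decode once, run the check, then decode a second time before the
    name is used. The check and the file open see different strings."""
    once = first_decode(path)
    if contains_traversal(once):
        return "denied"
    twice = first_decode(once)   # second decode turns '%5c' into '\\'
    return "served:" + twice


def canonicalize(path):
    """Decode until nothing changes, so no encoded bytes survive.
    (Assumed helper; it terminates because unquote never grows a string.)"""
    prev, cur = None, path
    while prev != cur:
        prev, cur = cur, unquote(cur)
    return cur


def check_after_full_decode(path):
    """Hardened variant: the traversal test runs on the same string that
    would be handed to the filesystem, and nothing is decoded afterwards."""
    full = canonicalize(path)
    if contains_traversal(full):
        return "denied"
    return "served:" + full
```

The invariant worth carrying away is that a filename check is only meaningful if no further decoding or normalization happens between the check and the file open.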




 
 



Copyright 2019, SecurityGlobal.net LLC