(Additional Information) Re: Microsoft IIS Web Server Allows Remote Users to Execute Commands on the Server Due to CGI Decoding Error
SecurityTracker Alert ID: 1001566|
SecurityTracker URL: http://securitytracker.com/id/1001566
(Links to External Site)
Date: May 17 2001
Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes |
Version(s): IIS 5.0, IIS 4.0 (except when on NT 4 with SP6/SP6a[without any new hotfix])|
NSFOCUS announced discovery of a vulnerability in Microsoft Internet Information Server that allows remote users to execute commands on the server.|
NSFOCUS provided additional information as to why exploitation of this vulnerability fails in some cases. See the Source Message for a detail explanation.
A remote user can execute commands on and retrieve files from the server.|
The vendor has released a patch. See the Vendor URL for the fix.|
Vendor URL: www.microsoft.com/technet/security/bulletin/MS01-026.asp (Links to External Site)
|Underlying OS: Windows (NT), Windows (2000)|
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Subject: Re: NSFOCUS SA2001-02 : Microsoft IIS CGI Filename Decode Error Vulnerability|
Here we want to explain why exploitation of this vulnerability fails in
The vulnerability exists in both IIS 4.0 and IIS 5.0, but exploitation
of it would fail for some factors.
1. Why NT 4 SP6(SP6a) is not affected?
That's because SP6(a) will perform a check for the existence of
requested file after the first decoding. Attack will fail for files
don not actually exist.
But this check of SP6 seems to be just a temporary fix to address
some certain vulnerability. And it was removed in some following
Thus, if you have only applied SP6(a) for your NT 4, you would not be
affected by this vulnerability.
2. Will systems with patch provided by MS00-078(MS00-057) be affected?
MS00-078 and MS00-057 provide the same patch, which will perform a
check of filename for ".\" and "./" after the first decoding. In case
that such characters exist, request would be denied. Thus, it only
casually addresses UNICODE vulnerability. By covering "./" or ".\" after
the first decoding, an attacker can still successfully make use of
"Decoding error" vulnerability.
will be converted into
after the first decoding. Thus the request can bypass the security
will be converted into
after the first decoding. Thus the attack fails since the decoded
name contains './'.
3. Will systems with patch provided by MS00-086 be affected?
The patch provided by MS00-086 successfully addressed the UNICODE
But Microsoft has updated the patches for some times. First versions
will provide filename check for some dangerous characters like '%'
or '"' after the first decoding. Thus, you will not be affected
by "Decoding error" vulnerability if you apply these versions.
But Microsoft remove the check again in the final version of the
patch, apply which will make your system affected.
Nsfocus Security Team <email@example.com>