(CIAC Issues Bulletin) Re: Microsoft IIS Web Server Allows Remote Users to Execute Commands on the Server Due to CGI Decoding Error
SecurityTracker Alert ID: 1001581
SecurityTracker URL: http://securitytracker.com/id/1001581
Date: May 19 2001
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network
Fix Available: Yes. Vendor Confirmed: Yes
Version(s): IIS 5.0, IIS 4.0 (except when on NT 4 with SP6/SP6a [without any new hotfix])
NSFOCUS announced discovery of a vulnerability in Microsoft Internet Information Server that allows remote users to execute commands on the server.
NSFOCUS reports that when loading an executable CGI program, the IIS web server performs two successive decode operations. The first decodes the CGI filename and determines whether it refers to an executable file. The second is meant to decode only the CGI parameters, but the server improperly decodes the already-decoded filename a second time on this pass. As a result, a remote user can craft a malformed CGI filename that passes IIS's normal filename security filtering (such as ".." filtering) after the first decode yet resolves to a different path after the second, allowing directory traversal.
For example, NSFOCUS reports that the following URL, if the target host has a virtual executable directory called scripts, will provide a directory listing of the C:\ directory:
Malformed URLs can be used to run commands with the privileges of the IUSR_machinename account.
A remote user can execute commands on and retrieve files from the server.
CIAC has issued a security bulletin (Number L-083). See the Source Message for the CIAC bulletin. The vendor has released a fix. See the Vendor URL for directions on how to apply the fix.
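The ordering flaw described above, modelled as an added example (this is not code from the page, NSFOCUS, CIAC or Microsoft): a ".." check that runs after the first decode but before a second decode, the corrected single-decode check beside it, and a log-line detector for requests that exhibit the pattern. All path names, IP addresses and log lines are constructed.

```python
from urllib.parse import unquote

# Constructed model of the MS01-026 ordering flaw: the ".." filter runs on
# the once-decoded name, but the name is decoded again before it is used.

def has_traversal(path: str) -> bool:
    """True if any path segment is '..' (the check the bug bypasses)."""
    return any(seg == ".." for seg in path.replace("\\", "/").split("/"))

def resolve_vulnerable(raw_path: str):
    """Flawed order: decode, check, then decode a second time."""
    once = unquote(raw_path)            # what the security filter sees
    if has_traversal(once):
        return None                     # request blocked
    return unquote(once)                # what is actually opened

def resolve_fixed(raw_path: str):
    """Decode once, refuse anything that would decode further, then check."""
    once = unquote(raw_path)
    if unquote(once) != once:           # still percent-encoded -> reject
        return None
    if has_traversal(once):
        return None
    return once

def is_double_encoded_traversal(log_line: str) -> bool:
    """Detection: request path whose '..' appears only after a second decode."""
    try:
        target = log_line.split('"')[1].split(" ")[1]   # CLF request target
    except IndexError:
        return False
    once = unquote(target.split("?")[0])
    return not has_traversal(once) and has_traversal(unquote(once))

# Constructed sample log lines (CLF style); not taken from the page.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/May/2001:16:00:00 +0000] "GET /scripts/hello.exe HTTP/1.0" 200 512',
    '192.0.2.11 - - [16/May/2001:16:00:01 +0000] "GET /scripts/%2e%2e/%2e%2e/readme.txt HTTP/1.0" 403 0',
    '192.0.2.12 - - [16/May/2001:16:00:02 +0000] "GET /scripts/%252e%252e/%252e%252e/readme.txt HTTP/1.0" 200 2048',
]

def flagged_lines(lines):
    """Return the log lines that show the double-decode traversal pattern."""
    return [ln for ln in lines if is_double_encoded_traversal(ln)]

if __name__ == "__main__":
    for ln in flagged_lines(SAMPLE_LOG):
        print("double-decode traversal:", ln)
```

The single-encoded request (second line) is already caught by the ordinary ".." filter, so the detector flags only the request that the flawed decoder would have let through.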
Vendor URL: www.microsoft.com/technet/security/bulletin/MS01-026.asp
Underlying OS: Windows (NT), Windows (2000)
This archive entry is a follow-up to the message listed below.
Source Message Contents
Subject: CIAC Bulletin L-083: Microsoft CGI Filename Decode Error Vulnerability in IIS
[For Public Release]
The U.S. Department of Energy
Computer Incident Advisory Center
Microsoft CGI Filename Decode Error Vulnerability in IIS
[Microsoft Security Advisory MS01-026]
May 16, 2001 16:00 GMT Number L-083
PROBLEM: The IIS CGI filename decoder will decode the filename twice in error. This presents a vulnerability that could allow an intruder several means of attack.
PLATFORM: Microsoft IIS 4.0, Microsoft IIS 5.0
DAMAGE: An intruder could get around security checks or be able to run arbitrary system commands. This could result in code execution or unauthorized file disclosure.
SOLUTION: Apply the patch described below.
VULNERABILITY ASSESSMENT: The risk is MEDIUM to HIGH; an attacker would gain access at IUSR privilege level and be able to execute programs. IIS is currently one of the most targeted applications for hackers.
[****** Start Microsoft Advisory ******]
[****** End Microsoft Advisory ******]