New vulnerability in IIS4.0/5.0
From: ALife // BERG (buginfo@inbox.ru)
Date: 09/19/01
- Previous message: Karsten W. Rohrbach: "Re: aa.com not encrypting customer transaction data (KMM508728C0KM)"
- Next in thread: Dave Ahmad: "Re: New vulnerability in IIS4.0/5.0"
- Reply: Dave Ahmad: "Re: New vulnerability in IIS4.0/5.0"
- Reply: César González: "Re: New vulnerability in IIS4.0/5.0"
- Reply: Microsoft Security Response Center: "RE: New vulnerability in IIS4.0/5.0"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "ALife // BERG" <buginfo@inbox.ru>
To: Bugtraq@securityfocus.com
Subject: New vulnerability in IIS4.0/5.0
Date: Wed, 19 Sep 2001 09:38:16 +0000 (GMT)
Message-Id: <E15jdo8-000NZy-00@f12.port.ru>
-----[ Bright Eyes Research Group | Advisory # be00001e ]-----------------
Remote users can execute any command on several
IIS 4.0 and 5.0 systems by using UTF codes
-------------------------------------[ security.instock.ru ]--------------
Topic: Remote users can execute any command on several
IIS 4.0 and 5.0 systems by using UTF codes
Announced: 2001-09-19
Credits: ALife <buginfo@inbox.ru>
Affects: Microsoft IIS 4.0/5.0
--------------------------------------------------------------------------
---[ Description
For example, the target has a virtual executable directory (e.g.
"scripts") that is located on the same drive as the Windows system
directory. Submit a request like this:
http://target/scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+dir+c:\
The directory listing of C:\ will be revealed.
Of course, the same effect can be achieved by applying this kind of
encoding to '/' and '.'. For example: "..%u002f", ".%u002e/", "..%u00255c",
"..%u0025%u005c" ...
Note: The attacker can only run commands with the privileges of the
IUSR_machinename account.
This is where things go wrong in IIS 4.0 and 5.0: IIS first scans
the given URL for ../ and ..\ and for the normal Unicode encodings of
these strings. If those are found, the request is rejected; if they are
not found, the string is decoded and interpreted. Since the filter
does NOT check for the huge number of overlong Unicode representations
of ../ and ..\, the filter is bypassed and the directory traversal
routine is invoked.
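The ordering flaw described above (test the raw request, then decode) is easiest to see next to the correct ordering (decode to a fixed point, then resolve the path and test). The following is an added illustration, not IIS code and not part of the original advisory: a hypothetical re-implementation of both filter orders for the %XX and %uXXXX escapes the advisory discusses, plus a scan over constructed W3C-style log entries that flags requests whose decoded URI escapes the /scripts virtual directory. The request paths, client addresses and log lines are constructed for the example.

```python
"""Added example: "check, then decode" versus "decode, then check".

Hypothetical filters modelled on the behaviour the advisory describes;
this is not IIS code. Sample paths and log lines are constructed.
"""
import re

TRAVERSAL = re.compile(r"\.\.[\\/]")          # what the raw-string check looks for
PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")      # IIS-specific %uXXXX escapes
PCT_XX = re.compile(r"%([0-9a-fA-F]{2})")       # ordinary %XX escapes


def decode_once(path: str) -> str:
    """One decoding round: %uXXXX first, then %XX. Each %XX byte is mapped
    one-to-one to a character (latin-1 style); that is enough for the
    ASCII separators this check cares about."""
    path = PCT_U.sub(lambda m: chr(int(m.group(1), 16)), path)
    return PCT_XX.sub(lambda m: chr(int(m.group(1), 16)), path)


def canonicalize(path: str, max_rounds: int = 4) -> str:
    """Decode until the string stops changing (bounded), so that doubly
    encoded forms such as ..%u00255c (-> ..%5c -> ..\\) are fully unwrapped,
    then fold backslashes to '/' so one traversal test covers both."""
    for _ in range(max_rounds):
        decoded = decode_once(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def vulnerable_filter(path: str) -> bool:
    """Flawed order from the advisory: test the raw request for ../ and ..\\
    and only afterwards decode. Returns True if the request is allowed."""
    if TRAVERSAL.search(path):
        return False
    _ = decode_once(path)   # decoding happens after the check, so the decoded form is never tested
    return True


def hardened_filter(path: str, vdir: str = "/scripts") -> bool:
    """Correct order: decode to a fixed point first, then resolve the path
    segment by segment and refuse anything that escapes the virtual
    directory (this also allows harmless inner forms like sub/../x)."""
    canon = canonicalize(path)
    if "\x00" in canon:
        return False
    stack = []
    for seg in canon.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:          # climbing above the web root
                return False
            stack.pop()
        else:
            stack.append(seg)
    resolved = "/" + "/".join(stack)
    return resolved == vdir or resolved.startswith(vdir + "/")


# Constructed W3C-style entries: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_LINES = [
    "2001-09-19 09:38:16 10.0.0.5 GET /scripts/test.asp - 200",
    "2001-09-19 09:38:20 10.0.0.5 GET /scripts/..%u005c..%u005cwinnt/system32/cmd.exe /c+dir+c:\\ 200",
    "2001-09-19 09:38:25 10.0.0.9 GET /scripts/..%u00255c..%u00255cwinnt/system32/cmd.exe /c+dir 200",
]


def suspicious_requests(lines):
    """Return (client, raw URI) for entries whose decoded URI escapes /scripts."""
    hits = []
    for line in lines:
        fields = line.split(" ")
        if len(fields) < 5:
            continue
        client, uri = fields[2], fields[4]
        if not hardened_filter(uri):
            hits.append((client, uri))
    return hits


if __name__ == "__main__":
    probe = "/scripts/..%u005c..%u005cwinnt/system32/cmd.exe"
    print("raw-check filter allows:", vulnerable_filter(probe))
    print("decode-first filter allows:", hardened_filter(probe))
    for client, uri in suspicious_requests(LOG_LINES):
        print("flagged", client, uri)
```

The decoder here only understands %XX and %uXXXX; the practical lesson is that the traversal test must run on exactly the form the server hands to the file system, using the server's own decoder, rather than on the bytes that arrived on the wire.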
---[ Workarounds
1. Delete the executable virtual directory (/scripts etc.).
2. If an executable virtual directory is needed, we suggest that you
assign a separate local drive for it.
3. Move all command-line utilities that could be used by an attacker
to another directory, and forbid the GUEST group access to those
utilities.
---[ Vendor Status
2001.09.19 We informed Microsoft of this vulnerability.
---[ Additional Information
[1] RFC 1642 / RFC 2152: UTF-7 - A Mail-Safe Transformation Format of Unicode.
[2] RFC 2044 / RFC 2279: UTF-8, a transformation format of Unicode and ISO 10646.
[3] RFC 2253: Lightweight Directory Access Protocol (v3): UTF-8 String
Representation of Distinguished Names.
---[ DISCLAIMS
THE INFORMATION PROVIDED IS RELEASED BY BRIGHT EYES RESEARCH GROUP (BERG)
"AS IS" WITHOUT WARRANTY OF ANY KIND. BERG DISCLAIMS ALL WARRANTIES,
EITHER EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY.
IN NO EVENT SHALL BERG BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING
DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR
SPECIAL DAMAGES, EVEN IF BERG HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT
THE ADVISORY IS NOT MODIFIED IN ANY WAY.
-------------------------------------[ security.instock.ru ]--------------
-----[ Bright Eyes Research Group | Advisory # be00001e ]-----------------
- text/plain attachment: be00001e.txt