New vulnerability in IIS4.0/5.0

["ALife // BERG" <buginfo () inbox ru>]

-----[ Bright Eyes Research Group | Advisory # be00001e ]-----------------

             Remote users can execute any command on several
               IIS 4.0 and 5.0 systems by using UTF codes

-------------------------------------[ security.instock.ru ]--------------

Topic:              Remote users can execute any command on several
                    IIS 4.0 and 5.0 systems by using UTF codes

Announced:          2001-09-19
Credits:            ALife <buginfo () inbox ru>
Affects:            Microsoft IIS 4.0/5.0

--------------------------------------------------------------------------

---[ Description

     For  example, target has a virtual executable directory (e.g.
"scripts") that is located on the same driver of Windows system.
Submit request like this:

http://target/scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+dir+c:\

Directory list of C:\ will be revealed.

Of course, same effect can be achieved by this kind of  processing
to  '/'  and  '.'. For  example:  "..%u002f", ".%u002e/", "..%u00255c",
"..%u0025%u005c" ...

Note: Attacker can run commands of IUSR_machinename account privilege
      only.

     This is where things go wrong in IIS 4.0 and 5.0, IIS  first scans
the given url for ../  and  ..\ and  for  the normal unicode  of  these
strings, if those  are  found, the  string  is  rejected, if these  are
not found, the string will be decoded and interpreted. Since the filter
does NOT check  for the huge amount of overlong unicode representations
of ../ and ..\ the filter is bypassed and the  directory  traversalling
routine is invoked.

---[ Workarounds

     1. Delete the  executable virtual directory like /scripts etc.
     2. If executable  virtual directory is  needed, we suggest  you to
        assign a separate local driver for it.
     3. Move all command-line utilities to another directory that could
        be used  by an  attacker, and  forbid GUEST  group access those
        utilities.

---[ Vendor Status

     2001.09.19  We informed Microsoft of this vulnerability.

---[ Additional Information

 [1] RFC 1642 UTF-7 - A Mail-Safe Transformation Format of Unicode.
     RFC 2152
 [2] RFC 2044 UTF-8, a transformation format of Unicode and ISO 10646.
     RFC 2279
 [3] RFC 2253 Lightweight Directory Access Protocol (v3): UTF-8 String
              Representation of Distinguished Names.

---[ DISCLAIMS

THE INFORMATION PROVIDED IS RELEASED BY BRIGHT EYES RESEARCH GROUP (BERG)
"AS IS" WITHOUT  WARRANTY  OF ANY KIND. BERG  DISCLAIMS  ALL  WARRANTIES,
EITHER EXPRESS OR IMPLIED, EXCEPT FOR  THE WARRANTIES OF MERCHANTABILITY.
IN NO EVENTSHALL BERG BE LIABLE  FOR  ANY  DAMAGES  WHATSOEVER INCLUDING
DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR
SPECIAL DAMAGES, EVEN IF BERG HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. DISTRIBUTION  OR REPRODUTION OF THE INFORMATION IS PROVIDED THAT
THE ADVISORY IS NOT MODIFIED IN ANY WAY.

-------------------------------------[ security.instock.ru ]--------------
-----[ Bright Eyes Research Group | Advisory # be00001e ]-----------------

Attachment: be00001e.txt
Description: