Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Microsoft IIS CGI Filename Decode Error Vulnerability

Microsoft IIS CGI Filename Decode Error Vulnerability

by phiber on May 15th, 2001 NSFOCUS Security Team has found a vulnerability in filename processing of CGI program in MS IIS4.0/5.0. CGI filename is decoded twice by error. Exploitation of this vulnerability, intruder may run arbitrary system command.




When loading executable CGI program, IIS will decode twice. First, CGI filename will be decoded to check if it is an executable file (for
example, '.exe' or '.com' suffix check-up). Successfully passing the
filename check-up, IIS will run another decode process.
Normally, only CGI parameters should be decoded in this process. But
this time IIS mistakenly decodes both CGI parameters and the decoded
CGI filename. In this way, CGI filename is decoded twice by error.



With a malformed CGI filename, attacker can get round IIS filename
security check-ups like '../' or './' check-up. In some cases, attacker
can run arbitrary system command.



For example, a character '' will be encoded to "%5c". And the corresponding code of these 3 characters is:

'%' = %25

'5' = %35

'c' = %63



encode this 3 characters for another time, we can get many results such as:

%255c

%%35c

%%35%63

%25%35%63

...



Thereby, '..' can be represented by '..%255c' and '..%%35c', etc.
After first decoding, '..%255c' is turned into '..%5c'. IIS will take it as a
legal character string that can pass security check-up. But after a second decode process, it will be reverted to '..'. Hence, attacker can use '..' to carry out directory traversal and run arbitrary program outside of Web directory.




Exploit:



For example, TARGET has a virtual executable directory (e.g. "scripts")
that is located on the same driver of Windows system. Submit request like this:


http://TARGET/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:



Directory list of C: will be revealed.



Of course, same effect can be achieved by this kind of processing to '/'
and '.'.

For example: "..%252f", ".%252e/"...



Note: Attacker can run commands of IUSER_machinename account privilege only.





Workaround:



1. If executable CGI is not integrant, delete the executable virtual directory like /scripts etc.

2. If executable virtual directory is needed, we suggest you to assign a
separate local driver for it.

3. Move all command-line utilities to another directory that could be used by an attacker, and forbid GUEST group access those utilities.



- Vendor (Microsoft) has been notified and patches are ready for download.


Patches are available at:


Microsoft IIS 4.0:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787



Microsoft IIS 5.0:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764




This vulnerability has been posted on a bt mailing list by Nsfocus Security Team.


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »