Microsoft Site Server 2.0 with IIS 4.0 Malicious File Upload Vulnerability
BID:1811
Info
Microsoft Site Server 2.0 with IIS 4.0 Malicious File Upload Vulnerability
| Bugtraq ID: | 1811 |
| Class: | Design Error |
| CVE: |
CVE-1999-0360 |
| Remote: | Yes |
| Local: | Yes |
| Published: | Jan 30 1999 12:00AM |
| Updated: | Jul 11 2009 03:56AM |
| Credit: | Discovered and posted to Bugtraq by mnemonix <[email protected]> on Jan 30, 1999. |
| Vulnerable: |
Microsoft Site Server Commerce Edition 2.0 |
| Not Vulnerable: | |
Discussion
Microsoft Site Server 2.0 with IIS 4.0 Malicious File Upload Vulnerability
Microsoft Site Server is an intranet server designed for an NT Server with IIS. Site Server enables users to locate and view information stored in various locations through personalized web pages and emails.
The 'Users' directory, if not already created, is automatically generated once the first successful upload has been completed. By default the 'Everyone' group is given NTFS Change privileges in the 'Users' directory. As well, Scripting and Write permissions are assigned by IIS. Due to all of these factors, it is possible for a user to create and upload various content including ASP pages to the web server through the Anonymous Internet Account (IUSR_machinename).
If one does not have knowledge of a password to access the services in Site Server, a user could telnet to port 80 on the web server and perform a specially crafted PUT request. Once the file is created performing a specially formed GET request will execute the file.
Successful exploitation of this vulnerability will allow a remote user to possibly upload malicious content to the web site.
Microsoft Site Server is an intranet server designed for an NT Server with IIS. Site Server enables users to locate and view information stored in various locations through personalized web pages and emails.
The 'Users' directory, if not already created, is automatically generated once the first successful upload has been completed. By default the 'Everyone' group is given NTFS Change privileges in the 'Users' directory. As well, Scripting and Write permissions are assigned by IIS. Due to all of these factors, it is possible for a user to create and upload various content including ASP pages to the web server through the Anonymous Internet Account (IUSR_machinename).
If one does not have knowledge of a password to access the services in Site Server, a user could telnet to port 80 on the web server and perform a specially crafted PUT request. Once the file is created performing a specially formed GET request will execute the file.
Successful exploitation of this vulnerability will allow a remote user to possibly upload malicious content to the web site.
Exploit / POC
Microsoft Site Server 2.0 with IIS 4.0 Malicious File Upload Vulnerability
mnemonix <[email protected]> has provided the following exploit for the telnet PUT request:
PUT /users/non-aggressive-script.asp HTTP/1.0
Content-length: 120
Entity-body:
<HTML>
<BODY>
Request method is <% Response.Write
Request.ServerVariables("REQUEST_METHOD")%>.<BR>
</BODY>
</HTML>
\n
\n
\n
mnemonix <[email protected]> has provided the following exploit for the telnet PUT request:
PUT /users/non-aggressive-script.asp HTTP/1.0
Content-length: 120
Entity-body:
<HTML>
<BODY>
Request method is <% Response.Write
Request.ServerVariables("REQUEST_METHOD")%>.<BR>
</BODY>
</HTML>
\n
\n
\n
Solution / Fix
Microsoft Site Server 2.0 with IIS 4.0 Malicious File Upload Vulnerability
Solution:
Currently the SecurityFocus staff are not ware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution:
Currently the SecurityFocus staff are not ware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
Microsoft Site Server 2.0 with IIS 4.0 Malicious File Upload Vulnerability
References:
References:
- Site Server Product Homepage (Microsoft)