Title: Microsoft IIS 4.0/5.0 CGI File Name Inspection Vulnerability
Released by: Nsfocus
Date: 23rd November 2000
NSFOCUS Security Advisory (SA2000-07)

Topic: Microsoft IIS 4.0/5.0 CGI File Name Inspection Vulnerability

Release Date: Nov 7th, 2000
Update Date: Nov 23rd, 2000

CVE Candidate Number: CAN-2000-0886
BUGTRAQ ID: 1912



Affected system:
================

 - Microsoft IIS 4.0
 - Microsoft IIS 5.0



Impact:
=======

The NSFOCUS security team has found a security flaw in the way Microsoft
IIS 4.0/5.0 handles CGI file names. By exploiting it, an attacker can
read system files and run arbitrary system commands.



Description:
============

When handling CGI applications (.exe, .pl, .php etc.), Microsoft IIS
4.0/5.0 does not perform a complete security check of the CGI file
name. If the file name contains certain special characters, IIS may be
tricked into opening or running a file other than the one it should.

1. Given a malformed HTTP request that asks IIS to run a ".exe" or
".com" program under an executable directory, IIS first tries to load
the program and checks that the file exists and what type it is. By
inserting a special character into the file name, an attacker can make
this check apply to a file that was not actually requested.

If all of the following hold:

 (1) the target file exists,
 (2) the target file is a batch (".bat") or ".cmd" file, and
 (3) the target file is a plain text file of non-zero length,

IIS automatically invokes "cmd.exe" to interpret it. The remainder of
the requested file name is passed to "cmd.exe" as parameters of the
batch file. An attacker can therefore run arbitrary commands by
inserting characters such as "&".

2. If a script interpreter (php.exe, perl.exe etc.) and the matching
script mapping are installed, IIS calls the interpreter with the file
name submitted by the user to run the corresponding CGI script. By
inserting special characters, an attacker can make the interpreter open
a file outside the web directory. Depending on how the interpreter
executes, the attacker may read part of or even the whole file.





Exploit:
========

1. Run arbitrary commands

   Create a batch file "test.bat" with arbitrary content such as "abc"
   under an executable directory (e.g. /scripts). Submit the following
   URL:

   http://site/scripts/test.bat"+&+dir+c:/+.exe (for IIS 5.0)
   or
   http://site/scripts/test.bat"+&+dir+c:/+.com

   You get the file listing of C:\.

   IIS wraps the executable file name in double quotation marks. That is
   why the request is turned into the following form when it is passed
   to "CMD.exe":

   CMD.exe "D:\interpub\scripts\test.bat" & dir C:/ .exe"

   So an attacker can run arbitrary commands with the privileges of
   IUSR_machinename, and the executable virtual directory does not need
   to be on the same drive as "WINNT\system32\CMD.exe".

   For IIS 4.0: http://site/scripts/test.bat"+"&+dir+c:/+.exe

   For IIS 4.0 + SP6/SP6a, this has to be combined with the "%c1%1c"
   vulnerability:

   http://site/scripts/test.bat"+"+&+dir+c:/+/..%c1%9c..%c1%9c
   ..%c1%9c..%c1%9cwinnt/system32/route.exe
   ("winnt/system32/route.exe" can be replaced with any existing
   executable program with a ".com" or ".exe" suffix.)

Note: Commands can also be inserted in the URL query string, for example:
      http://site/scripts/a.bat"+".exe?+&+dir
      An earlier patch for IIS 5.0 provided by Microsoft did not take
      this into account. We suggest you apply the new patch as soon as
      possible.


   Although the IIS executable directories contain no batch files in a
   default installation, an attacker can still make use of this flaw:

   (1) When the system administrator has installed some CGI program
       that allows users to create files under an executable directory.
       For example, some counter programs let a user create and name a
       data file even though he cannot control the file's content. An
       attacker may take that chance and run any command.

   (2) MSSQL and Perl packages ship with their own batch files. If the
       system administrator has installed MSSQL or Perl, and it happens
       to be on the same drive as some IIS executable virtual directory,
       an intruder may carry out the attack by combining this flaw with
       the "%c1%1c" vulnerability
       (see NSFOCUS Security Advisory SA2000-06:
        http://www.nsfocus.com/english/homepage/sa_06.htm ).

       For instance, MSSQL7 has 2 batch files under "\install" in a
       default installation:
       D:\mssql7\install\pubimage.bat
       D:\mssql7\install\pubtext.bat
       (MSSQL7 is assumed to be installed on D:\.)

       We can run arbitrary commands by submitting the following URL if
       the "\scripts" directory of IIS has been mapped to
       "D:\interpub\scripts":

       http://site/scripts/..%c1%1c../..%c1%1c../mssql7/install/
       pubtext.bat"+&+dir+c:\+.exe

       In addition, websites that allow users to upload ".bat" or ".cmd"
       files may also suffer from this kind of attack.

2. Expose file content

    On a system with php.exe (PHP3) installed, an attacker may read some
    files outside the web directory:
    http://target/."./."./winnt/win.ini%20.php3
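The request shapes described in the Description and Exploit sections above share a few traits a log reviewer can key on: shell metacharacters inside the request path, whitespace inside the CGI file name, an executable extension that is not at the end of the name, and overlong UTF-8 sequences in the path. The Python below is an added detection example written for this page, not NSFOCUS or Microsoft code. It assumes IIS W3C extended log lines with the seven fields listed in FIELDS, and every log line it scans is a constructed sample; the reason strings and field names are this example's own.

```python
"""Flag IIS log entries whose CGI file name looks malformed in the way
this advisory describes (CAN-2000-0886). Added example, not NSFOCUS or
Microsoft code; the field layout and sample log lines are assumptions."""
import re
from urllib.parse import unquote

# Assumed W3C extended log field layout (constructed for this example).
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

# Characters that have no business inside a CGI file name; the advisory
# shows '"' and '&' being smuggled in so that cmd.exe sees extra commands.
SHELL_METACHARS = '"&|'

# Overlong UTF-8 encodings of the path separators (e.g. %c1%1c, %c1%9c,
# %c0%af) that the advisory combines with this flaw to escape /scripts.
OVERLONG_UTF8_RE = re.compile(r"%c[01]%[0-9a-f]{2}", re.IGNORECASE)

# A CGI extension followed by something other than end-of-name or a
# path separator, e.g. test.bat" & dir ... .exe, where IIS type-checks
# test.bat although the request nominally asks for a .exe.
EMBEDDED_EXT_RE = re.compile(r"\.(?:exe|com|bat|cmd|pl|php3?)(?=[^/a-z0-9])")


def parse_line(line):
    """Split one W3C log line into a dict, or return None if malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify_request(uri_stem):
    """Return the list of reasons a request stem matches the advisory's
    patterns; an empty list means it looks like an ordinary CGI request."""
    reasons = []
    if OVERLONG_UTF8_RE.search(uri_stem):
        reasons.append("overlong UTF-8 sequence in path")
    # The advisory shows IIS turning '+' into spaces before the name
    # reaches cmd.exe, so decode the same way the server will.
    decoded = unquote(uri_stem).replace("+", " ").lower()
    file_name = decoded.rsplit("/", 1)[-1]
    if any(ch in decoded for ch in SHELL_METACHARS):
        reasons.append("shell metacharacter in request path")
    if any(ch.isspace() for ch in file_name):
        reasons.append("whitespace inside CGI file name")
    if EMBEDDED_EXT_RE.search(decoded):
        reasons.append("executable extension embedded in file name")
    return reasons


def scan_log(lines):
    """Run classify_request over log lines; return one finding per hit."""
    findings = []
    for number, line in enumerate(lines, 1):
        record = parse_line(line)
        if record is None:
            continue
        reasons = classify_request(record["cs-uri-stem"])
        if reasons:
            findings.append({"line": number, "client": record["c-ip"],
                             "uri": record["cs-uri-stem"], "reasons": reasons})
    return findings


# Constructed sample log lines: one benign .exe request, the request forms
# quoted in this advisory, and a benign .pl request with PATH_INFO and an
# '&' in its query string (normal for query strings and must not be flagged).
SAMPLE_LOG = [
    "2000-11-07 10:00:01 10.0.0.5 GET /scripts/counter.exe - 200",
    "2000-11-07 10:00:02 10.0.0.5 GET /scripts/test.bat%22+&+dir+c:/+.exe - 200",
    "2000-11-07 10:00:03 10.0.0.5 GET /scripts/..%c1%1c../..%c1%1c../mssql7/install/pubtext.bat%22+&+dir+c:/+.exe - 200",
    "2000-11-07 10:00:04 10.0.0.5 GET /.%22./.%22./winnt/win.ini%20.php3 - 200",
    "2000-11-07 10:00:05 10.0.0.5 GET /scripts/a.bat%22+%22.exe +&+dir 200",
    "2000-11-07 10:00:06 10.0.0.6 GET /cgi-bin/report.pl/archive/2000 month=11&year=2000 200",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d from %s: %s" % (hit["line"], hit["client"], hit["uri"]))
        for reason in hit["reasons"]:
            print("    - " + reason)
```

The query string is deliberately left out of the checks: an "&" there is ordinary parameter syntax, and the query-string variant the advisory's note describes is still caught because its file name carries the double quotes. Run on SAMPLE_LOG, lines 2 to 5 are reported and the two benign requests are not.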





Workaround:
===========

1. Always remove unnecessary batch and ".cmd" files, and keep the
   necessary batch or ".cmd" files on a different drive from any
   executable virtual directory.
2. Deny the "guests" group access to "CMD.exe".
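The first workaround is easy to state but tedious to verify by hand on a server with several virtual directories. The Python below is an added example, not NSFOCUS or Microsoft code: given an inventory of file paths and the physical paths of virtual directories with execute permission, it reports batch and ".cmd" files that sit inside an executable directory (the situation the exploit section needs) or that merely share its drive (the situation the "%c1%1c" combination needs). The inventory is constructed from the MSSQL7 and scripts paths quoted in this advisory; the audit_batch_files, drive_of and is_within names are this example's own.

```python
"""Audit helper for workaround 1 of this advisory: find batch/.cmd files
that share a drive with an IIS executable virtual directory. Added
example, not NSFOCUS or Microsoft code; the inventory is constructed."""
import ntpath

BATCH_EXTENSIONS = (".bat", ".cmd")


def drive_of(path):
    """Return the upper-case drive letter of a Windows path, or '' if none."""
    drive, _ = ntpath.splitdrive(path)
    return drive.rstrip(":").upper()


def is_within(path, directory):
    """True if path lies under directory (case-insensitive, Windows style)."""
    norm_path = ntpath.normcase(ntpath.normpath(path))
    norm_dir = ntpath.normcase(ntpath.normpath(directory))
    return norm_path.startswith(norm_dir + ntpath.sep)


def audit_batch_files(files, virtual_dirs):
    """files: physical paths found on the server.
    virtual_dirs: mapping of virtual path -> (physical path, execute_allowed).
    Returns findings with 'high' first: batch files inside an executable
    directory are 'high', those elsewhere on the same drive are 'medium'."""
    exec_dirs = [phys for phys, execute in virtual_dirs.values() if execute]
    exec_drives = {drive_of(d) for d in exec_dirs}
    findings = []
    for path in files:
        if not path.lower().endswith(BATCH_EXTENSIONS):
            continue
        if any(is_within(path, d) for d in exec_dirs):
            findings.append({"file": path, "severity": "high",
                             "reason": "batch file inside an executable virtual directory"})
        elif drive_of(path) in exec_drives:
            findings.append({"file": path, "severity": "medium",
                             "reason": "batch file on the same drive as an executable virtual directory"})
    findings.sort(key=lambda f: f["severity"] != "high")
    return findings


# Constructed inventory: the MSSQL7 batch files and the /scripts mapping
# named in this advisory, plus a batch file kept on another drive as the
# workaround advises (it must not be reported).
VIRTUAL_DIRS = {
    "/scripts": (r"D:\interpub\scripts", True),
    "/": (r"D:\interpub\wwwroot", False),
}
FILES = [
    r"D:\mssql7\install\pubtext.bat",
    r"D:\mssql7\install\pubimage.bat",
    r"D:\interpub\scripts\test.bat",
    r"D:\interpub\wwwroot\index.htm",
    r"E:\admin\backup.cmd",
]

if __name__ == "__main__":
    for finding in audit_batch_files(FILES, VIRTUAL_DIRS):
        print("%-6s %s (%s)" % (finding["severity"], finding["file"], finding["reason"]))
```

ntpath is used rather than os.path so the drive and separator handling is Windows-style even when the audit runs from another platform against an exported inventory. On the constructed inventory, test.bat under the executable /scripts mapping is reported as high and the two MSSQL7 batch files on the same D: drive as medium; the .cmd file on E: is not reported.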



Vendor Status:
==============

Microsoft was informed on Oct 20th, 2000.
Microsoft released a security bulletin concerning this flaw on
Nov 6th, 2000.

Microsoft updated MS00-086 and released new patches on
November 21, 2000.

The bulletin is live at:

http://www.microsoft.com/technet/security/bulletin/MS00-086.asp

Patches are available at:

. Internet Information Server 4.0:
http://www.microsoft.com/ntserver/nts/downloads/critical/q277873

. Internet Information Services 5.0:
http://www.microsoft.com/Windows2000/downloads/critical/q277873


Additional Information:
=======================

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2000-0886 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems. Candidates may change significantly before they
become official CVE entries.



DISCLAIMER:
===========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY OF ANY
KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, EXCEPT FOR
THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS
PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2000 NSFOCUS. All Rights Reserved. Terms of use.

NSFOCUS Security Team
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)