VID 22184
Severity 30
Port 80, ...
Protocol TCP
Class WWW
Detailed Description The IIS web server discloses ASP/HTR source codes due to Virtualized UNC Share vulnerability.
UNC (Universal Naming Convention) is a way to identify a shared file on a networked computer without having to specify (or know) the storage device it is on. In Windows, the UNC name format is "\\servername\sharename\path\filename" and is supported by all Microsoft networking products. When the IIS server receives a request for an advanced file type (such as ASP), it determines which scripting engine to invoke by checking the file extension. However, if a virtual directory on an IIS server is mapped to a UNC share and a remote attacker requests a file that resides on that share with special characters appended to the end of the request, IIS locates the correct file but does not recognize it as one that must be processed by a scripting engine. Instead, it simply sends the file to the browser. For example, the vulnerability is triggered when a remote attacker appends a backslash character ('\') to the end of an "index.asp" file that is accessed via a UNC share and sends the request to the server as follows:

GET /index.asp%5C(or /index.asp\) HTTP/1.0

Generally, .ASP and other advanced file types never leave the server; only the output of the file should be sent to the client browser. This vulnerability, however, causes the server to send the source code of the file to the client browser, allowing a remote attacker to obtain sensitive information, such as passwords, from that source code.

* Note: Exploiting this vulnerability may be difficult due to the following significant restrictions:
1. Virtual directories hide the actual location of files by design. Under most circumstances, an attacker has no way to determine which files on the server actually reside on a UNC share.
2. Most browsers will "correct" requests that contain the trailing characters at issue here, by either removing the characters or changing them.
3. If recommended security practices are followed, .ASP and other files that require server-side processing will not contain any sensitive information that could be compromised.
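The following is an added detection example, not part of this advisory entry: it scans web server access log lines for requests that target a script-mapped file (.asp/.htr) with a trailing backslash, raw or %5C-encoded, which is the request shape described above. The log field layout (date time c-ip cs-method cs-uri-stem sc-status) and the sample lines are constructed assumptions for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Server-side file types that IIS should run through a scripting engine
# rather than serve verbatim; the two types this advisory names.
SCRIPT_EXTENSIONS = {".asp", ".htr"}

# Trailing characters that, per the advisory, defeat the extension check
# for files served from a UNC-mapped virtual directory.
TRAILING_BYPASS = re.compile(r"(\\|%5c)+$", re.IGNORECASE)

# Assumed W3C-style log layout: date time c-ip cs-method cs-uri-stem sc-status
LOG_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<method>\S+) "
    r"(?P<uri>\S+) (?P<status>\d{3})$"
)

def is_source_disclosure_attempt(uri_stem: str) -> bool:
    """True if the path names a script-mapped file with one or more trailing
    backslashes (raw or %5C-encoded) appended."""
    match = TRAILING_BYPASS.search(uri_stem)
    if not match:
        return False
    stripped = unquote(uri_stem[: match.start()])
    ext = posixpath.splitext(stripped)[1].lower()
    return ext in SCRIPT_EXTENSIONS

def scan_log(lines):
    """Return (client, uri, status) for each request matching the pattern."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m and is_source_disclosure_attempt(m["uri"]):
            hits.append((m["client"], m["uri"], int(m["status"])))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2000-03-30 10:01:02 192.0.2.10 GET /index.asp 200
2000-03-30 10:01:05 192.0.2.10 GET /index.asp%5C 200
2000-03-30 10:01:09 192.0.2.10 GET /login.htr\\ 200
2000-03-30 10:02:11 192.0.2.11 GET /images/logo.gif%5C 404
2000-03-30 10:02:15 192.0.2.12 GET /default.ASP%5c%5c 200
""".splitlines()

if __name__ == "__main__":
    for client, uri, status in scan_log(SAMPLE_LOG):
        print(f"{client} requested {uri} (HTTP {status})")
```

A 200 status on a flagged request is the signal worth escalating; a 404 indicates the server rejected the path.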

* References:
http://www.microsoft.com/technet/security/bulletin/ms00-019.asp
http://www.securityfocus.com/archive/1/54240

* Platforms Affected:
Microsoft Commercial Internet System 2.0
Microsoft Commercial Internet System 2.5
Microsoft Proxy Server 2.0
Microsoft Site Server 3.0
Microsoft IIS 4.0
Microsoft IIS 5.0
Recommendation Upgrade to IIS 6.0 or later
Related URL CVE-2000-0246 (CVE)
Related URL 1081 (SecurityFocus)
Related URL 4204 (ISS)