Published: 2000-12-19 00:00:00
Revised: 2008-09-10 15:06:04

[Original] IIS 5.0 allows remote attackers to execute arbitrary commands via a malformed request for an executable file whose name is appended with operating system commands, aka the "Web Server File Request Parsing" vulnerability.


        IIS 5.0 is affected by a vulnerability. A remote attacker can execute arbitrary commands via a malformed request for an executable file whose name has operating-system commands appended to it, also known as the "Web Server File Request Parsing" vulnerability.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:microsoft:internet_information_server:4.0    Microsoft IIS 4.0

- OVAL (technical details for detection)

oval:org.mitre.oval:def:191    IIS Web Server File Request Parsing

- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(VENDOR_ADVISORY)  BUGTRAQ  20001107 NSFOCUS SA2000-07 : Microsoft IIS 4.0/5.0 CGI File Name Inspection Vulnerability
(UNKNOWN)  XF  iis-invalid-filename-passing(5470)
(UNKNOWN)  BID  1912

- Vulnerability information

High risk    Input validation
2000-12-19 00:00:00    2005-10-12 00:00:00
        IIS 5.0 is affected by a vulnerability. A remote attacker can execute arbitrary commands via a malformed request for an executable file whose name has operating-system commands appended to it, also known as the "Web Server File Request Parsing" vulnerability.

- Advisory and patches

        Microsoft has released patches which eliminate the vulnerability (they also rectify the vulnerability described in MS00-086). This patch does not address the new variants discovered by Georgi Guninski on November 27, 2000.
        Those who applied the IIS 5.0 patch released before November 30, 2000 are recommended to install the patch below. It rectifies regression errors that existed in prior versions of the patch.
        Microsoft IIS 4.0
        Microsoft IIS 5.0

- Vulnerability information (20384)

Microsoft IIS 4.0/5.0 Executable File Parsing Vulnerability (EDBID:20384)
windows remote
2000-11-06 Verified
0 Nsfocus
N/A [download]

When Microsoft IIS receives a valid request for an executable file, the filename is passed on to the underlying operating system, which executes the file. If IIS receives a specially formed request for an executable file followed by operating system commands, IIS processes the entire string rather than rejecting it. Thus a malicious user may run system commands through cmd.exe in the context of the IUSR_machinename account, which could lead to privilege escalation; deletion, addition, and modification of files; or full compromise of the server.

In order to exploit this successfully, the file requested must be an existing .bat or .cmd file residing in a folder on which the user has execute permission.

Update (November 27, 2000): Georgi Guninski has discovered new variants of this vulnerability that have appeared after applying the patch (Q277873) supplied by Microsoft. Please see 'Exploit' for further details.

Update (December 7, 2000): Billy Nothern has discovered that the commands can also be parsed through ActiveState Perl. Please see his Bugtraq post, listed under 'Credit', for further information.

**UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability.

The following HTTP requests will display a directory listing for C:\.

http://target/scripts/file.bat"+&+dir+c:/+.exe (IIS 5.0)

http://target/scripts/file.bat"+"&+dir+c:/+.exe (IIS 4.0)
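The requests above share one shape: a real .bat or .cmd name, a quote or command separator, the injected command, and a trailing ".exe" so the string still looks like an executable request. The following is an added example, not code from the advisory or from IIS, showing both sides of that pattern: a hardened acceptance check for script requests (the file must exist under the script root and its name must contain nothing but a plain .bat/.cmd name), and a scanner that flags the injection pattern in IIS W3C extended log lines. The log lines are constructed for the example; the function names, the `/scripts/` prefix, and the decoding of `+` as a space before the name reaches the shell are assumptions made here for illustration.

```python
"""
Added example (not part of the original advisory or of IIS): hardened
validation of executable-file requests plus log-based detection of the
"file request parsing" pattern.

Assumptions: the W3C log lines in SAMPLE_LOG are constructed, not real
traffic; '+' is decoded as a space and %xx escapes are resolved, which is
how the exploit URLs on this page were meant to be interpreted.
"""
import os
import re
from urllib.parse import unquote

# A .bat/.cmd name followed somewhere by a shell separator or a stray quote,
# e.g.  file.bat" & dir c:/ .exe  -- the shape of the page's exploit URLs.
_INJECT_RE = re.compile(r'\.(?:bat|cmd)\b.*?[&|"%<>^]', re.IGNORECASE)

# What a legitimate script request looks like after decoding: one file name,
# conservative character set, nothing after the extension.
_SAFE_NAME_RE = re.compile(r'^[A-Za-z0-9_.-]+\.(?:bat|cmd)$', re.IGNORECASE)


def decode_stem(stem: str) -> str:
    """Decode a cs-uri-stem as the CGI path was handed to the shell:
    %xx escapes resolved and '+' treated as a space (assumption)."""
    return unquote(stem).replace('+', ' ')


def is_injection_attempt(stem: str) -> bool:
    """True if the stem looks like a .bat/.cmd name with commands appended."""
    return _INJECT_RE.search(decode_stem(stem)) is not None


def is_safe_script_request(stem: str, script_root: str, prefix: str = '/scripts/') -> bool:
    """Hardened check: accept only a plain .bat/.cmd name under the script
    prefix that resolves to an existing regular file inside script_root."""
    decoded = decode_stem(stem)
    if not decoded.startswith(prefix):
        return False
    name = decoded[len(prefix):]
    if not _SAFE_NAME_RE.match(name):          # rejects quotes, '&', spaces, '/'
        return False
    root = os.path.realpath(script_root)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:   # belt-and-braces: no traversal
        return False
    return os.path.isfile(target)


def scan_iis_log(lines):
    """Scan W3C extended log lines; return (line_no, client_ip, stem) for each
    request whose stem matches the injection pattern. Column order is taken
    from the log's own #Fields header."""
    fields = None
    hits = []
    for n, line in enumerate(lines, 1):
        if line.startswith('#Fields:'):
            fields = line.split()[1:]
            continue
        if line.startswith('#') or not line.strip() or fields is None:
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue
        rec = dict(zip(fields, cols))
        stem = rec.get('cs-uri-stem', '')
        if is_injection_attempt(stem):
            hits.append((n, rec.get('c-ip', '-'), stem))
    return hits


def demo_hardened_check():
    """Self-contained demo: create a throwaway script root holding file.bat
    and run the hardened check against clean and malicious requests."""
    import tempfile
    root = tempfile.mkdtemp()
    open(os.path.join(root, 'file.bat'), 'w').close()
    return {
        'clean': is_safe_script_request('/scripts/file.bat', root),
        'injected': is_safe_script_request('/scripts/file.bat"+&+dir+c:/+.exe', root),
        'missing': is_safe_script_request('/scripts/missing.bat', root),
        'traversal': is_safe_script_request('/scripts/../file.bat', root),
    }


# Constructed sample log (not real traffic) in IIS 5.0 W3C extended format.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-11-07 10:15:01 10.0.0.5 GET /scripts/file.bat - 200
2000-11-07 10:15:07 10.0.0.99 GET /scripts/file.bat"+&+dir+c:/+.exe - 200
2000-11-07 10:15:09 10.0.0.99 GET /scripts/file.bat"+"&+dir+c:/+.exe - 200
2000-11-07 10:15:12 10.0.0.7 GET /default.htm - 200
2000-11-07 10:15:20 10.0.0.99 GET /scripts/file.cmd%22+|+type+c:/boot.ini+.exe - 500
""".splitlines()


if __name__ == '__main__':
    for n, ip, stem in scan_iis_log(SAMPLE_LOG):
        print(f'line {n}: {ip} -> {stem}')
    print(demo_hardened_check())
```

The scanner deliberately decodes before matching, because the `%22` form in the last sample line is the same attack as the literal-quote form; a filter that only looks at the raw URL misses it. The hardened check applies the rule the description states (the requested file must be an existing .bat or .cmd) and adds the rule IIS lacked: the name must end at the extension, with no shell metacharacters after it.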



The following URLs apply to IIS 5.0 after the patch (Q277873) provided by Microsoft is installed:


- Vulnerability information

Microsoft IIS Webserver Invalid Filename Request Arbitrary Command Execution
Remote / Network Access    Input Manipulation
Loss of Integrity    Patch / RCS
Exploit Public    Vendor Verified

- Vulnerability description

- Timeline

2000-11-07 Unknown
2000-11-07 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete