Bugtraq mailing list archives
NSFOCUS SA2000-07 : Microsoft IIS 4.0/5.0 CGI File Name Inspection Vulnerability
From: Nsfocus Security Team <security () NSFOCUS COM>
Date: Tue, 7 Nov 2000 18:13:56 +0800
NSFOCUS Security Advisory(SA2000-07) Topic: Microsoft IIS 4.0/5.0 CGI File Name Inspection Vulnerability Release Date£º Nov 7th, 2000 CVE Candidate Numbers: CAN-2000-0886 BUGTRAQ ID : 1912 Affected system: ================ - Microsoft IIS 4.0 (<SP6) - Microsoft IIS 5.0 Not affected system: ==================== - Microsoft IIS 4.0 ( SP6/SP6a ) Impact: ========= NSFOCUS security team has found a security flaw in Microsoft IIS 4.0/ 5.0 when handling a CGI file name. Exploitation of it, attacker can read system file and run arbitrary system command. Description£º ============ In CGI application (.exe, .pl, .php etc.) handling, Microsoft IIS 4.0/ 5.0 do not present an integrated security inspection of CGI file name, which may cause IIS to mistakenly open or run a file if a special character is contained in the file name. 1. Providing a malformed HTTP request that calls IIS to run a ".exe" or ".com" program under executable directory, IIS will try to load the program and check file existence and file type first. Attacker can trap the loading program to check a non-requested file by inserting a special character in the file name. If fulfilling these terms: (1) Target file exists (2) Target file is a batch file (3) Target file is a plain text file longer than zero byte IIS will automatically call "cmd.exe" to interpret it. Other part of file name requested is pass to "cmd.exe" as parameters of the batch file. Thus, an attacker can run arbitrary command by inserting some characters like "&". 2. If some script interpreter(php.exe, perl.exe etc.) and relevant mapping are installed, IIS will call them to interpret the file name submitted by user to run the corresponding CGI script. Inserting some special characters, attacker can trap the interpreter to open some file outside of WEB directory. Depending on the execution method of the interpreter, attacker may read part or even the full file content. Exploit: ========== [Proof of concept code will be available soon] Workaround: =================== Always remove unnecessary batch files, and keep necessary batch files in a different driver of any executable virtual directory. Vendor Status: ============== Microsoft has been informed on Oct 20th, 2000. Microsoft has released one security bulletin concerning this flaw on Nov 6th, 2000. The bulletin is live at : http://www.microsoft.com/technet/security/bulletin/MS00-086.asp Patches are available at: . Microsoft IIS 5.0: * English: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25547 * Simplified Chinese: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25580 * Traditional Chinese: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25581 * German: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25582 * Japanese: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25583 Additional Information: ======================== The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2000-0886 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Candidates may change significantly before they become official CVE entries. DISCLAIMS: ========== THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENTSHALL NSFOCUS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR REPRODUTION OF THE INFORMATION IS PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY. ?Copyright 1999-2000 NSFOCUS. All Rights Reserved. Terms of use. NSFOCUS Security Team <security () nsfocus com> NSFOCUS INFORMATION TECHNOLOGY CO.,LTD (http://www.nsfocus.com)
Current thread:
- NSFOCUS SA2000-07 : Microsoft IIS 4.0/5.0 CGI File Name Inspection Vulnerability Nsfocus Security Team (Nov 08)