Re: IIS 3.0 pen-test

[Parth Galen <Parth_Galen () ziplip com>]

As I understand it (and I am open to correction or clarification), the \scripts folder is like the current directory 
and where you are getting the execute right even though you are executing cmd.exe in another folder.  Unless you can 
find another folder with execute rights and that can traversial back to %systemroot%, you are out of luck.  

Below are the folders with execute rights in IIS 4, but I do not know how well this matches to IIS 3. 


/W3SVC/ROOT/msadc (to physical mapping) c:\program files\common\system\msadc 

/W3SVC/ROOT/News (to physical mapping) c:\inetpub\news 

/W3SVC/ROOT/Mail (to physical mapping) c:\inetpub\mail 

/W3SVC/ROOT/cgi-bin (to physical mapping) c:\inetpub\wwwroot\cgi-bin 

/W3SVC/ROOT/SCRIPTS (to physical mapping) c:\inetpub\scripts 

/W3SVC/ROOT/IISADMPWD (to physical mapping) c:\winnt\system32\inetsrv\iisadmpwd 

/W3SVC/ROOT/_vti_bin (to physical mapping) Installed with FrontPage Extensions 

/W3SVC/ROOT/_vti_bin/_vti_adm (to physical mapping) 

/W3SVC/ROOT/_vti_bin/_vti_aut (to physical mapping) 


Good luck!

Parth

> -----Original Message-----
> From: Alex Balayan [mailto:alex.balayan () Nettasking com]
> Sent: Thursday, July 05, 2001, 9:36 AM
> To: "'pen-test () securityfocus com'" <pen-test () securityfocus com>
> Cc: "'Security-basics () securityfocus com'" <Security-basics () securityfocus com>
> Subject: IIS 3.0 pen-test
>
> Hi all,
>
> I am conducting a penetration test for one of our clients and some of the
> webservers they are running are IIS 3.0.
>
> Well besides the rest of the vulnerabilites with MS IIS 3.0, I tested the
> servers for Unicode and it seemed they were vulnerable. ( I check using a
> perl script that I found on Packetstorm) it discovered that the servers were
> vulnerable to various forms of the unicode vulnerability.
>
> Ok, now to the meat of it. I opened my browser and attempted a directory
> listing using the scripts directory (which I know existed). I got an error
> saying "HTTP/1.0 403 Access Forbidden (Execute Access Denied -This Virtual
> Directory does not allow objects to be executed.)"
>
> I'm guessing that execution of commands is not allowed on that directory.
>
> I also tried with the msadc directory (which I know existed), but with the
> same result as above.
>
> Does anyone have any ideas on this one? I basically want to knwo if it's
> possible to use the uni code vulnerbaility to execute commands remotely.
>
> Thanks in advance.
>
>
> ------------------------------------------------------------------------------
> --------
>
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service
> For more information on SecurityFocus' SIA service which automatically alerts
> you to 
> the latest security vulnerabilities please see:
>
> https://alerts.securityfocus.com/


Never ascribe to malice that which can be explained by incompetence.  -- Napoleon

--------------------------------------------------------------------------------------

This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service
For more information on SecurityFocus' SIA service which automatically alerts you to 
the latest security vulnerabilities please see:

https://alerts.securityfocus.com/