IIS Vulnerabilities

Updated (3.3.2)

CVE 1999-0874
CVE 2000-0778
CVE 2000-0884
CVE 2000-0886

Impact

An attacker could send a specially constructed request which crashes the server, executes arbitrary code with the privileges of the web server, or reveals the source code of ASP pages.

Note: The stoplight on this page indicates the highest severity level for this category of vulnerabilities. Please refer to the dot beside the link to this tutorial on the previous page to find out the true severity level.

Background

Microsoft IIS web servers accept requests for a number of different types of files. The most common methods of requesting a file are GET and POST. In addition to the request itself, the web browser sends the IIS server additional information called headers which are not seen by the user. Information in the header can include browser type, content type, content length, and other information.

Some of the file types for which IIS may accept requests are .HTR files (for remote administration of passwords), .IDC files (Internet Database Connectors), .STM files (server side include files), .PRINTER files (printers), .IDA files (Internet Data Administration), and .IDQ files (Internet Data Query). Whenever any file of one of these types is requested by a client, a corresponding DLL file is executed on the server, regardless of whether or not the requested file actually exists on the server.

The Problem


Buffer Overflows in IIS 5.0

The DLLs which IIS 5.0 uses to process requests for .PRINTER files on Windows 2000, and for .IDA and .IDQ files on any Windows platform that has Indexing Services installed, contain buffer overflows. A remote attacker could execute arbitrary commands with full system privileges or create a denial of service by sending a specially crafted request for a .PRINTER, .IDA, or .IDQ file. In most cases the requested file does not need to exist on the web server in order for this vulnerability to be exploited, and exploitation of the DLLs that come with Indexing Services is possible even if Indexing Services are not running.

Due to the nature of this vulnerability, it could not be confirmed by a network scan (unless the dangerous tests option was chosen). The server is not vulnerable if any of the following conditions apply:

Furthermore, IIS 4.0 servers are not affected by this vulnerability but are affected by a similar vulnerability. (See below.)


Folder Traversal in IIS 4.0 and 5.0

CVE 1999-0874

The "../" string in a pathname usually indicates a parent directory. IIS rejects URLs containing this string, thereby preventing web users from accessing files outside of the web document root directory. However, this safeguard can be averted by:

  1. Representing part of the ../ string in a Unicode format, or
  2. Using double encoding; that is, URL-encoding part of the ../ string, and then URL-encoding the resulting encoded string
Using either of these two exploits, it is possible for a remote user to bypass the safeguard and gain unauthorized access to any file or system command located on the same logical drive as the web root directory. The attacker would have the privileges of the IUSR_machinename account, where machinename is the name of the system. This account, if included in the Everyone and Users groups, could be used to execute almost any command on the system.


Buffer Overflow in IIS 4.0

CVE 1999-0874

In Microsoft IIS version 4.0, the DLL files which are executed when .HTR, .IDC, or .STM files are requested have a buffer overflow condition which could allow an attacker to crash the server or execute arbitrary commands on the web server.

This vulnerability could not be confirmed by a remote scan. The server is not vulnerable to this attack if any of the following conditions exist:

If none of the above conditions exist, then the server is probably vulnerable.


Filename Inspection Vulnerability

CVE 2000-0886

When the web server receives a request for a .exe or .com file under an executable directory, the system calls cmd.exe to process the requested program. Anything following the filename in the request is interpreted as a command-line argument. Some arguments, such as an ampersand (&), could cause the remaining arguments to be interpreted as a new command. Thus, if an attacker knows the path and filename of a batch of .cmd file under an executable directory, he or she could run arbitrary commands by sending a specially crafted request for that file.

Similarly, script interpreters such as perl.exe and php.exe, could be tricked into running arbitrary commands by a specially crafted request for the corresponding type of file.


Specialized Header Vulnerability

CVE 2000-0884

One of the headers that can appear in an http request is Translate: f. This header is supposed to allow FrontPage2000, or any WebDAV compatible client, to retrieve the source code of scriptable pages for editing. Due to a bug, any client can retrieve the source code in this manner.

If good security practices are in use, the source code will not include any sensitive information, making this vulnerability minor. However, many scriptable pages on web servers include passwords or other sensitive information in the source, which could be used by an attacker to launch a more destructive attack.

Resolutions

For the buffer overflows in IIS 5.0, apply the patches. Patch information is available from the Microsoft Security Bulletins. Windows 2000 users should refer to 01-023 and 01-033. Windows NT users only need to refer to 01-033.

For the folder traversal vulnerability, apply the patch. Patch information for Unicode translation is available from Microsoft Security Bulletin 00-078. Patch information for double encoding is available from Microsoft Security Bulletin 01-026.

For the buffer overflow in IIS 4.0, install Service Pack 6. If you do not wish to install the service pack, then install the ext-fix hotfix or apply the workaround for this vulnerability. See Microsoft Knowledge Base article Q234905 for information on the hotfix and the workaround.

For the filename inspection vulnerability, install the patch referenced in Microsoft Security Bulletin 00-086.

For the specialized header vulnerability, install the patch.

Where can I read more about this?

More information on the buffer overflows in IIS 5.0 is available from Microsoft Security Bulletins 01-023 and 01-033, CERT advisories 2001-10 and 2001-13, and eEye advisories AD20010501 and AD20010618. General information on securing IIS 5.0 can be found in the IIS 5 security checklist.

More information on folder traversal using Unicode translation is available from Microsoft Security Bulletin 00-078 and a posting to Bugtraq. More information on folder traversal using double encoding is available from Microsoft Security Bulletin 01-026, NSFOCUS Security Advisory 2001-02, and CERT Advisory 2001-12.

More information on the buffer overflow vulnerability is available from Microsoft Security Bulletin 99-019 and from Microsoft Knowledge Base article Q234905.

More information on the filename inspection vulnerability can be found in Microsoft Security Bulletin 00-086 and NSFOCUS Security Advisory 2000-07.

More information on the specialized header vulnerability is available from Bugtraq and Microsoft Security Bulletin 00-058.