COMMAND
IIS
SYSTEMS AFFECTED
IIS 4, 5
PROBLEM
The following is based on an Internet Security Systems Security Alert.
A flaw exists in Microsoft Internet Information Server (IIS) that
may allow remote attackers to view directory structures, view and
delete files, execute arbitrary commands, and deny service to the
server. It is possible for attackers to craft URLs that take
advantage of a flaw in IIS URL decoding routines. Security
mechanisms within these routines can be bypassed. All recent
versions of IIS are affected by this vulnerability.
This vulnerability is very similar to the IIS Unicode Translation
Vulnerability we had before. As with the Unicode vulnerability,
this is a variation of the common "dot dot" directory traversal
attack. Older Web servers were vulnerable to this attack because
the ".." directories in URLs allowed attackers to back out of the
web root directory. This allowed attackers to navigate the file
system or execute commands at will. IIS and most current Web
servers have incorporated security measures to prevent the "dot
dot" attack. These security measures deny all queries to URLs
that contain too many leading slashes or ".." characters. The
Unicode vulnerability was a result of improper handling of Unicode
encoded ".." and "/" characters. This new vulnerability exploits
another flaw in the IIS encoding mechanism that allows a similar
result.
When IIS receives a query on a server-side script, it performs a
decoding pass on the request. The string is decoded into
canonical form and numerous security checks are performed to
ensure the request is valid. A second decoding routine is run on
the request to parse the parameters after the filename. IIS
mistakenly parses the filename again with these additional
parameters. This flaw allows specially crafted requests which
include ".." and "/" characters to bypass security checks.
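An added illustration (not from the ISS alert, and not IIS code) of why a security check that runs between two decoding passes can be bypassed, alongside a hardened canonicaliser that decodes to a fixed point before checking, and a detector for the pattern in web logs. is_traversal is a simplified stand-in for the real IIS checks; the log field order and sample entries are constructed for this example.

```python
import urllib.parse

def is_traversal(path: str) -> bool:
    """The check IIS applied after its first decode: no '..' path segment
    and no run of leading slashes (simplified stand-in for the real checks)."""
    return ".." in path.split("/") or path.startswith("//")

def vulnerable_resolve(raw_url: str):
    """Models the flaw: check the once-decoded text, then decode it again."""
    once = urllib.parse.unquote(raw_url)
    if is_traversal(once):
        return None                    # request rejected
    return urllib.parse.unquote(once)  # second pass re-decodes the filename too

def hardened_resolve(raw_url: str, max_passes: int = 4):
    """Decode until the string stops changing, then check the canonical form."""
    cur = raw_url
    for _ in range(max_passes):
        nxt = urllib.parse.unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    else:
        return None                    # still changing: too many encoding layers
    return None if is_traversal(cur) else cur

def flag_log_lines(lines):
    """Scan W3C-style log lines (constructed field order: date time c-ip
    cs-method cs-uri-stem sc-status). Returns (ip, uri, slipped_through) for
    each URI that is a traversal once fully decoded; slipped_through is True
    when the one-pass check in vulnerable_resolve would have let it past."""
    hits = []
    for line in lines:
        if line.startswith("#"):
            continue
        fields = line.split()
        ip, uri = fields[2], fields[4]
        if hardened_resolve(uri) is None:
            hits.append((ip, uri, vulnerable_resolve(uri) is not None))
    return hits

# Constructed sample log; the IPs and paths are illustrative only.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-05-15 10:00:01 192.0.2.10 GET /scripts/hello.asp 200
2001-05-15 10:00:02 192.0.2.20 GET /scripts/%2e%2e/private.txt 404
2001-05-15 10:00:03 192.0.2.30 GET /scripts/%252e%252e/private.txt 200""".splitlines()
```

The single-encoded request is blocked by either resolver, while the request that only becomes a traversal on the second pass is accepted by vulnerable_resolve and rejected by hardened_resolve; the log scan reports both, marking which one would have slipped past the flawed ordering.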
All queries are processed under the IUSR_machine context, which is
a member of the 'Everyone' and 'Users' groups. This provides access
to the web directory and most non-administrative functions.
Attackers may not directly modify or delete files owned by the
Administrator, nor run commands with privilege.
By crafting a request after a virtual directory with execute
permissions, it is possible for an attacker to execute arbitrary
commands. Attackers may then have the ability to manipulate the
appearance of the Web site, download sensitive data, or install
backdoor software.
This class of IIS vulnerabilities is well known and lends itself
to being widely exploited by incorporation into worms and
automatic scanning tools.
Older versions of IIS are not vulnerable.
SOLUTION
Please refer to the following Microsoft Bulletins for information
on the patches:
Microsoft IIS 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787
Microsoft IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764