COMMAND

    IIS

SYSTEMS AFFECTED

    IIS 4.0 (without SP6/SP6a applied), 5.0

PROBLEM

    The following is based on NSFOCUS SA2000-07.  The NSFOCUS security
    team has found a security flaw in Microsoft IIS 4.0/5.0 in the way
    it handles a CGI file name.  By exploiting it, an attacker can read
    system files and run arbitrary system commands.

    When handling CGI applications (.exe, .pl, .php etc.), Microsoft IIS
    4.0/5.0 does not perform a complete security check of the CGI file
    name, which may cause IIS to mistakenly open or run a file if a
    special character is contained in the file name.

    1. Given a malformed HTTP request that asks IIS to run a ".exe" or
       ".com" program under an executable directory, IIS first tries to
       load the program and checks that the file exists and what type
       it is.  By inserting a special character in the file name, an
       attacker can trick this loading code into checking a file that
       was not requested.

       If all of the following conditions are met:

        (1) The target file exists
        (2) The target file is a batch file
        (3) The target file is a plain-text file longer than zero bytes

       IIS will automatically call "cmd.exe" to interpret it.  The rest
       of the requested file name is passed to "cmd.exe" as parameters
       of the batch file.  Thus, an attacker can run arbitrary commands
       by inserting characters such as "&".

       Create a batch file "test.bat" with arbitrary content, such as
       "abc", under an executable directory (e.g. /scripts).  Submit
       the following URL:

        http://site/scripts/test.bat"+&+dir+c:/+.exe (for IIS 5.0)
        or
        http://site/scripts/test.bat"+&+dir+c:/+.com

       You get the file list of C:\.

       IIS attaches double quotation marks around the executable file
       name itself.  That is why the request is turned into the
       following format when it is passed to "CMD.exe":

        CMD.exe "D:\interpub\scripts\test.bat" & dir C:/ .exe"

       So an attacker can run arbitrary commands with IUSR_machinename
       privileges, and the executable virtual directory does not need
       to be on the same drive as "WINNT\system32\CMD.exe".

       For IIS 4.0 before SP6, and for IIS 4.0/5.0 with the patch for
       MS00-057 applied, we can use the following URL:

        http://site/scripts/test.bat"+"&+dir+c:/+.exe

       For IIS 4.0 with SP6/SP6a, it has to be combined with the
       "%c1%1c" vulnerability:

        http://site/scripts/test.bat"+"+&+dir+c:/+/..%c1%9c..%c1%9c..%c1%9c..%c1%9cwinnt/system32/route.exe

       ("winnt/system32/route.exe" can be replaced with any existing
       executable program that has a ".com" or ".exe" suffix.)

       Commands can also be inserted in the URL parameter, for example:

        http://site/scripts/a.bat"+".exe?+&+dir

       An earlier patch for IIS 5.0 provided by Microsoft did not take
       this into account.  It is suggested that you apply the new patch
       as soon as possible.

       Although the IIS executable directory does not contain any batch
       file in a default installation, an attacker can still make use
       of this flaw:

       (1) When the system administrator has installed some CGI program
           that allows users to create files under the executable
           directory.  For example, some counter programs allow a user
           to create and name a data file, even though he cannot
           control the file content.  An attacker may take that chance
           and run any command.
       (2) MSSQL and Perl packages ship with their own batch files.
           When the system administrator has installed MSSQL or Perl
           and they happen to be on the same drive as some IIS
           executable virtual directory, an intruder may carry out the
           attack by combining it with the "%c1%1c" vulnerability.

       For instance, MSSQL7 has 2 batch files under "\install" in a
       default installation:

        D:\mssql7\install\pubimage.bat
        D:\mssql7\install\pubtext.bat

       We can run arbitrary commands by submitting the following URL if
       the "\scripts" directory of IIS has been mapped to
       "D:\interpub\scripts":

        http://site/scripts/..%c1%1c../..%c1%1c../mssql7/install/pubtext.bat"+&+dir+c:\+.exe

       In addition, websites that allow users to upload ".bat" or ".cmd"
       files may also suffer from this kind of attack.

    2. If a script interpreter (php.exe, perl.exe etc.) and the relevant
       mapping are installed, IIS will call the interpreter on the file
       name submitted by the user to run the corresponding CGI script.
       By inserting special characters, an attacker can trick the
       interpreter into opening a file outside the web directory.
       Depending on how the interpreter is executed, the attacker may
       read part or even all of the file content.

       On a system with php.exe (PHP3) installed, an attacker may read
       files outside the web directory:

        http://target/."./."./winnt/win.ini%20.php3
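    The request shapes described in sections 1 and 2 above (a client-supplied
    double quote inside a CGI file name, a batch file named as the CGI
    target, the "%c1%1c"/"%c1%9c" sequences, and the '."' directory
    component of the PHP3 case) are all visible in the cs-uri-stem field of
    an IIS log.  The following is an added detection example, not code from
    NSFOCUS or Microsoft; the log lines are constructed, the seven-field
    W3C layout is an assumption, and the rule names are made up here.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in IIS W3C extended log format (fields assumed:
#   date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
# The request shapes mirror the URLs quoted in the advisory above.
SAMPLE_LOG = """\
2000-11-22 10:15:01 10.0.0.5 GET /scripts/counter.exe - 200
2000-11-22 10:15:07 10.0.0.5 GET /scripts/test.bat"+&+dir+c:/+.exe - 200
2000-11-22 10:15:09 10.0.0.5 GET /scripts/test.bat"+"&+dir+c:/+.exe - 200
2000-11-22 10:15:12 10.0.0.5 GET /scripts/a.bat"+".exe +&+dir 200
2000-11-22 10:15:20 10.0.0.5 GET /scripts/..%c1%1c../..%c1%1c../mssql7/install/pubtext.bat"+&+dir+c:\\+.exe - 200
2000-11-22 10:15:33 10.0.0.5 GET /."./."./winnt/win.ini%20.php3 - 200
2000-11-22 10:16:00 10.0.0.9 GET /default.asp id=42 200
"""

# The overlong sequences named in the advisory; matched on the raw,
# still-encoded stem because decoding them yields replacement characters.
UNICODE_TRAVERSAL = re.compile(r"%c1%(?:1c|9c)", re.IGNORECASE)
CGI_EXT = re.compile(r"\.(?:exe|com)\b", re.IGNORECASE)
BATCH_EXT = re.compile(r"\.(?:bat|cmd)\b", re.IGNORECASE)
# The PHP3 case: a '."' segment used as a directory component, e.g. /."./."./
DOT_QUOTE_TRAVERSAL = re.compile(r'\."\.?/')


def classify_request(stem):
    """Return the list of rule names a single cs-uri-stem trips (empty if clean)."""
    findings = []
    decoded = unquote(stem)  # %22 -> '"', %20 -> ' ', etc.
    if UNICODE_TRAVERSAL.search(stem):
        findings.append("unicode-traversal")
    if '"' in decoded and CGI_EXT.search(decoded):
        # IIS wraps the CGI name in quotes itself; a quote supplied by the
        # client is what breaks the cmd.exe command line apart.
        findings.append("quote-in-cgi-name")
    if BATCH_EXT.search(decoded) and CGI_EXT.search(decoded):
        findings.append("batch-file-as-cgi")
    if DOT_QUOTE_TRAVERSAL.search(decoded):
        findings.append("dot-quote-traversal")
    if CGI_EXT.search(decoded) and re.search(r"[&|]", decoded):
        # '&' or '|' never belongs in a path component.  Only the stem is
        # checked, since '&' is normal inside a query string.
        findings.append("shell-metachar-in-path")
    return findings


def scan_log(text):
    """Return a list of (stem, findings) for every flagged line of W3C log text."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        findings = classify_request(fields[4])
        if findings:
            hits.append((fields[4], findings))
    return hits


if __name__ == "__main__":
    for stem, findings in scan_log(SAMPLE_LOG):
        print(f"{', '.join(findings):50s} {stem}")
```

    The ".com" pattern also matches a host-like path component such as
    "/example.com/", so on a busy server the quote and metacharacter rules
    are the ones worth paging on; the "%c1%1c" rule on its own still catches
    the traversal variants from section 1.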

SOLUTION

    Always remove unnecessary batch files, and keep necessary batch
    files on a different drive from any executable virtual directory.
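    One way to check a server against this advice is to take an inventory
    of executable virtual directories and of every ".bat"/".cmd" file on
    the machine and sort the batch files into three classes: inside an
    executable directory (runnable directly), on the same drive as one
    (reachable through the traversal described above), or on another
    drive.  The following is an added example, not Microsoft's or NSFOCUS's
    code; the directory and file lists are constructed from the paths the
    advisory mentions, and in practice they would come from the metabase
    and a file-system walk.

```python
import ntpath

# Constructed inventory: one executable virtual directory and a few files,
# using the drive layout from the advisory (D:\interpub\scripts, D:\mssql7).
EXEC_VDIRS = ["D:\\interpub\\scripts"]
FILES = [
    "D:\\interpub\\scripts\\test.bat",
    "D:\\mssql7\\install\\pubtext.bat",
    "D:\\mssql7\\install\\pubimage.bat",
    "E:\\tools\\nightly.cmd",
    "D:\\interpub\\wwwroot\\default.htm",
]


def _norm(path):
    # ntpath is pure string handling, so this audit can also run on a
    # non-Windows host that only has the exported lists.
    return ntpath.normcase(ntpath.normpath(path))


def audit_batch_files(exec_vdirs, files):
    """Classify every .bat/.cmd path by how reachable it is from an executable vdir."""
    vdirs = [_norm(v) for v in exec_vdirs]
    drives = {ntpath.splitdrive(v)[0] for v in vdirs}
    report = {}
    for f in files:
        if not f.lower().endswith((".bat", ".cmd")):
            continue
        nf = _norm(f)
        if any(nf.startswith(v + "\\") for v in vdirs):
            report[f] = "inside-executable-vdir"         # runnable directly
        elif ntpath.splitdrive(nf)[0] in drives:
            report[f] = "same-drive-as-executable-vdir"  # reachable via traversal
        else:
            report[f] = "other-drive"                    # what the advisory asks for
    return report


def needs_action(report):
    """Batch files that should be removed or moved to another drive."""
    return sorted(f for f, state in report.items() if state != "other-drive")


if __name__ == "__main__":
    result = audit_batch_files(EXEC_VDIRS, FILES)
    for path, state in result.items():
        print(f"{state:30s} {path}")
    print("needs action:", needs_action(result))
```

    Drive comparison is done on the normalised path, so "d:" and "D:" and
    forward-slash variants of the same directory are treated alike.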

    Patches (updated on Nov 21st) are available at:

        - IIS 4.0: http://www.microsoft.com/ntserver/nts/downloads/critical/q277873
        - IIS 5.0: http://www.microsoft.com/Windows2000/downloads/critical/q277873

    Note: The IIS 5.0 patch can be applied atop systems running either
    Windows 2000  Gold or  Service Pack  1.   It will  be included  in
    Windows 2000 Service Pack 2.

    Note:  The  IIS  4.0  patch  can  be  applied atop systems running
    Windows NT 4.0 Service Pack 6a.  It will be included in Windows NT
    4.0 Service Pack 7.