COMMAND

    IIS

SYSTEMS AFFECTED

    IIS 5.0 with patch Q277873 applied (the patch is the problem)

PROBLEM

    The following is based on Georgi Guninski security advisory #30.
    IIS 5.0 with patch Q277873 allows executing arbitrary commands on
    the web server.

    If patch Q277873 is installed on IIS 5.0 then it is possible to
    execute arbitrary programs on the web server.  The following URL:

        http://SOMEHOST/scripts/georgi.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c%20dir%20C:\

    executes "DIR C:\".  When you are prompted, save the output to a
    file.  It is possible to use the MSADC directory instead of
    scripts.  It is also possible to read most files using:

        http://SOMEHOST/scripts/georgi.asp/..%C1%9C..%C1%9C..%C1%9Ctest.txt

    Microsoft issued Microsoft Security Bulletin (MS00-086), which
    installs patch Q277873.  Unfortunately, patch Q277873 opens
    another vulnerability which allows executing arbitrary programs
    on the web server.
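
    One way to detect the %C1%9C sequences used in the URLs above (an
    added example, not part of the original advisory): 0xC0 and 0xC1
    are never valid UTF-8 lead bytes, so a percent-encoded pair that
    starts with either is an overlong encoding of an ASCII character,
    and %C1%9C hides a backslash.  The raw request-line input format,
    the function names and the sample lines are assumptions
    constructed for this example.

```python
import re

# 0xC0 and 0xC1 are never valid UTF-8 lead bytes: a two-byte sequence that
# starts with one of them is an overlong encoding of an ASCII character.
OVERLONG = re.compile(r"%(C[01])%([89AB][0-9A-F])", re.IGNORECASE)


def decode_overlong(path):
    """Replace each overlong pair with the ASCII character it hides.

    Returns (decoded_path, number_of_overlong_pairs).
    """
    def repl(m):
        lead, cont = int(m.group(1), 16), int(m.group(2), 16)
        return chr(((lead & 0x1F) << 6) | (cont & 0x3F))
    return OVERLONG.subn(repl, path)


def inspect(request_line):
    """Return a finding for a raw request line, or None if no overlong pair."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None
    path = parts[1].split("?", 1)[0]          # ignore the query string
    decoded, count = decode_overlong(path)
    if count == 0:
        return None                            # valid UTF-8 or plain ASCII
    traversal = re.search(r"\.\.[\\/]", decoded) is not None
    return {"path": path, "decoded": decoded,
            "overlong": count, "traversal": traversal}


def scan(lines):
    """Inspect every request line and keep only the findings."""
    return [f for f in map(inspect, lines) if f]


# Constructed sample request lines (assumed raw, not yet URL-decoded).
SAMPLES = [
    "GET /scripts/georgi.asp/..%C1%9C..%C1%9C..%C1%9Ctest.txt HTTP/1.0",
    "GET /caf%C3%A9/menu.html HTTP/1.0",       # valid two-byte UTF-8
    "GET /scripts/default.htm HTTP/1.0",
]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

    The check must run on the request path before any URL decoding or
    normalisation, since a decoded log field no longer shows the pair.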

SOLUTION

    Patched.  See:

        http://oliver.efri.hr/~crv/security/bugs/NT/iis84.html

    for new patches.