COMMAND

    IIS

SYSTEMS AFFECTED

    - Microsoft IIS 4.0 for Far East editions (prior to SP6)
    - Microsoft IIS 5.0 for Far East editions (Chinese (Traditional and Simplified), Japanese, and Korean (Hangeul))

PROBLEM

    The following is based on NSFOCUS Security Advisory SA2000-08.  The
    NSFOCUS security team has found a security flaw in Microsoft  IIS
    4.0/5.0 (Far East editions) in the way it responds to an HTTP
    request containing an incomplete double-byte character set  (DBCS)
    character.  It can expose files under the Web directory to a remote
    attacker.

    The Far East editions of Microsoft IIS include Chinese (Traditional
    and Simplified), Japanese and Korean (Hangeul), all of which use  a
    double-byte character set (DBCS).  When IIS receives an HTTP request
    with a non-ASCII byte in the file name, it checks whether that byte
    is a lead-byte (lead-byte ranges: 0x81 - 0x9F, 0xE0 - 0xFC).  If it
    is, IIS goes on to look for a trail-byte.  If no trail-byte is
    available, IIS simply drops the lead-byte, so the request  resolves
    to a different file name than the one the client sent, and a
    different file is opened.

    By submitting such a malformed URL, an attacker can trick IIS  into
    passing the request to a particular ISAPI DLL and opening a kind of
    file that DLL cannot interpret, so the file's raw contents are
    returned instead of being processed.  The attacker may thereby
    obtain the contents of plain-text files (.asp, .ini, .asa etc.)  or
    binary system files (.exe) under the Web root or a virtual
    directory.
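    The following Python is an added illustration, not code from the
    advisory and not the proof of concept it refers to.  It models the
    lead-byte scan described above: the lenient decoder reproduces the
    behaviour the advisory attributes to the vulnerable IIS builds (a
    lead-byte with no trail-byte behind it is dropped), and the strict
    decoder shows the hardened alternative of refusing the request.
    Assumptions not stated on the page: "trail-byte not available" is
    taken to mean the name ends right after the lead-byte; trail-byte
    value ranges are not checked because the advisory does not give
    them; and every sample path (/sample.asp and the others) is a
    constructed placeholder, not a URL from the advisory.

```python
from urllib.parse import unquote_to_bytes

# Lead-byte ranges as quoted in the advisory (0x81-0x9F, 0xE0-0xFC).
LEAD_BYTE_RANGES = ((0x81, 0x9F), (0xE0, 0xFC))


def is_lead_byte(b: int) -> bool:
    """True if byte b starts a two-byte DBCS character under those ranges."""
    return any(lo <= b <= hi for lo, hi in LEAD_BYTE_RANGES)


def has_dangling_lead_byte(raw: bytes) -> bool:
    """True if the name contains a lead-byte with no trail-byte behind it.
    Assumption: a trail-byte is 'not available' only at end of input."""
    i = 0
    while i < len(raw):
        if is_lead_byte(raw[i]):
            if i + 1 >= len(raw):
                return True
            i += 2          # complete two-byte character, skip both bytes
        else:
            i += 1
    return False


def decode_path_lenient(raw: bytes) -> bytes:
    """Model of the vulnerable behaviour: walk the name byte by byte, keep a
    lead-byte together with its trail-byte, and silently drop a lead-byte
    that ends the name.  The request then resolves to a shorter file name
    than the one the client actually sent."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if is_lead_byte(b):
            if i + 1 < len(raw):
                out += raw[i:i + 2]
                i += 2
            else:
                i += 1      # dangling lead-byte: dropped, nothing emitted
        else:
            out.append(b)
            i += 1
    return bytes(out)


def decode_path_strict(raw: bytes) -> bytes:
    """Hardened variant: an incomplete DBCS sequence is a malformed request
    and is refused rather than repaired."""
    if has_dangling_lead_byte(raw):
        raise ValueError("incomplete DBCS character in request path")
    return raw


def resolve_request(url_path: str) -> bytes:
    """Percent-decode an HTTP request path and run it through the lenient
    decoder, mimicking the end-to-end name resolution the advisory
    describes."""
    return decode_path_lenient(unquote_to_bytes(url_path))


if __name__ == "__main__":
    # Constructed sample paths; /sample.asp is a placeholder, not a real target.
    for path in ("/sample.asp", "/sample.asp%81", "/sample.asp%FC",
                 "/%82%A0.asp", "/x%A5"):
        print(f"{path:16} -> {resolve_request(path)!r}")
```

    Run stand-alone, the script shows that "/sample.asp%81" and
    "/sample.asp%FC" both collapse to the same name as "/sample.asp",
    while a complete two-byte character ("/%82%A0.asp") and a non-ASCII
    byte outside the lead-byte ranges ("/x%A5") are left untouched.  The
    strict decoder is the check a practitioner would want in a request
    parser: refuse a name whose last byte is a lead-byte instead of
    guessing what the client meant.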

    Proof of concept code will be available soon.

SOLUTION

    Non-affected system:

        - Microsoft IIS 4.0 for Far East editions (SP6/SP6a)
        - Microsoft IIS 5.0/4.0, all other language editions

    This problem was fixed in IIS 4.0 by SP6, but has resurfaced in
    IIS 5.0.

    Workaround:

        1. Remove unnecessary ISAPI mappings such as HTR, HTW, IDQ etc.
        2. Turn on the "Check that file exists" option for every ISAPI
           mapping you do need.
        3. If you are running IIS 4.0 with a service pack earlier  than
           SP6, update to SP6.