COMMAND
IIS
SYSTEMS AFFECTED
Microsoft Internet Information Server (IIS) 4
PROBLEM
Nu Omega Tau found the following. Extended Unicode is an exploit
found in October 2000 by an unknown person; rfp did further
research on it. Later on, variants were found, such as using
the /msadc directory instead of /scripts and using different ways
of Unicode encoding. All these techniques had their pros and
cons: the /scripts method worked on both IIS4 and IIS5, but didn't
work if the wwwroot directory was on a different partition than
the winnt directory. The /msadc method solved this, as the /msadc
directory is in \program files, which is usually on the same
partition as the winnt dir; the msadc method, though, doesn't work
with IIS5.
Both of the methods still had a common flaw: the name of the
winnt directory must be known for the exploit to work. With this
new method, this isn't the case. This method only works with IIS4
though.
When using /iisadmpwd, which is a subdirectory of the Windows
NT directory, it is not necessary to specify the Windows NT
directory. We can just do
http://target.machine/iisadmpwd/..%c0%af../cmd.exe?/c+dir
As you can see, we don't specify any directory, but get back:
Directory of C:\WINDOWS\System32\inetsrv\iisadmpwd
01/01/00 11:11a <DIR> .
01/01/00 11:11a <DIR> ..
01/01/00 11:11p 1,902 achg.htr
(...)
We can imagine admins scanning their network with home-made
scripts for vulnerabilities and only fixing machines where the
vulnerabilities are found. When the installation directory is
not winnt, the vulnerability wouldn't be detected by such a scan,
but it can still be exploited if the machine isn't patched.
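Added example, not part of the original advisory: a log check that flags traversal requests using overlong UTF-8 separators (such as %c0%af or %c1%9c) no matter which directory prefix they start from, so a home-made scan or log review does not depend on the /scripts, /msadc or /iisadmpwd path or on the winnt name. The log lines are constructed and the W3C-style field layout (date time c-ip method uri-stem uri-query status) is an assumption.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed IIS-style log lines (not real traffic); field order is assumed:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2000-11-01 11:11:00 10.0.0.5 GET /iisadmpwd/..%c0%af../cmd.exe /c+dir 200
2000-11-01 11:12:00 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2000-11-01 11:13:00 10.0.0.7 GET /default.htm - 200
2000-11-01 11:14:00 10.0.0.9 GET /msadc/..%c1%9c../winnt/system32/cmd.exe /c+dir 200
2000-11-01 11:15:00 10.0.0.8 GET /images/../default.htm - 200
"""

def decode_overlong(raw: bytes):
    """Decode UTF-8 leniently: also accept overlong 2- and 3-byte forms, which a
    strict decoder rejects but the vulnerable server accepted. Returns (text, overlong_count)."""
    out, i, overlong = [], 0, 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)
            if cp < 0x80: overlong += 1        # C0/C1 lead bytes are never legal UTF-8
            out.append(chr(cp)); i += 2
        elif 0xE0 <= b <= 0xEF and i + 2 < len(raw) and all(0x80 <= c <= 0xBF for c in raw[i + 1:i + 3]):
            cp = ((b & 0x0F) << 12) | ((raw[i + 1] & 0x3F) << 6) | (raw[i + 2] & 0x3F)
            if cp < 0x800: overlong += 1       # e.g. E0 80 AF is an overlong '/'
            out.append(chr(cp)); i += 3
        else:
            out.append('\ufffd'); i += 1       # malformed byte: replacement char, move on
    return ''.join(out), overlong

TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')   # a '..' step bounded by / or \

def classify(uri_stem: str) -> str:
    """'overlong-traversal' when a '..' step relies on an overlong-encoded separator,
    'plain-traversal' for an ordinary '/../' (normalised safely by the server), else 'clean'."""
    text, overlong = decode_overlong(unquote_to_bytes(uri_stem))
    if not TRAVERSAL.search(text):
        return 'clean'
    return 'overlong-traversal' if overlong else 'plain-traversal'

def scan_log(log: str):
    """Return (client ip, uri-stem, verdict) for every non-clean request, any prefix."""
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        verdict = classify(fields[4])
        if verdict != 'clean':
            hits.append((fields[2], fields[4], verdict))
    return hits
```

Run over the sample, the three overlong requests are reported as overlong-traversal while the plain /images/../ request is only plain-traversal.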
SOLUTION
This is not a new problem and DOES NOT require a new patch. If
you haven't applied the Unicode patch yet because the technique
didn't work on your system, it may be a good idea to do so now.
The patch can be found at
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23667