Microsoft IIS 4.0/5.0 CGI File Name Inspection details
------------------------------------------------------------------------

SUMMARY

The NSFOCUS security team has found a security flaw in the CGI handling mechanism of Microsoft IIS 4.0/5.0. Exploitation of this hole enables an attacker to read system files and run arbitrary system commands.

DETAILS

When handling CGI applications (.exe, .pl, .php etc.), Microsoft IIS 4.0/5.0 does not perform a consistent security check on the CGI file name. As a result, IIS may mistakenly open or run a different file when a special character is contained in the file name.

1. When given a malformed HTTP request that asks IIS to run an ".exe" or ".com" program under an executable directory, IIS first tries to load the program and checks for file existence and file type. By inserting a special character in the file name, an attacker can trick the loader into checking a file that was not requested. If the following is true:

(1) The target file exists
(2) The target file is a batch file
(3) The target file is a plain text file larger than zero bytes

IIS will automatically call "cmd.exe" to interpret it. The other parts of the requested file name are passed to "cmd.exe" as arguments to the batch file. Thus, an attacker can run arbitrary commands by inserting characters such as "&".

2. If a script interpreter (php.exe, perl.exe etc.) is installed, IIS will call it to interpret the file name submitted by the user and run the corresponding CGI script. Inserting certain special characters enables the attacker to trap the interpreter and force it to open files outside the web directory. Depending on how the interpreter executes, the attacker may read part of or even the full file content.

Workaround: Always remove unnecessary batch files, and keep necessary batch files on a separate drive from any executable virtual directory.
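The flaw above hinges on a CGI file name that carries characters beyond the name IIS actually checks, so one defensive check is to scan IIS logs for CGI requests whose file-name segment contains anything outside a plain file-name character set. The following is an added example, not part of the advisory; it assumes W3C extended log format with a "#Fields:" header, and the log lines, IP addresses and the allowed-character set are constructed assumptions.

```python
"""Flag IIS log entries whose CGI file name carries unexpected characters."""
import re
from urllib.parse import unquote

# Extensions IIS hands to a CGI program, cmd.exe or a script interpreter;
# the lookahead lets the match succeed when extra characters follow the extension.
CGI_EXT = re.compile(r"\.(exe|com|bat|pl|php)(?=$|[^A-Za-z0-9])", re.I)

# Characters a legitimate CGI file name is expected to contain (assumption).
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")

# Constructed sample log in W3C extended format (not from a real server).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-01-10 10:00:01 192.0.2.10 GET /scripts/search.pl q=iis 200
2001-01-10 10:00:02 192.0.2.11 GET /scripts/tools.exe - 200
2001-01-10 10:00:03 192.0.2.12 GET /scripts/report.bat&ver - 200
2001-01-10 10:00:04 192.0.2.13 GET /scripts/tools.exe%26ver - 200
2001-01-10 10:00:05 192.0.2.14 GET /images/logo.gif - 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def cgi_segment(uri_stem):
    """Return the first percent-decoded path segment naming a CGI file, else None."""
    for seg in unquote(uri_stem).split("/"):
        if CGI_EXT.search(seg):
            return seg
    return None


def suspicious_requests(log_text):
    """Return (c-ip, cs-uri-stem) pairs whose CGI file name has extra characters.

    Such a name is what lets IIS check one file and hand the remainder of the
    name to cmd.exe or the script interpreter as arguments.
    """
    hits = []
    for rec in parse_w3c(log_text):
        seg = cgi_segment(rec["cs-uri-stem"])
        if seg and not SAFE_NAME.match(seg):
            hits.append((rec["c-ip"], rec["cs-uri-stem"]))
    return hits


if __name__ == "__main__":
    for ip, stem in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} requested {stem}")
```

Requests are decoded before inspection so that a percent-encoded "&" is caught as well as a literal one.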
Vendor Status: Microsoft has released an advisory about this issue. We reported on it in a previous article: <http://www.securiteam.com/windowsntfocus/Web_Server_File_Request_Parsing_vulnerability__Patch_available_.html> Web Server File Request Parsing vulnerability (Patch available)

--
Eko Sulistiono
MIKRODATA & AntiVirus Media
Web: http://www.mikrodata.co.id/
WAP: http://www.mikrodata.co.id/wap/index.wml
