Tutorial - IIS Vulnerabilities

IIS Vulnerabilities

Updated 3/17/03

Impact

An attacker could send a specially constructed request which crashes the server, executes arbitrary code with the privileges of the web server, or reveals the source code of ASP pages.

Note: The stoplight on this page indicates the highest severity level for this category of vulnerabilities. Please refer to the dot beside the link to this tutorial on the previous page to find out the true severity level.

Background

Microsoft IIS web servers accept requests for a number of different types of files. The most common methods of requesting a file are GET and POST. In addition to the request itself, the web browser sends the IIS server additional information called headers which are not seen by the user. Information in the header can include browser type, content type, content length, and other information.

Some of the file types for which IIS may accept requests are .HTR files (for remote administration of passwords), .IDC files (Internet Database Connectors), .STM files (server side include files), .PRINTER files (printers), .IDA files (Internet Data Administration), and .IDQ files (Internet Data Query). Whenever any file of one of these types is requested by a client, a corresponding DLL file is executed on the server, regardless of whether or not the requested file actually exists on the server.

Windows 2000 supports the Web Distributed Authoring and Versioning (WebDAV) protocol, which is a set of extensions to the HTTP protocol which allow remote adding and editing of web pages. IIS 5.0 has WebDAV support enabled by default.

The Problems

IIS 5.0 WebDAV buffer overflow

3/17/03
CAN 2003-0109
A buffer overflow condition in ntdll.dll, which is used by the WebDAV component, could allow a remote attacker to gain Local System privileges by sending a specially crafted request to an IIS 5.0 web server. Only IIS 5.0 on Windows 2000 is affected by this vulnerability. Windows NT and Windows XP are not affected.

Multiple Vulnerabilities in IIS 4.0 - 5.1

4/11/02
Microsoft Security Bulletin 02-018 announced ten newly discovered vulnerabilities affecting IIS 4.0 through 5.1, ranging in impact from denial of service to execution of arbitrary code. Each of the following vulnerabilities affects IIS 4.0, 5.0, and/or 5.1:

Two buffer overflows affecting chunked encoding transfers via Active Server Pages (ASP) (CVE 2002-0079 CVE 2002-0147)
A buffer overflow in the processing of HTTP headers by spoofing the check of the delimiter fields (CVE 2002-0150)
A buffer overflow in the processing of server-side includes in ASP files (CVE 2002-0149)
A buffer overflow affecting the HTR ISAPI extension (CVE 2002-0071)
Denial-of-service conditions in the processing of error messages from ISAPI extensions and the processing of FTP status requests (CVE 2002-0072 CVE 2002-0073)
Three cross-site scripting vulnerabilities (CVE 2002-0074 CVE 2002-0075 CVE 2002-0148)

11/5/02
Microsoft Security Bulletin 02-062 announced four more vulnerabilities affecting IIS 4.0, 5.0, and/or 5.1:

A privilege elevation vulnerability affecting the way ISAPIs are launched when configured to run out of process (CAN 2002-0869)
A denial-of-service vulnerability in the processing of WebDAV requests (CAN 2002-1182)
An error which weakens the access control on uploading of .COM files to write-enabled virtual directories (CAN 2002-1180)
Two cross-site scripting vulnerabilities affecting the administrative web page (CAN 2002-1181)

Chunked .HTR buffer overflow

6/13/02
CVE 2002-0364
IIS web servers support chunked encoding, in which HTTP POST data is sent to the server in multiple parts. A heap overrun vulnerability in the ISAPI filter which handles requests for .HTR files could allow a remote attacker to execute arbitrary commands when chunked encoding is used. The requested .HTR file usually does not need to exist on the server in order for the vulnerability to be exploited.

IIS 4.0 and 5.0 are affected by this vulnerability if the .HTR application filter is enabled and the patch has not been applied. This is not the same vulnerability as the one described above.

Buffer Overflows in IIS 5.0

6/18/01
CVE 2001-0241
CVE 2001-0500

The DLLs which IIS 5.0 uses to process requests for .PRINTER files on Windows 2000, and for .IDA and .IDQ files on any Windows platform that has Indexing Services installed, contain buffer overflows. A remote attacker could execute arbitrary commands with full system privileges or create a denial of service by sending a specially crafted request for a .PRINTER, .IDA, or .IDQ file. In most cases the requested file does not need to exist on the web server in order for this vulnerability to be exploited, and exploitation of the DLLs that come with Indexing Services is possible even if Indexing Services are not running.

Due to the nature of this vulnerability, it could not be confirmed by a network scan (unless the dangerous tests option was chosen). The server is not vulnerable if any of the following conditions apply:

The patches for this vulnerability have already been applied
The mapping for the corresponding ISAPIs have been removed

Furthermore, IIS 4.0 servers are not affected by this vulnerability but are affected by a similar vulnerability. (See below.)

Folder Traversal in IIS 4.0 and 5.0

CVE 2000-0884
CVE 2001-0333

The "../" string in a pathname usually indicates a parent directory. IIS rejects URLs containing this string, thereby preventing web users from accessing files outside of the web document root directory. However, this safeguard can be averted by:

Representing part of the ../ string in a Unicode format, or
Using double encoding; that is, URL-encoding part of the ../ string, and then URL-encoding the resulting encoded string

Using either of these two exploits, it is possible for a remote user to bypass the safeguard and gain unauthorized access to any file or system command located on the same logical drive as the web root directory. The attacker would have the privileges of the IUSR_machinename account, where machinename is the name of the system. This account, if included in the Everyone and Users groups, could be used to execute almost any command on the system.

Buffer Overflows in IIS 4.0

CVE 1999-0874

In Microsoft IIS version 4.0, the DLL files which are executed when .HTR, .IDC, or .STM files are requested have a buffer overflow condition which could allow an attacker to crash the server or execute arbitrary commands on the web server.

This vulnerability could not be confirmed by a remote scan. The server is not vulnerable to this attack if any of the following conditions exist:

Windows NT 4.0 Service Pack 6 has been applied
The ext-fix hotfix has been applied
The workaround for this problem has been applied. That is, "check if this file exists" has been selected for each of the affected file types
The following three files do not exist on the server: ism.dll, ssinc.dll, and httpodbc.dll

If none of the above conditions exist, then the server is probably vulnerable.

CVE 2000-0226
An older buffer overflow affects IIS 4.0's implementation of chunked encoding and could allow an attacker to cause a denial of service with a large POST or PUT command.

Filename Inspection Vulnerability

CVE 2000-0886

When the web server receives a request for a .exe or .com file under an executable directory, the system calls cmd.exe to process the requested program. Anything following the filename in the request is interpreted as a command-line argument. Some arguments, such as an ampersand (&), could cause the remaining arguments to be interpreted as a new command. Thus, if an attacker knows the path and filename of a batch of .cmd file under an executable directory, he or she could run arbitrary commands by sending a specially crafted request for that file.

Similarly, script interpreters such as perl.exe and php.exe, could be tricked into running arbitrary commands by a specially crafted request for the corresponding type of file.

Specialized Header Vulnerability

CVE 2000-0778

One of the headers that can appear in an http request is Translate: f. This header is supposed to allow FrontPage2000, or any WebDAV compatible client, to retrieve the source code of scriptable pages for editing. Due to a bug, any client can retrieve the source code in this manner.

If good security practices are in use, the source code will not include any sensitive information, making this vulnerability minor. However, many scriptable pages on web servers include passwords or other sensitive information in the source, which could be used by an attacker to launch a more destructive attack.

Other vulnerabilities in IIS 4 and 5

CVE 2000-0770
CVE 2001-0151
CVE 2001-0507
There are several other vulnerabilities in IIS 4 and 5 which are not as critical as those listed above, but which still should be addressed. The first could allow an attacker to gain additional privileges to a file in IIS 4.0 and 5.0 by sending a specially crafted URL if a parent directory has less restrictive permissions than the file. The second could allow an attacker to create a denial of service against IIS 5.0 by sending a malformed WebDAV request to the server. The third is a privilege elevation vulnerability which arises in IIS 5.0 because the table that specifies which files can be run in-process uses both absolute and relative path names, allowing a file which is not in the table to possibly match a file name in the table.

Resolutions

Install the cumulative patch referenced in Microsoft Security Bulletin 02-062. Windows 2000 users must also install the patch referenced in Microsoft Security Bulletin 03-007 or apply one of several workarounds described in the same bulletin.

Where can I read more about this?

More information on the WebDAV buffer overflow is available in CERT Advisory 2003-09 and Microsoft Security Bulletin 03-007.

More information on the chunked .HTR processing vulnerability is available in Microsoft Security Bulletin 02-028 and eEye advisory 20020612.

More information on the multiple vulnerabilities in IIS 4.0 through 5.1 is available in CERT Advisory 2002-09, Microsoft Security Bulletin 02-018, and Microsoft Security Bulletin 02-062.

More information on the buffer overflows in IIS 5.0 is available from Microsoft Security Bulletins 01-023 and 01-033, CERT advisories 2001-10 and 2001-13, and eEye advisories AD20010501 and AD20010618. General information on securing IIS 5.0 can be found in the IIS 5 security checklist.

More information on folder traversal using Unicode translation is available from Microsoft Security Bulletin 00-078 and a posting to Bugtraq. More information on folder traversal using double encoding is available from Microsoft Security Bulletin 01-026, NSFOCUS Security Advisory 2001-02, and CERT Advisory 2001-12.

More information on the buffer overflow vulnerability is available from Microsoft Security Bulletin 99-019 and from Microsoft Knowledge Base article Q234905.

More information on the filename inspection vulnerability can be found in Microsoft Security Bulletin 00-086 and NSFOCUS Security Advisory 2000-07.

More information on the specialized header vulnerability is available from Bugtraq and Microsoft Security Bulletin 00-058.

More information on the other vulnerabilities was reported in Microsoft Security Bulletins 00-057, 01-016, and 01-044.