Note: The stoplight on this page indicates the highest severity level for this category of vulnerabilities. Please refer to the dot beside the link to this tutorial on the previous page to find out the true severity level.
Some of the file types for which IIS may accept requests are .HTR files (for remote administration of passwords), .IDC files (Internet Database Connectors), .STM files (server side include files), .PRINTER files (printers), .IDA files (Internet Data Administration), and .IDQ files (Internet Data Query). Whenever any file of one of these types is requested by a client, a corresponding DLL file is executed on the server, regardless of whether or not the requested file actually exists on the server.
Windows 2000 supports the Web Distributed Authoring and Versioning (WebDAV) protocol, which is a set of extensions to the HTTP protocol which allow remote adding and editing of web pages. IIS 5.0 has WebDAV support enabled by default.
4/11/02
Microsoft
Security Bulletin 02-018 announced ten newly discovered
vulnerabilities affecting IIS 4.0 through 5.1, ranging in
impact from denial of service to execution of arbitrary code.
Each of the following vulnerabilities affects IIS 4.0, 5.0, and/or
5.1:
11/5/02
Microsoft
Security Bulletin 02-062 announced four more vulnerabilities
affecting IIS 4.0, 5.0, and/or 5.1:
6/13/02
CVE 2002-0364
IIS web servers support chunked encoding, in which
HTTP POST data is sent to the server in multiple
parts. A heap overrun vulnerability in the ISAPI filter
which handles requests for .HTR files could allow a remote
attacker to execute arbitrary commands when chunked encoding
is used. The requested .HTR file usually does not need to
exist on the server in order for the vulnerability to be exploited.
IIS 4.0 and 5.0 are affected by this vulnerability if the .HTR application filter is enabled and the patch has not been applied. This is not the same vulnerability as the one described above.
6/18/01
CVE 2001-0241
CVE 2001-0500
The DLLs which IIS 5.0 uses to process requests for .PRINTER files on Windows 2000, and for .IDA and .IDQ files on any Windows platform that has Indexing Services installed, contain buffer overflows. A remote attacker could execute arbitrary commands with full system privileges or create a denial of service by sending a specially crafted request for a .PRINTER, .IDA, or .IDQ file. In most cases the requested file does not need to exist on the web server in order for this vulnerability to be exploited, and exploitation of the DLLs that come with Indexing Services is possible even if Indexing Services are not running.
Due to the nature of this vulnerability, it could not be confirmed by a network scan (unless the dangerous tests option was chosen). The server is not vulnerable if any of the following conditions apply:
The "../" string in a pathname usually indicates a parent directory. IIS rejects URLs containing this string, thereby preventing web users from accessing files outside of the web document root directory. However, this safeguard can be averted by:
In Microsoft IIS version 4.0, the DLL files which are executed when .HTR, .IDC, or .STM files are requested have a buffer overflow condition which could allow an attacker to crash the server or execute arbitrary commands on the web server.
This vulnerability could not be confirmed by a remote scan. The server is not vulnerable to this attack if any of the following conditions exist:
If none of the above conditions exist, then the server is probably vulnerable.
CVE 2000-0226
An older buffer overflow affects IIS 4.0's implementation
of chunked encoding and could allow an attacker to cause a
denial of service with a large POST or
PUT command.
When the web server receives a request for a .exe or .com file under an executable directory, the system calls cmd.exe to process the requested program. Anything following the filename in the request is interpreted as a command-line argument. Some arguments, such as an ampersand (&), could cause the remaining arguments to be interpreted as a new command. Thus, if an attacker knows the path and filename of a batch of .cmd file under an executable directory, he or she could run arbitrary commands by sending a specially crafted request for that file.
Similarly, script interpreters such as perl.exe and php.exe, could be tricked into running arbitrary commands by a specially crafted request for the corresponding type of file.
One of the headers that can appear in an http request is Translate: f. This header is supposed to allow FrontPage2000, or any WebDAV compatible client, to retrieve the source code of scriptable pages for editing. Due to a bug, any client can retrieve the source code in this manner.
If good security practices are in use, the source code will not include any sensitive information, making this vulnerability minor. However, many scriptable pages on web servers include passwords or other sensitive information in the source, which could be used by an attacker to launch a more destructive attack.
CVE 2000-0770
CVE 2001-0151
CVE 2001-0507
There are several other vulnerabilities in IIS 4 and 5 which are not
as critical as those listed above, but which still should
be addressed. The first could allow an attacker to gain additional
privileges to a file in IIS 4.0 and 5.0 by sending a specially crafted URL if
a parent directory has less restrictive permissions than the
file. The second could allow an attacker to create a denial
of service against IIS 5.0 by sending a malformed WebDAV request to the
server. The third is a privilege elevation vulnerability
which arises in IIS 5.0 because the table that specifies
which files can be run in-process uses both absolute and relative
path names, allowing a file which is not in the table to
possibly match a file name in the table.
More information on the chunked .HTR processing vulnerability is available in Microsoft Security Bulletin 02-028 and eEye advisory 20020612.
More information on the multiple vulnerabilities in IIS 4.0 through 5.1 is available in CERT Advisory 2002-09, Microsoft Security Bulletin 02-018, and Microsoft Security Bulletin 02-062.
More information on the buffer overflows in IIS 5.0 is available from Microsoft Security Bulletins 01-023 and 01-033, CERT advisories 2001-10 and 2001-13, and eEye advisories AD20010501 and AD20010618. General information on securing IIS 5.0 can be found in the IIS 5 security checklist.
More information on folder traversal using Unicode translation is available from Microsoft Security Bulletin 00-078 and a posting to Bugtraq. More information on folder traversal using double encoding is available from Microsoft Security Bulletin 01-026, NSFOCUS Security Advisory 2001-02, and CERT Advisory 2001-12.
More information on the buffer overflow vulnerability is available from Microsoft Security Bulletin 99-019 and from Microsoft Knowledge Base article Q234905.
More information on the filename inspection vulnerability can be found in Microsoft Security Bulletin 00-086 and NSFOCUS Security Advisory 2000-07.
More information on the specialized header vulnerability is available from Bugtraq and Microsoft Security Bulletin 00-058.
More information on the other vulnerabilities was reported in Microsoft Security Bulletins 00-057, 01-016, and 01-044.