Microsoft IIS Vulnerabilities

Updated 10/22/02
CVE 1999-0191
CAN 1999-0736
CAN 1999-0738
CAN 1999-0739

Impact

Remote users can view files to which they should not have access or cause a denial of service.

Background

Microsoft IIS includes sample web sites to assist web developers. It also includes the files CodeBrws.asp, Code.asp, and Showcode.asp to allow web developers to view the code that makes the sample web sites work.

The Problem

CAN 1999-0736
CAN 1999-0738
CAN 1999-0739
These three ASP files (CodeBrws.asp, Code.asp, and Showcode.asp) could allow a remote user to view any files on the same logical disk as the ASP files. In order to exploit the vulnerability, an attacker would need to know the name and path of the file to view. Also, files whose access control lists deny read access could not be viewed by exploiting this vulnerability. IIS 4.0 is affected by this vulnerability. IIS 5.0 includes a fix, but arbitrary files can still be viewed by using the Unicode representation of the dot-dot-slash string.

CVE 1999-0191
The newdsn.exe program, which is included in Microsoft IIS 3.0, is used for Microsoft Access data source creation. However, it is accessible remotely, and there is insufficient validation of the requested file name, thereby allowing remote attackers to create database (*.mdb) files anywhere on the hard drive, or to overwrite arbitrary files. An attacker could exploit this capability to create a denial of service.

Resolutions

Delete the following files. They are for demonstration purposes only and there is usually no need for them on an operational web server. (IIS_DIRECTORY is the path to the directory containing the IIS files.) If these files are needed on your web server, then set the access control list for these files to allow access only by authorized users. It would also be a good idea to install the hotfix described in Microsoft Knowledge Base article Q232449 on IIS 4.0 servers, but keep in mind that it doesn't prevent exploitation using Unicode-encoded characters.
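To confirm that the files are gone or no longer reachable, the web server log can be checked for requests to them. The following Python script is an added example, not part of the original advisory: it scans a W3C extended format log for requests to the four files named above and marks those whose query string contains a dot-dot sequence or percent-escaped non-ASCII bytes. The log lines, directory paths, the parameter name "f" and the client addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote

# File names taken from the advisory; matching is case-insensitive.
SAMPLE_FILES = {"codebrws.asp", "code.asp", "showcode.asp", "newdsn.exe"}
# Percent-escaped bytes >= 0x80: how non-ASCII forms of a path arrive in a URL.
HIGH_BYTE_ESCAPE = re.compile(r"%[89a-f][0-9a-f]", re.IGNORECASE)

def classify(stem, query):
    """Return the findings for one request, or [] if it is not of interest."""
    name = stem.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name not in SAMPLE_FILES:
        return []
    findings = ["sample-file-request"]
    decoded = query
    for _ in range(2):  # undo up to two layers of percent-encoding
        decoded = unquote(decoded, encoding="latin-1")
    if ".." in decoded:
        findings.append("dot-dot-in-query")
    if HIGH_BYTE_ESCAPE.search(query):
        findings.append("non-ascii-escape-in-query")
    return findings

def scan(lines):
    """Parse W3C extended log lines; return (line_no, client, stem, findings)."""
    fields, hits = [], []
    for no, line in enumerate(lines, 1):
        line = line.strip()
        if line.startswith("#Fields:"):  # directive naming the columns
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        found = classify(rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "-"))
        if found:
            hits.append((no, rec.get("c-ip", "?"), rec["cs-uri-stem"], found))
    return hits

# Constructed sample log; every path, parameter and address is made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-10-22 10:00:01 192.0.2.10 GET /index.htm - 200
2002-10-22 10:00:05 192.0.2.44 GET /example/Showcode.asp f=/example/../../somefile.txt 200
2002-10-22 10:00:09 192.0.2.44 GET /example/CODEBRWS.ASP f=/example/%2e%2e/x.txt 200
2002-10-22 10:00:12 192.0.2.44 GET /example/code.asp f=/example/%ff%fe/x.txt 200
2002-10-22 10:00:20 192.0.2.77 GET /tools/newdsn.exe - 200
""".splitlines()

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Any "sample-file-request" hit with a 200 status means the file is still present and served; the other two findings mark requests that deserve a closer look.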

Where can I read more about this?

More information on the vulnerabilities in Code.asp, Codebrws.asp, and Showcode.asp is available from Microsoft Knowledge Base article Q232449 and Microsoft Security Bulletin 99-013. More information on the Unicode exploit is available from Bugtraq.

More information on the newdsn.exe vulnerability can be found in Bugtraq.