Microsoft IIS Vulnerabilities
Updated 10/22/02
CVE 1999-0191
CAN 1999-0736
CAN 1999-0738
CAN 1999-0739
Impact
Remote users can view files to which they should not have access or cause a denial of service.
Background
Microsoft IIS includes sample web sites to assist web developers.
It also includes the files CodeBrws.asp,
Code.asp, and Showcode.asp to allow
web developers to view the code that makes the sample web sites work.
The Problem
CAN 1999-0736
CAN 1999-0738
CAN 1999-0739
These three ASP files (CodeBrws.asp, Code.asp, and
Showcode.asp) could allow a remote user to view any files
on the same logical disk as the ASP files.
In order to exploit the vulnerability, an attacker would need to
know the name and path of the file to view. Also, files whose
access control lists deny read access could not be viewed by exploiting
this vulnerability. IIS 4.0 is affected by this vulnerability.
IIS 5.0 includes a fix, but arbitrary files can still be viewed
by using the Unicode representation of the dot-dot-slash string.
CVE 1999-0191
The newdsn.exe program which is included
in Microsoft IIS 3.0 is used for Microsoft Access
data source creation. However, it is accessible remotely,
and there is insufficient validation of the requested
file name, thereby allowing remote attackers to create
database (*.mdb) files anywhere on the
hard drive, or to overwrite arbitrary files. An attacker
could exploit this capability to cause a denial of service.
Resolutions
Delete the following files. They are
for demonstration purposes only and there is usually no need
for them on an operational web server. (IIS_DIRECTORY
is the path to the directory containing the IIS files.)
- IIS_DIRECTORY\iissamples\Exair\Howitworks\Code.asp
- IIS_DIRECTORY\iissamples\Exair\Howitworks\Codebrws.asp
- IIS_DIRECTORY\iissamples\Sdk\Asp\Docs\Codebrws.asp
- \Program_Files\Common_Files\System\Msadc\Samples\Selector\Showcode.asp
- IIS_DIRECTORY\scripts\tools\newdsn.exe
If these files are needed on your web server, then set the
access control list for these files to allow access only by authorized users.
It would also be a good idea to install the hotfix described in
Microsoft Knowledge Base article Q232449 on IIS 4.0 servers, but
keep in mind that it doesn't prevent exploitation using
Unicode encoded characters.
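One way to confirm that the files listed above are gone, as an added example that is not part of the original advisory: a Python script that looks for each listed file without regard to letter case, so it gives the same answer on a live server and on a mounted copy of its disk. The two base directories are supplied by the caller, and the function names are illustrative assumptions.

```python
import os
from pathlib import PureWindowsPath

# Relative paths copied from the removal list above. The base directory each
# one hangs off is an argument, because it differs from server to server.
IIS_RELATIVE = [
    r"iissamples\Exair\Howitworks\Code.asp",
    r"iissamples\Exair\Howitworks\Codebrws.asp",
    r"iissamples\Sdk\Asp\Docs\Codebrws.asp",
    r"scripts\tools\newdsn.exe",
]
COMMON_FILES_RELATIVE = [r"System\Msadc\Samples\Selector\Showcode.asp"]


def resolve_nocase(base, relative):
    """Return the on-disk path matching `relative` under `base`, ignoring case, or None."""
    current = base
    for part in PureWindowsPath(relative).parts:
        try:
            entries = os.listdir(current)
        except OSError:  # missing directory, not a directory, or unreadable
            return None
        match = next((e for e in entries if e.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current if os.path.isfile(current) else None


def find_sample_files(iis_dir, common_files_dir):
    """List every file from the removal list that is still present."""
    found = []
    for base, relatives in ((iis_dir, IIS_RELATIVE),
                            (common_files_dir, COMMON_FILES_RELATIVE)):
        for rel in relatives:
            hit = resolve_nocase(base, rel)
            if hit:
                found.append(hit)
    return found


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: audit.py IIS_DIRECTORY COMMON_FILES_DIRECTORY")
    leftovers = find_sample_files(sys.argv[1], sys.argv[2])
    for path in leftovers:
        print("still present:", path)
    sys.exit(1 if leftovers else 0)
```

The script exits with status 1 when any listed file remains, so it can gate a hardening checklist or a scheduled audit.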
Where can I read more about this?
More information on the vulnerabilities in Code.asp,
Codebrws.asp, and Showcode.asp is available
from Microsoft Knowledge Base article
Q232449 and Microsoft Security Bulletin
99-013. More information on the Unicode exploit is available
from Bugtraq.
More information on the newdsn.exe
vulnerability can be found in
Bugtraq.