From: Steve (steve@SECURESOLUTIONS.ORG)
Date: Tue May 15 2001 - 18:23:36 CDT


    Just when we all thought X-Force could not come up with anything
    original........

    -Steve

    >
    > -----BEGIN PGP SIGNED MESSAGE-----
    >
    > Internet Security Systems Security Alert
    > May 15, 2001
    >
    > IIS URL Decoding Vulnerability
    >
    > Synopsis:
    >
    > A flaw exists in Microsoft Internet Information Server (IIS) that may allow
    > remote attackers to view directory structures, view and delete files, execute
    > arbitrary commands, and deny service to the server. It is possible for
    > attackers to craft URLs that take advantage of a flaw in IIS URL decoding
    > routines. Security mechanisms within these routines can be bypassed. All
    > recent versions of IIS are affected by this vulnerability.
    >
    > Description:
    >
    > This vulnerability is very similar to the IIS Unicode Translation
    > Vulnerability described at http://xforce.iss.net/alerts/advise68.php. As
    > with the Unicode vulnerability, this is a variation of the common "dot
    > dot" directory traversal attack. Older Web servers were vulnerable to this
    > attack because the ".." directories in URLs allowed attackers to back out
    > of the web root directory. This allowed attackers to navigate the file
    > system or execute commands at will. IIS and most current Web servers have
    > incorporated security measures to prevent the "dot dot" attack. These
    > security measures deny all queries to URLs that contain too many leading
    > slashes or ".." characters. The Unicode vulnerability was a result of
    > improper handling of Unicode encoded ".." and "/" characters. This new
    > vulnerability exploits another flaw in the IIS encoding mechanism that
    > allows a similar result.
    >
    > When IIS receives a query on a server-side script, it performs a decoding
    > pass on the request. The string is decoded into canonical form and
    > numerous security checks are performed to ensure the request is valid. A
    > second decoding routine is run on the request to parse the parameters
    > after the filename. IIS mistakenly parses the filename again with these
    > additional parameters. This flaw allows specially crafted requests which
    > include ".." and "/" characters to bypass security checks.
    >
    > All queries are processed under the IUSR_machine context, which is part of
    > the 'Everyone' and 'Users' group. This provides access to the web
    > directory and most non-administrative functions. Attackers may not
    > directly modify or delete files owned by the Administrator, nor run
    > commands with privilege.
    >
    > By crafting a request after a virtual directory with execute permissions, it
    > is possible for an attacker to execute arbitrary commands. Attackers may
    > then have the ability to manipulate the appearance of the Web site,
    > download sensitive data, or install backdoor software.
    >
    > This class of IIS vulnerabilities is well known and lends itself to being
    > widely exploited by incorporation into worms and automatic scanning tools.
    >
    > Affected Versions:
    >
    > Microsoft IIS 4.0
    > Microsoft IIS 5.0
    >
    > Older versions of IIS are not vulnerable.
    >
    > Recommendations:
    >
    > Please refer to the following Microsoft Bulletins for information on the
    > patches:
    >
    > Microsoft IIS 4.0:
    > http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787
    > Microsoft IIS 5.0:
    > http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764
    >
    >
    > ISS RealSecure Intrusion Detection customers may use following
    > user-defined signature to detect exploitation attempts. Follow the
    > instructions below to apply the user-defined signature to your policy.
    >
    > - From the Sensor window:
    > 1. Right-click on the sensor and select 'Properties'.
    > 2. Choose a policy you want to use, and click 'Customize'.
    > 3. Select the 'User Defined Events' tab.
    > 4. Click 'Add' on the right hand side of the dialog box.
    > 5. Create a User Defined Event.
    > 6. Type in a name of the event, such as "IIS URL Decoding Vulnerability".
    > 7. In the 'Context' field for the event, select 'URL_Data'. In the 'String'
    > field, type the following string:
    > %5c|%2e|%2f
    > 9. Click 'Save', and then 'Close'.
    > 10. Click 'Apply to Sensor' or 'Apply to Engine', depending on the version of
    > RealSecure you are using.
    >
    > This signature detects all publicly known versions of this attack. It looks
    > for the strings "%5c", "%2e", or "%2f" in a HTTP GET request. These
    > strings show up in requests that attempt to exploit this vulnerability.
    > RealSecure decodes all of the escaped characters in the request before
    > passing it on to the user-defined signatures.
    >
    > The ISS X-Force will provide additional functionality to detect this
    > vulnerability in upcoming X-Press Updates for RealSecure and System
    > Scanner.
    >
    > Additional Information:
    >
    > Please refer to the Microsoft Security Bulletin on this vulnerability:
    > http://www.microsoft.com/technet/security/bulletin/MS01-026.asp
    >
    > The Common Vulnerabilities and Exposures (CVE) project has assigned the name
    > CAN-2001-0333 to this issue. This is a candidate for inclusion in the CVE
    > list (http://cve.mitre.org), which standardizes names for security
    > problems.
    >
    > ______
    >
    > About Internet Security Systems (ISS)
    >
    > Internet Security Systems, Inc. is a leading global provider of security
    > management solutions for the Internet, protecting digital assets and
    > ensuring safe and uninterrupted e-business. With its industry-leading
    > intrusion detection and vulnerability assessment, remote managed security
    > services, and strategic consulting and education offerings, ISS is a
    > trusted security provider to more than 8,000 customers worldwide including
    > 21 of the 25 largest U.S. commercial banks and the top 10 U.S.
    > telecommunications companies. Founded in 1994, ISS is headquartered in
    > Atlanta, GA, with additional offices throughout North America and
    > international operations in Asia, Australia, Europe, Latin America and the
    > Middle East. For more information, visit the Internet Security Systems
    > web site at www.iss.net or call 888-901-7477.
    >
    >
    > Copyright (c) 2001 Internet Security Systems, Inc.
    >
    > Permission is hereby granted for the redistribution of this Alert
    > electronically. It is not to be edited in any way without express consent of
    > the X-Force. If you wish to reprint the whole or any part of this Alert in
    > any other medium excluding electronic medium, please e-mail xforce@iss.net
    > for permission.
    >
    >
    > Disclaimer
    >
    > The information within this paper may change without notice. Use of this
    > information constitutes acceptance for use in an AS IS condition. There are
    > NO warranties with regard to this information. In no event shall the author
    > be liable for any damages whatsoever arising out of or in connection with
    > the use or spread of this information. Any use of this information is at the
    > user's own risk.
    >
    >
    > X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
    > as well as on MIT's PGP key server and PGP.com's key server.
    >
    > Please send suggestions, updates, and comments to: X-Force
    > xforce@iss.net of Internet Security Systems, Inc.
    >
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: 2.6.3a
    > Charset: noconv
    >
    > iQCVAwUBOwF54zRfJiV99eG9AQH92wP+OiuSNiS8RjtzxITB7kCTrzsQbatpFNwQ
    > e/DfDd6m7HKqcyW2XRHKspRdMJpfQYOv2IZ32+Wxnctbir7qO/leeSOtZZmpxrGZ
    > ateXoWFMcdqYN8A3V6MzumK0qxXWQeXnJZysGJiYsWxZfnIpBdopV5KE5ZUBYFRE
    > vJB3buUg5uU=
    > =pj+e
    > -----END PGP SIGNATURE-----
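
The two passages above that matter to a practitioner are the description of the
decoding flaw (decode, run the security checks, then decode the filename a
second time together with the parameters) and the RealSecure user-defined
signature (decode the request once, then look for a literal "%5c", "%2e" or
"%2f"). The Python below is an added illustration of both; it is not part of
Steve's post, not IIS source and not ISS code. The virtual directory layout,
the sample requests, the shape of the "dot dot" check and the case-insensitive
matching in the signature are all assumptions made for the example.

```python
"""Model of the IIS double-decoding flaw and of the advisory's IDS string.

Constructed illustration, not IIS or ISS code: the directory layout, the
request strings and the exact form of the 'dot dot' check are assumptions.
"""
import ntpath
import re
from urllib.parse import unquote

# Assumed layout: a web root plus an execute-enabled virtual directory.
VDIRS = {
    "/scripts": r"C:\Inetpub\scripts",   # assumed: virtual directory with execute permission
    "/": r"C:\Inetpub\wwwroot",          # assumed web root
}

# Constructed sample requests (double-encoded, single-encoded, benign).
EXPLOIT = "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir"
SINGLE_ENCODED = "/scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+dir"
BENIGN = "/default.asp?id=1"


def has_dot_dot(url_path):
    """The 'dot dot' security check as modelled here: reject any '..' path
    component. Only '/' and a literal backslash count as separators, so the
    component '..%5c..%5cwinnt' is one opaque filename and passes."""
    return any(part == ".." for part in re.split(r"[/\\]", url_path))


def map_to_filesystem(url_path):
    """Map a decoded URL path to (vdir_root, filesystem_path), longest prefix first."""
    for prefix in sorted(VDIRS, key=len, reverse=True):
        if url_path == prefix or url_path.startswith(prefix.rstrip("/") + "/"):
            base = VDIRS[prefix]
            rel = url_path[len(prefix):].lstrip("/").replace("/", "\\")
            return base, ntpath.normpath(ntpath.join(base, rel))
    raise ValueError("no virtual directory for " + url_path)


def vulnerable_iis(request):
    """Flawed pipeline from the advisory: decode, check, then decode the
    filename again along with the parameters. Returns the filesystem path
    the server would act on, or None if the check rejected the request."""
    url_path, _, _params = request.partition("?")
    once = unquote(url_path)                 # pass 1: canonical form
    if has_dot_dot(once):
        return None                          # security checks see only this form
    twice = unquote(once)                    # pass 2: meant for the parameters,
    _, fs_path = map_to_filesystem(twice)    # but applied to the filename too
    return fs_path


def fixed_iis(request):
    """Decode exactly once and validate the fully resolved filesystem path
    against the virtual directory root it was mapped from."""
    url_path, _, _params = request.partition("?")
    decoded = unquote(url_path)
    base, fs_path = map_to_filesystem(decoded)
    inside = fs_path.lower() == base.lower() or \
        fs_path.lower().startswith(base.lower() + "\\")
    if has_dot_dot(decoded) or not inside:
        return None
    return fs_path


def realsecure_signature_hit(request):
    """The advisory's user-defined string '%5c|%2e|%2f', applied the way the
    advisory says RealSecure applies it: escapes are decoded once first, so a
    double-encoded %255c leaves a literal '%5c' behind for the match.
    Case-insensitive matching is this example's choice, not the advisory's."""
    decoded_once = unquote(request).lower()
    return any(tok in decoded_once for tok in ("%5c", "%2e", "%2f"))


if __name__ == "__main__":
    for req in (EXPLOIT, SINGLE_ENCODED, BENIGN):
        print(req)
        print("  vulnerable ->", vulnerable_iis(req))
        print("  fixed      ->", fixed_iis(req))
        print("  IDS match  ->", realsecure_signature_hit(req))
```

Running it shows why the double encoding is needed: the single-encoded
request is already caught by the existing check, while the %255c form passes
that check as an opaque filename and only becomes "..\..\" on the second pass,
resolving outside the virtual directory. The signature fires on exactly the
requests that carry a residual %5c/%2e/%2f after one decoding, which is the
same property the exploit relies on.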
