From: Steve (steve@SECURESOLUTIONS.ORG)
Date: Tue May 15 2001 - 18:23:36 CDT
Just when we all thought X-Force could not come up with anything
> -----BEGIN PGP SIGNED MESSAGE-----
> Internet Security Systems Security Alert
> May 15, 2001
> IIS URL Decoding Vulnerability
> A flaw exists in Microsoft Internet Information Server (IIS) that may allow
> remote attackers to view directory structures, view and delete files, execute
> arbitrary commands, and deny service to the server. It is possible for
> attackers to craft URLs that take advantage of a flaw in IIS URL decoding
> routines. Security mechanisms within these routines can be bypassed. All
> recent versions of IIS are affected by this vulnerability.
> This vulnerability is very similar to the IIS Unicode Translation
> Vulnerability described at http://xforce.iss.net/alerts/advise68.php. As
> with the Unicode vulnerability, this is a variation of the common "dot
> dot" directory traversal attack. Older Web servers were vulnerable to this
> attack because the ".." directories in URLs allowed attackers to back out
> of the web root directory. This allowed attackers to navigate the file
> system or execute commands at will. IIS and most current Web servers have
> incorporated security measures to prevent the "dot dot" attack. These
> security measures deny all queries to URLs that contain too many leading
> slashes or ".." characters. The Unicode vulnerability was a result of
> improper handling of Unicode encoded ".." and "/" characters. This new
> vulnerability exploits another flaw in the IIS encoding mechanism that
> allows a similar result.
> When IIS receives a query on a server-side script, it performs a decoding
> pass on the request. The string is decoded into canonical form and
> numerous security checks are performed to ensure the request is valid. A
> second decoding routine is run on the request to parse the parameters
> after the filename. IIS mistakenly parses the filename again with these
> additional parameters. This flaw allows specially crafted requests which
> include ".." and "/" characters to bypass security checks.
> All queries are processed under the IUSR_machine context, which is part of
> the 'Everyone' and 'Users' group. This provides access to the web
> directory and most non-administrative functions. Attackers may not
> directly modify or delete files owned by the Administrator, nor run
> commands with privilege.
> By crafting a request after a virtual directory with execute permissions, it
> is possible for an attacker to execute arbitrary commands. Attackers may
> then have the ability to manipulate the appearance of the Web site,
> download sensitive data, or install backdoor software.
> This class of IIS vulnerabilities is well known and lends itself to being
> widely exploited by incorporation into worms and automatic scanning tools.
> Affected Versions:
> Microsoft IIS 4.0
> Microsoft IIS 5.0
> Older versions of IIS are not vulnerable.
> Please refer to the following Microsoft Bulletins for information on the
> Microsoft IIS 4.0:
> Microsoft IIS 5.0:
> ISS RealSecure Intrusion Detection customers may use the following
> user-defined signature to detect exploitation attempts. Follow the
> instructions below to apply the user-defined signature to your policy.
> - From the Sensor window:
> 1. Right-click on the sensor and select 'Properties'.
> 2. Choose a policy you want to use, and click 'Customize'.
> 3. Select the 'User Defined Events' tab.
> 4. Click 'Add' on the right hand side of the dialog box.
> 5. Create a User Defined Event.
> 6. Type in a name of the event, such as "IIS URL Decoding Vulnerability".
> 7. In the 'Context' field for the event, select 'URL_Data'. In the
> field, type the following string:
> 9. Click 'Save', and then 'Close'.
> 10. Click 'Apply to Sensor' or 'Apply to Engine', depending on the version of
> RealSecure you are using.
> This signature detects all publicly known versions of this attack. It looks
> for the strings "%5c", "%2e", or "%2f" in a HTTP GET request. These
> strings show up in requests that attempt to exploit this vulnerability.
> RealSecure decodes all of the escaped characters in the request before
> passing it on to the user-defined signatures.
> The ISS X-Force will provide additional functionality to detect this
> vulnerability in upcoming X-Press Updates for RealSecure and System
> Additional Information:
> Please refer to the Microsoft Security Bulletin on this vulnerability:
> The Common Vulnerabilities and Exposures (CVE) project has assigned the name
> CAN-2001-0333 to this issue. This is a candidate for inclusion in the CVE
> list (http://cve.mitre.org), which standardizes names for security
> About Internet Security Systems (ISS)
> Internet Security Systems, Inc. is a leading global provider of security
> management solutions for the Internet, protecting digital assets and
> ensuring safe and uninterrupted e-business. With its industry-leading
> intrusion detection and vulnerability assessment, remote managed security
> services, and strategic consulting and education offerings, ISS is a
> trusted security provider to more than 8,000 customers worldwide including
> 21 of the 25 largest U.S. commercial banks and the top 10 U.S.
> telecommunications companies. Founded in 1994, ISS is headquartered in
> Atlanta, GA, with additional offices throughout North America and
> international operations in Asia, Australia, Europe, Latin America and the
> Middle East. For more information, visit the Internet Security Systems
> web site at www.iss.net or call 888-901-7477.
> Copyright (c) 2001 Internet Security Systems, Inc.
> Permission is hereby granted for the redistribution of this Alert
> electronically. It is not to be edited in any way without express consent of
> the X-Force. If you wish to reprint the whole or any part of this Alert in
> any other medium excluding electronic medium, please e-mail xforce@iss.net
> for permission.
> The information within this paper may change without notice. Use of this
> information constitutes acceptance for use in an AS IS condition. There are
> NO warranties with regard to this information. In no event shall the author
> be liable for any damages whatsoever arising out of or in connection with
> the use or spread of this information. Any use of this information is at the
> user's own risk.
> X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
> as well as on MIT's PGP key server and PGP.com's key server.
> Please send suggestions, updates, and comments to: X-Force
> xforce@iss.net of Internet Security Systems, Inc.
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3a
> Charset: noconv
> -----END PGP SIGNATURE-----
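The decode-check-decode sequence the alert describes, modelled as an added example (this is not IIS code, nor part of the ISS alert or the post above). A flawed handler percent-decodes the request path once, runs the "dot dot" check on the result, then decodes the filename a second time before using it, so "..%255c" (or "..%%35c") passes the check as the harmless component "..%5c" and only becomes "..\" afterwards. Beside it is a handler that checks exactly the string it serves, and a detector that mimics the alert's RealSecure signature: decode the escapes once, then look for "%5c", "%2e" or "%2f" still present in a GET request. The web root, the file table and the request lines are constructed for the example, and the path layout (cmd.exe three levels above the web root) is an assumption.

```python
"""Double decoding in a toy IIS-style request handler, plus the one-decode-then-
match heuristic from the ISS alert.  Added example, not IIS or ISS code."""
import re
from urllib.parse import unquote

# Constructed web root, as a tuple of path components (assumption).
WEB_ROOT = ("inetpub", "wwwroot")

# Constructed filesystem: absolute path -> contents (assumption).
FILES = {
    "/inetpub/wwwroot/default.htm": "<html>hello</html>",
    "/inetpub/wwwroot/scripts/test.asp": "<% Response.Write 1 %>",
    "/winnt/system32/cmd.exe": "MZ...",   # outside the web root
}


def canonicalize(path):
    """Resolve '.' and '..' in a decoded request path against WEB_ROOT.

    Both '/' and '\\' count as separators, as IIS treats them.  Returns the
    absolute path as a tuple of components; '..' above '/' is dropped.
    """
    segs = list(WEB_ROOT)
    for seg in re.split(r"[\\/]", path):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segs:
                segs.pop()
        else:
            segs.append(seg)
    return tuple(segs)


def under_web_root(segs):
    """The 'dot dot' security check: does the canonical path stay in WEB_ROOT?"""
    return segs[: len(WEB_ROOT)] == WEB_ROOT


def serve(segs):
    """Look the canonical path up in the constructed filesystem."""
    path = "/" + "/".join(segs)
    return ("200", path) if path in FILES else ("404", path)


def vulnerable_handle(url):
    """The flawed pipeline: decode, check, decode the filename again, use it."""
    filename = url.split("?", 1)[0]
    once = unquote(filename)                  # first decoding pass
    if not under_web_root(canonicalize(once)):
        return ("403", None)                  # plain ..\ or ..%5c is caught here
    twice = unquote(once)                     # the mistaken second pass
    return serve(canonicalize(twice))         # ..%5c has now become ..\


def fixed_handle(url):
    """Check and serve the same decoded string; never decode a second time."""
    filename = url.split("?", 1)[0]
    segs = canonicalize(unquote(filename))
    if not under_web_root(segs):
        return ("403", None)
    return serve(segs)


# The alert's user-defined signature: RealSecure decodes the escapes once before
# matching, so any %5c, %2e or %2f still present means the URL was double-encoded.
DOUBLE_ENCODED = re.compile(r"%(5c|2e|2f)", re.IGNORECASE)


def signature_hits(request_line):
    """Return True if a raw HTTP request line would trip the signature."""
    method, url, _version = request_line.split(" ", 2)
    if method != "GET":
        return False
    return DOUBLE_ENCODED.search(unquote(url)) is not None


# Constructed request lines (not captured traffic).
REQUESTS = [
    "GET /default.htm HTTP/1.0",
    "GET /scripts/..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir HTTP/1.0",        # single-encoded
    "GET /scripts/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0",  # %25 -> '%'
    "GET /scripts/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir HTTP/1.0",  # %35 -> '5'
]

if __name__ == "__main__":
    for line in REQUESTS:
        url = line.split(" ")[1]
        print(f"{line}\n  vulnerable={vulnerable_handle(url)}  fixed={fixed_handle(url)}"
              f"  signature={signature_hits(line)}")
```

Running the script shows the single-encoded request blocked by both handlers, the two double-encoded requests reaching cmd.exe only through the vulnerable handler, and the signature firing on exactly those two: it never sees the single-encoded traversal, because after one decoding pass nothing encoded is left in it, which is why the alert calls it a detector for this attack and not for the earlier Unicode one.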