CERT Vulnerability Note VU#789543
History: May 15, 2001 - 12:00 a.m.

IIS decodes filenames superfluously after applying security checks

Published: 2001-05-15 00:00:00
Source: www.kb.cert.org

CVSS2 base score: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.05 Low (percentile 92.7%)

Overview

Microsoft IIS decodes filenames after applying security checks, allowing an attacker to execute commands.

Description

To accommodate complex URIs, RFC 2396 specifies a means to encode arbitrary octets using hexadecimal characters and the percent sign (%). Quoting from RFC 2396:

An escaped octet is encoded as a character triplet, consisting of the percent character “%” followed by the two hexadecimal digits representing the octet code. For example, “%20” is the escaped encoding for the US-ASCII space character.

escaped = "%" hex hex
hex = digit | "A" | "B" | "C" | "D" | "E" | "F"

This makes it possible to express certain characters and strings unambiguously, but it requires the server to decode the information provided in a URI. Thus, if an HTTP server is provided a reference to a filename encoded as follows:

A%20Filename%20With%20Spaces

it will decode each occurrence of %20 to a space, and then it will try to find a file named

A Filename With Spaces

This is a fundamental feature of HTTP servers, and is not specific to IIS in any way.

Any octet can be encoded in this way, including “normal” characters like “.” (dot). Thus an intruder could attempt to access files outside of the web folders by encoding relative path references in this scheme. IIS includes checks for “illegal” URIs even after they have been decoded.

However, IIS decodes filenames twice. After the first decoding, IIS applies security checks to see if access to the specified file is permitted. The second decoding, which is superfluous, may produce a reference to a file outside the web folders, and it happens after the security checks (which examined only the result of the first decoding) have already passed.
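The following is an added illustration of the order-of-operations flaw described above; it is not code from the advisory or from IIS. It assumes a simplified traversal check and constructed sample URIs, and its hardened variant rejects any URI that still contains percent-escapes after one decode rather than decoding it a second time.

```python
from urllib.parse import unquote

# Constructed sample requests (not taken from the advisory): a plain path,
# a single-encoded path, and a path whose dots are percent-encoded twice.
SAMPLE_PATHS = [
    "/scripts/report.asp",
    "/docs/A%20Filename%20With%20Spaces",
    "/scripts/%252e%252e/private.txt",
]


def has_traversal(path: str) -> bool:
    """Simplified security check: reject any '..' path segment."""
    segments = path.replace("\\", "/").split("/")
    return any(seg == ".." for seg in segments)


def resolve_check_then_decode(raw: str) -> tuple[str, bool]:
    """Flawed order described in the advisory: decode once, run the check,
    then decode again before opening the file.
    Returns (path that would actually be opened, check passed?)."""
    once = unquote(raw)
    allowed = not has_traversal(once)
    final = unquote(once)  # superfluous second decode, after the check
    return final, allowed


def resolve_decode_then_check(raw: str) -> tuple[str, bool]:
    """Hardened order: the check runs on exactly the path that will be
    opened. A URI that still changes under a further decode carries a
    second layer of encoding and is refused outright."""
    once = unquote(raw)
    if unquote(once) != once:
        return once, False
    return once, not has_traversal(once)


def audit(paths: list[str]) -> list[tuple[str, bool, bool]]:
    """For each sample: (path opened by flawed order, flawed verdict, hardened verdict)."""
    results = []
    for raw in paths:
        opened, flawed_ok = resolve_check_then_decode(raw)
        _, hardened_ok = resolve_decode_then_check(raw)
        results.append((opened, flawed_ok, hardened_ok))
    return results


if __name__ == "__main__":
    for raw, (opened, flawed_ok, hardened_ok) in zip(SAMPLE_PATHS, audit(SAMPLE_PATHS)):
        print(f"{raw:40} opens {opened:30} flawed={flawed_ok} hardened={hardened_ok}")
```

The third sample passes the flawed check (the first decode leaves "%2e%2e", which is not "..") yet is opened as "/scripts/../private.txt" after the second decode; the hardened order refuses it.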

For more information, see Microsoft Security Bulletin MS01-026.

Impact

Remote users can execute arbitrary commands with the privileges of the IUSR_machinename account.


Solution

Update your version of IIS according to the instructions in http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787 (for IIS 4.0) and http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764 (for IIS 5.0).


Vendor Information


Microsoft: Affected

Updated: May 15, 2001

Status

Affected

Vendor Statement

See http://www.microsoft.com/technet/security/bulletin/MS01-026.asp.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This vulnerability has characteristics very similar to VU#111677, which has been widely exploited. We very strongly encourage IIS administrators to update as quickly as possible.



Acknowledgements

Our thanks to NSfocus who originally discovered this problem. Their original advisory can be found at http://www.nsfocus.com/english/homepage/sa01-02.htm.

This document was written by Shawn V. Hernan.

Other Information

CVE IDs: CVE-2001-0333
Severity Metric: 79.31
Date Public: