There’s a buffer overflow in the remote web server through the ISAPI filter.
It is possible to overflow the remote web server and execute commands as user SYSTEM.
Additionally, other vulnerabilities exist in the remote web server since it has not been patched.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# This script was written by Renaud Deraison <[email protected]>
# It was modified by H D Moore to not crash the server during the test
#
# Supercedes MS01-033
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(10685);
script_version("1.52");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id(
"CVE-2001-0500",
"CVE-2001-0506",
"CVE-2001-0507",
"CVE-2001-0508",
"CVE-2001-0544",
"CVE-2001-0545"
);
script_bugtraq_id(
2690,
2880,
3190,
3193,
3194,
3195
);
script_xref(name:"MSFT", value:"MS01-033");
script_xref(name:"MSFT", value:"MS01-044");
script_xref(name:"MSKB", value:"294774");
script_xref(name:"MSKB", value:"297860");
script_xref(name:"MSKB", value:"298340");
script_xref(name:"MSKB", value:"300972");
script_xref(name:"MSKB", value:"301625");
script_xref(name:"MSKB", value:"304867");
script_xref(name:"MSKB", value:"305359");
script_name(english:"Microsoft IIS ISAPI Filter Multiple Vulnerabilities (MS01-044)");
script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"There's a buffer overflow in the remote web server through
the ISAPI filter.
It is possible to overflow the remote web server and execute
commands as user SYSTEM.
Additionally, other vulnerabilities exist in the remote web
server since it has not been patched.");
script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-033");
script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-044");
script_set_attribute(attribute:"solution", value:
"Apply the patches from the bulletins above.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'MS01-033 Microsoft IIS 5.0 IDQ Path Overflow');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:"CANVAS");
script_set_attribute(attribute:"vuln_publication_date", value:"2001/05/06");
script_set_attribute(attribute:"patch_publication_date", value:"2001/06/18");
script_set_attribute(attribute:"plugin_publication_date", value:"2001/06/19");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:iis");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"Web Servers");
script_copyright(english:"This script is Copyright (C) 2001-2022 Tenable Network Security, Inc.");
script_dependencies("find_service1.nasl", "http_version.nasl", "www_fingerprinting_hmap.nasl");
script_require_ports("Services/www", 80);
exit(0);
}
# The attack starts here
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
port = get_http_port(default:80);
b = get_http_banner(port: port);
if ("IIS" >!< h ) exit(0);
w = http_send_recv3(method: "GET", port: port,
item: "/x.ida?"+crap(length:220, data:"x")+"=x");
if (isnull(w)) exit(1, "the web server did not answer");
r = strcat(w[0], w[1], '\r\n', w[2]);
# 0xc0000005 == "Access Violation"
if ("0xc0000005" >< r)
{
security_hole(port);
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0500
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0506
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0507
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0508
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0544
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0545
docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-033
docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-044