MS00-019: Microsoft IIS ISAPI Virtual Directory UNC Mapping ASP Source Disclosure (uncredentialed check)
2003-03-23T00:00:00
ID IIS_UNC_MAPPED_VIRT_HOST_VULN.NASL Type nessus Reporter (C) 2003-2020 tony@libpcap.net Modified 2003-03-23T00:00:00
Description
It is possible to get the source code of the remote ASP scripts which
are hosted on a mapped network share by appending '%5c' (a URL-encoded
backslash) to the end of the requested path. ASP source code usually
contains sensitive information such as logins and passwords.
#
# tony@libpcap.net
# http://libpcap.net
#
# See the Nessus Scripts License for details
include("compat.inc");
# Registration pass: when `description` is set the plugin only declares its
# metadata and then exits, so none of the HTTP probing below runs in this pass.
if(description) {
# Plugin identity and revision.
script_id(11443);
script_version("1.29");
script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
# Cross-references for the issue this plugin reports.
script_cve_id("CVE-2000-0246");
script_bugtraq_id(1081);
script_xref(name:"MSFT", value:"MS00-019");
script_xref(name:"MSKB", value:"249599");
script_name(english:"MS00-019: Microsoft IIS ISAPI Virtual Directory UNC Mapping ASP Source Disclosure (uncredentialed check)");
# NOTE(review): the summary mentions .HTR, but the probe list in the check
# body only requests paths ending in .asp.
script_summary(english:"Checks IIS for .ASP/.HTR backslash vulnerability.");
script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by an information disclosure flaw.");
script_set_attribute(attribute:"description", value:
"It is possible to get the source code of the remote ASP scripts which
are hosted on a mapped network share by appending '%5c' to the end of
the request. ASP source code usually contains sensitive information
such as logins and passwords.");
script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-019");
# NOTE(review): the solution text names no specific patch; the only fix
# reference is the MS00-019 bulletin linked in see_also above.
script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for IIS 4.0 and 5.0.");
# NOTE(review): this base vector uses AC:M, while the NVD record for
# CVE-2000-0246 quoted elsewhere on this page uses AC:L - confirm which
# rating is intended before relying on the score for prioritisation.
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2000/03/30");
script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/23");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:iis");
# Closes the run of script_set_attribute() declarations above.
script_end_attributes();
script_copyright(english:"(C) 2003-2020 tony@libpcap.net");
# Declared as an information-gathering check in the "Web Servers" family.
script_category(ACT_GATHER_INFO);
script_family(english:"Web Servers");
# Declared against a detected web service, or port 80.
script_require_ports("Services/www", 80);
# The check body reads the KB key "Services/www/ms00-058-missing" and the
# "www/<port>/content/extensions/asp" list; presumably one of these
# dependencies (or an earlier plugin) populates them - confirm.
script_dependencies("http_version.nasl", "www_fingerprinting_hmap.nasl", "translate_f.nasl");
# Registration is complete; stop before the check logic.
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http_func.inc");
include("http_keepalive.inc");
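# Check body: decide whether the web server on `port` returns ASP source when
# an encoded backslash ("%5C") is appended to the requested path.
#
# Outcomes:
#   - exits silently when the KB says the hotfix is installed, when the server
#     cannot host ASP, or when a probe gets no response;
#   - reports via security_warning(port) when the KB says the hotfix is
#     missing, or when a probe response looks like raw file content.

# Resolve the HTTP port to test (default 80).
# embedded:TRUE presumably keeps embedded web servers in scope - confirm.
port = get_http_port(default:80, embedded:TRUE);

# Short-circuit on a hotfix verdict already stored in the knowledge base.
# NOTE(review): the key is named after MS00-058 while this plugin reports
# MS00-019; presumably translate_f.nasl (a declared dependency) sets it -
# confirm that the patch relationship justifies reusing the verdict here.
hf = get_kb_item("Services/www/ms00-058-missing");
if (hf == "installed") exit(0);

if (hf == "missing")
{
  # Reported without sending any probe: this finding rests solely on the KB value.
  security_warning(port);
  exit(0);
}

if (!can_host_asp(port:port)) exit(0);

if (get_port_state(port)) {
  # Common ASP file names, each with "%5C" appended.
  f[0] = "/index.asp%5C";
  f[1] = "/default.asp%5C";
  f[2] = "/login.asp%5C";

  # Add one .asp path already recorded in the KB for this port, if any, so the
  # probe does not depend only on guessed file names.
  files = get_kb_list(string("www/", port, "/content/extensions/asp"));
  if (!isnull(files)) {
    files = make_list(files);
    f[3] = files[0] + "%5C";
  }

  # The loop stops at the first unset slot of f.
  for (i = 0; f[i]; i = i + 1) {
    req = http_get(item:f[i], port:port);
    h = http_keepalive_send_recv(port:port, data:req);
    if (h == NULL) exit(0);

    # Fix: the Content-Type test used to read `r`, a variable this script never
    # assigns, so the active probe could not match and an affected server with
    # no KB verdict went unreported. Test the response actually received (`h`).
    #
    # NOTE(review): "200 + application/octet-stream" is a heuristic for "file
    # served raw instead of executed". A server that legitimately answers
    # these paths with that content type would also match, and the header
    # comparison is case-sensitive; confirm findings against the patch level.
    if (ereg(pattern:"^HTTP/[0-9]\.[0-9] 200 .*", string:h) &&
        "Content-Type: application/octet-stream" >< h) {
      security_warning(port);
      exit(0);
    }
  }
}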
{"id": "IIS_UNC_MAPPED_VIRT_HOST_VULN.NASL", "bulletinFamily": "scanner", "title": "MS00-019: Microsoft IIS ISAPI Virtual Directory UNC Mapping ASP Source Disclosure (uncredentialed check)", "description": "It is possible to get the source code of the remote ASP scripts which\nare hosted on a mapped network share by appending '%5c' to the end of\nthe request. ASP source code usually contains sensitive information\nsuch as logins and passwords.", "published": "2003-03-23T00:00:00", "modified": "2003-03-23T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "href": "https://www.tenable.com/plugins/nessus/11443", "reporter": "(C) 2003-2020 tony@libpcap.net", "references": ["https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-019"], "cvelist": ["CVE-2000-0246"], "type": "nessus", "lastseen": "2020-09-14T15:39:58", "edition": 21, "viewCount": 23, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2000-0246"]}, {"type": "osvdb", "idList": ["OSVDB:7807"]}, {"type": "openvas", "idList": ["OPENVAS:11443", "OPENVAS:136141256231011443"]}, {"type": "exploitdb", "idList": ["EDB-ID:19824"]}], "modified": "2020-09-14T15:39:58", "rev": 2}, "score": {"value": 5.0, "vector": "NONE", "modified": "2020-09-14T15:39:58", "rev": 2}, "vulnersScore": 5.0}, "sourceData": "#\n# tony@libpcap.net\n# http://libpcap.net\n#\n# See the Nessus Scripts License for details\n\n\ninclude(\"compat.inc\");\n\nif(description) {\n script_id(11443);\n script_version(\"1.29\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/12\");\n\n script_cve_id(\"CVE-2000-0246\");\n script_bugtraq_id(1081);\n script_xref(name:\"MSFT\", value:\"MS00-019\");\n script_xref(name:\"MSKB\", value:\"249599\");\n\n script_name(english:\"MS00-019: Microsoft IIS ISAPI Virtual Directory UNC Mapping ASP Source Disclosure (uncredentialed check)\");\n script_summary(english:\"Checks IIS for .ASP/.HTR backslash 
vulnerability.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by an information disclosure flaw.\");\n script_set_attribute(attribute:\"description\", value:\n\"It is possible to get the source code of the remote ASP scripts which\nare hosted on a mapped network share by appending '%5c' to the end of\nthe request. ASP source code usually contains sensitive information\nsuch as logins and passwords.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-019\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a set of patches for IIS 4.0 and 5.0.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2000/03/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2003/03/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:iis\");\n script_end_attributes();\n\n script_copyright(english:\"(C) 2003-2020 tony@libpcap.net\");\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_require_ports(\"Services/www\", 80);\n script_dependencies(\"http_version.nasl\", \"www_fingerprinting_hmap.nasl\", \"translate_f.nasl\");\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\n\nport = get_http_port(default:80, embedded:TRUE);\nhf = get_kb_item(\"Services/www/ms00-058-missing\");\nif( hf == \"installed\" ) exit(0);\n\nif ( hf == \"missing\" )\n\t{\n\t 
security_warning(port);\n\t exit(0);\n\t}\n\nif ( ! can_host_asp(port:port) ) exit(0);\n\nif(get_port_state(port)) {\n # common ASP files\n f[0] = \"/index.asp%5C\";\n f[1] = \"/default.asp%5C\";\n f[2] = \"/login.asp%5C\";\n\n files = get_kb_list(string(\"www/\", port, \"/content/extensions/asp\"));\n if(!isnull(files)){\n \tfiles = make_list(files);\n\tf[3] = files[0] + \"%5C\";\n\t}\n\n for(i = 0; f[i]; i = i + 1) {\n req = http_get(item:f[i], port:port);\n h = http_keepalive_send_recv(port:port, data:req);\n if( h == NULL ) exit(0);\n\n if(ereg(pattern:\"^HTTP/[0-9]\\.[0-9] 200 .*\", string:h) &&\n \"Content-Type: application/octet-stream\" >< r) {\n security_warning(port);\n exit(0);\n }\n }\n}\n", "naslFamily": "Web Servers", "pluginID": "11443", "cpe": ["cpe:/a:microsoft:iis"], "scheme": null}
{"cve": [{"lastseen": "2020-10-03T11:36:56", "description": "IIS 4.0 and 5.0 does not properly perform ISAPI extension processing if a virtual directory is mapped to a UNC share, which allows remote attackers to read the source code of ASP and other files, aka the \"Virtualized UNC Share\" vulnerability.", "edition": 3, "cvss3": {}, "published": "2000-03-30T05:00:00", "title": "CVE-2000-0246", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2000-0246"], "modified": "2018-10-30T16:25:00", "cpe": ["cpe:/a:microsoft:internet_information_server:4.0", "cpe:/a:microsoft:site_server_commerce:3.0", "cpe:/a:microsoft:commercial_internet_system:2.5", "cpe:/a:microsoft:site_server:3.0", "cpe:/a:microsoft:internet_information_services:5.0", "cpe:/a:microsoft:commercial_internet_system:2.0", "cpe:/a:microsoft:proxy_server:2.0"], "id": "CVE-2000-0246", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0246", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:microsoft:proxy_server:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_information_services:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:commercial_internet_system:2.5:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_information_server:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:commercial_internet_system:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:site_server_commerce:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:site_server:3.0:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": 
"2017-04-28T13:20:02", "bulletinFamily": "software", "cvelist": ["CVE-2000-0246"], "edition": 1, "description": "# No description provided by the source\n\n## References:\nMicrosoft Security Bulletin: MS00-019\nMicrosoft Knowledge Base Article: 249599\nISS X-Force ID: 4204\n[CVE-2000-0246](https://vulners.com/cve/CVE-2000-0246)\nBugtraq ID: 1081\n", "modified": "2000-03-30T00:00:00", "published": "2000-03-30T00:00:00", "id": "OSVDB:7807", "href": "https://vulners.com/osvdb/OSVDB:7807", "title": "Microsoft IIS ISAPI Virtual Directory UNC Mapping ASP Source Disclosure", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-02-02T12:49:30", "description": "MS Commercial Internet System 2.0/2.5,IIS 4.0,Proxy Server 2.0,Site Server Commerce Edition 3.0 UNC Mapped Virtual Host Vulnerability. CVE-2000-0246. Remote ...", "published": "2000-03-30T00:00:00", "type": "exploitdb", "title": "Microsoft IIS 4.0 UNC Mapped Virtual Host Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2000-0246"], "modified": "2000-03-30T00:00:00", "id": "EDB-ID:19824", "href": "https://www.exploit-db.com/exploits/19824/", "sourceData": "MS Commercial Internet System 2.0/2.5,IIS 4.0,Proxy Server 2.0,Site Server Commerce Edition 3.0 UNC Mapped Virtual Host Vulnerability\r\n\r\nsource: http://www.securityfocus.com/bid/1081/info\r\n\r\nIf a virtual host root is mapped to a UNC share, a backward slash \"\\\" appended to an ASP or HTR extension in a URL request to that virtual host will cause Microsoft Internet Information Server to transmit full source code of the file back to a remote user. Files located on the local drive where IIS is installed is not affected by this vulnerability. 
\r\n\r\nhttp://target/file.asp\\ ", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/19824/"}], "openvas": [{"lastseen": "2020-05-08T16:40:16", "bulletinFamily": "scanner", "cvelist": ["CVE-2000-0246"], "description": "Your IIS webserver allows the retrieval of ASP/HTR source code.", "modified": "2020-05-06T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231011443", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231011443", "type": "openvas", "title": "Microsoft IIS UNC Mapped Virtual Host Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft IIS UNC Mapped Virtual Host Vulnerability\n#\n# Authors:\n# tony@libpcap.net, http://libpcap.net\n#\n# Copyright:\n# Copyright (C) 2001 tony@libpcap.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.11443\");\n script_version(\"2020-05-06T07:56:48+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-06 07:56:48 +0000 (Wed, 06 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(1081);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_cve_id(\"CVE-2000-0246\");\n script_name(\"Microsoft IIS UNC Mapped Virtual Host Vulnerability\");\n script_copyright(\"Copyright (C) 2001 tony@libpcap.net\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web Servers\");\n script_dependencies(\"find_service.nasl\", \"no404.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_tag(name:\"summary\", value:\"Your IIS webserver allows the retrieval of ASP/HTR source code.\");\n\n script_tag(name:\"impact\", value:\"An attacker can use this vulnerability to see how your\n pages interact and find holes in them to exploit.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the\n disclosure of this vulnerability. Likely none will be provided anymore. 
General solution options are to\n upgrade to a newer release, disable respective features, remove the product or replace the product by\n another one.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = http_get_port( default:80 );\nif ( ! http_can_host_asp( port:port ) ) exit( 0 );\nhost = http_host_name( dont_add_port:TRUE );\n\n# common ASP files\ncheck_files = make_list( \"/index.asp%5C\", \"/default.asp%5C\", \"/login.asp%5C\" );\n\nfiles = http_get_kb_file_extensions( port:port, host:host, ext:\"asp\" );\nif( ! isnull( files ) ) {\n files = make_list( files );\n check_files = make_list( check_files, files[0] + \"%5C\" );\n}\n\nforeach check_file( check_files ) {\n\n req = http_get( item:check_file, port:port );\n res = http_keepalive_send_recv( port:port, data:req );\n if( isnull( res ) ) exit( 0 );\n\n if( ereg( pattern:\"^HTTP/1\\.[01] 200\", string:res ) &&\n \"Content-Type: application/octet-stream\" >< res ) {\n report = http_report_vuln_url( port:port, url:check_file );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2017-07-02T21:10:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2000-0246"], "description": "Your IIS webserver allows the retrieval of ASP/HTR source code.\n\nAn attacker can use this vulnerability to see how your\npages interact and find holes in them to exploit.", "modified": "2017-04-28T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:11443", "href": "http://plugins.openvas.org/nasl.php?oid=11443", "type": "openvas", "title": "Microsoft IIS UNC Mapped Virtual Host Vulnerability", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: iis_unc_mapped_virt_host_vuln.nasl 6046 2017-04-28 09:02:54Z teissa $\n# Description: Microsoft IIS UNC Mapped Virtual 
Host Vulnerability\n#\n# Authors:\n# tony@libpcap.net, http://libpcap.net\n#\n# Copyright:\n# Copyright (C) 2001 tony@libpcap.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"Your IIS webserver allows the retrieval of ASP/HTR source code.\n\nAn attacker can use this vulnerability to see how your\npages interact and find holes in them to exploit.\";\n\nif(description) {\n script_id(11443);\n script_version(\"$Revision: 6046 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-04-28 11:02:54 +0200 (Fri, 28 Apr 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(1081);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_cve_id(\"CVE-2000-0246\");\n\n name = \"Microsoft IIS UNC Mapped Virtual Host Vulnerability\";\n script_name(name);\n\n\n summary = \"Checks IIS for .ASP/.HTR backslash vulnerability.\";\n script_copyright(\"Copyright (C) 2001 tony@libpcap.net\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n family = \"Web Servers\";\n script_family(family);\n\n script_require_ports(\"Services/www\", 80);\n script_dependencies(\"http_version.nasl\");\n script_tag(name : \"summary\" , value : tag_summary);\n 
exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port(default:80);\nif ( ! can_host_asp(port:port) ) exit(0);\n\nif(get_port_state(port)) {\n # common ASP files\n f[0] = \"/index.asp%5C\";\n f[1] = \"/default.asp%5C\";\n f[2] = \"/login.asp%5C\";\n \n files = get_kb_list(string(\"www/\", port, \"/content/extensions/asp\"));\n if(!isnull(files)){\n \tfiles = make_list(files);\n\tf[3] = files[0] + \"%5C\";\n\t}\n\n for(i = 0; f[i]; i = i + 1) {\n req = http_get(item:f[i], port:port);\n h = http_keepalive_send_recv(port:port, data:req);\n if( h == NULL ) exit(0);\n \n if(ereg(pattern:\"^HTTP/[0-9]\\.[0-9] 200 .*\", string:h) &&\n \"Content-Type: application/octet-stream\" >< r) {\n security_message(port);\n exit(0);\n }\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}]}