ISS Alert: IIS URL Decoding Vulnerability

Type securityvulns
Reporter Securityvulns
Modified 2001-05-16T00:00:00


TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to Contact for help with any problems!


Internet Security Systems Security Alert May 15, 2001

IIS URL Decoding Vulnerability


A flaw exists in Microsoft Internet Information Server (IIS) that may allow remote attackers to view directory structures, view and delete files, execute arbitrary commands, and deny service to the server. It is possible for attackers to craft URLs that take advantage of a flaw in IIS URL decoding routines. Security mechanisms within these routines can be bypassed. All recent versions of IIS are affected by this vulnerability.


This vulnerability is very similar to the IIS Unicode Translation Vulnerability described at As with the Unicode vulnerability, this is a variation of the common "dot dot" directory traversal attack. Older Web servers were vulnerable to this attack because the ".." directories in URLs allowed attackers to back out of the web root directory. This allowed attackers to navigate the file system or execute commands at will. IIS and most current Web servers have incorporated security measures to prevent the "dot dot" attack. These security measures deny all queries to URLs that contain too many leading slashes or ".." characters. The Unicode vulnerability was a result of improper handling of Unicode encoded ".." and "/" characters. This new vulnerability exploits another flaw in the IIS encoding mechanism that allows a similar result.

When IIS receives a query on a server-side script, it performs a decoding pass on the request. The string is decoded into canonical form and numerous security checks are performed to ensure the request is valid. A second decoding routine is run on the request to parse the parameters after the filename. IIS mistakenly parses the filename again with these additional parameters. This flaw allows specially crafted requests which include ".." and "/" characters to bypass security checks.

All queries are processed under the IUSR_machine context, which is part of the 'Everyone' and 'Users' group. This provides access to the web directory and most non-administrative functions. Attackers may not directly modify or delete files owned by the Administrator, nor run commands with privilege.

By crafting a request after a virtual directory with execute permissions, it is possible for an attacker to execute arbitrary commands. Attackers may then have the ability to manipulate the appearance of the Web site, download sensitive data, or install backdoor software.

This class of IIS vulnerabilities is well known and lends itself to being widely exploited by incorporation into worms and automatic scanning tools.

Affected Versions:

Microsoft IIS 4.0 Microsoft IIS 5.0

Older versions of IIS are not vulnerable.


Please refer to the following Microsoft Bulletins for information on the patches:

Microsoft IIS 4.0: Microsoft IIS 5.0:

ISS RealSecure Intrusion Detection customers may use following user-defined signature to detect exploitation attempts. Follow the instructions below to apply the user-defined signature to your policy.

  • From the Sensor window:
  • Right-click on the sensor and select 'Properties'.
  • Choose a policy you want to use, and click 'Customize'.
  • Select the 'User Defined Events' tab.
  • Click 'Add' on the right hand side of the dialog box.
  • Create a User Defined Event.
  • Type in a name of the event, such as "IIS URL Decoding Vulnerability".
  • In the 'Context' field for the event, select 'URL_Data'. In the 'String' field, type the following string: %5c|%2e|%2f
  • Click 'Save', and then 'Close'.
  • Click 'Apply to Sensor' or 'Apply to Engine', depending on the version of RealSecure you are using.

This signature detects all publicly known versions of this attack. It looks for the strings "%5c", "%2e", or "%2f" in a HTTP GET request. These strings show up in requests that attempt to exploit this vulnerability. RealSecure decodes all of the escaped characters in the request before passing it on to the user-defined signatures.

The ISS X-Force will provide additional functionality to detect this vulnerability in upcoming X-Press Updates for RealSecure and System Scanner.

Additional Information:

Please refer to the Microsoft Security Bulletin on this vulnerability:

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2001-0333 to this issue. This is a candidate for inclusion in the CVE list (, which standardizes names for security problems.

About Internet Security Systems (ISS)

Internet Security Systems, Inc. is a leading global provider of security management solutions for the Internet, protecting digital assets and ensuring safe and uninterrupted e-business. With its industry-leading intrusion detection and vulnerability assessment, remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to more than 8,000 customers worldwide including 21 of the 25 largest U.S. commercial banks and the top 10 U.S. telecommunications companies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at or call 888-901-7477.

Copyright (c) 2001 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail for permission.


The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: as well as on MIT's PGP key server and's key server.

Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv

iQCVAwUBOwF54zRfJiV99eG9AQH92wP+OiuSNiS8RjtzxITB7kCTrzsQbatpFNwQ e/DfDd6m7HKqcyW2XRHKspRdMJpfQYOv2IZ32+Wxnctbir7qO/leeSOtZZmpxrGZ ateXoWFMcdqYN8A3V6MzumK0qxXWQeXnJZysGJiYsWxZfnIpBdopV5KE5ZUBYFRE vJB3buUg5uU= =pj+e -----END PGP SIGNATURE-----