NSFOCUS Security Advisory(SA2000-07)
Topic: Microsoft IIS 4.0/5.0 CGI File Name Inspection Vulnerability
Release Date: Nov 7th, 2000
CVE Candidate Numbers: CAN-2000-0886
BUGTRAQ ID: 1912
The NSFOCUS security team has found a security flaw in the way Microsoft
IIS 4.0/5.0 handles CGI file names. By exploiting it, an attacker can
read system files and run arbitrary system commands.
When handling CGI applications (.exe, .pl, .php, etc.), Microsoft IIS 4.0/
5.0 does not perform a complete security check of the CGI file name,
which can cause IIS to open or run the wrong file if the file name
contains a special character.
If the following conditions are met:
(1) the target file exists;
(2) the target file is a batch file;
(3) the target file is a plain text file longer than zero bytes;
IIS will automatically call "cmd.exe" to interpret it. The remaining part
of the requested file name is passed to "cmd.exe" as parameters of the
batch file. Thus, an attacker can run arbitrary commands by inserting
characters such as "&".
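The pattern described above (a request whose file name names a batch file and carries a command separator after it) can be looked for in IIS request logs. The following detection script is an added example, not part of the NSFOCUS advisory; it assumes a simplified W3C log layout with fixed field positions, and its sample log lines are constructed.

```python
"""Detect IIS requests whose CGI file name targets a batch file and carries
shell metacharacters, the pattern described in the advisory above.

Sample log lines are constructed for this example (simplified W3C fields):
date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
"""
import re
from urllib.parse import unquote

# File extensions that IIS hands to cmd.exe for interpretation.
BATCH_EXTENSIONS = (".bat", ".cmd")
# Separators that let cmd.exe chain a second command onto the batch call.
SHELL_METACHARS = re.compile(r"[&|]")

# Constructed sample lines: a benign batch request, a benign .exe request,
# a request with a literal "&", and one with the same character URL-encoded.
SAMPLE_LOG = """\
2000-11-07 10:01:02 192.0.2.10 GET /scripts/report.bat - 200
2000-11-07 10:01:05 192.0.2.11 GET /scripts/search.exe q=iis 200
2000-11-07 10:02:17 192.0.2.12 GET /scripts/report.bat&echo+test - 200
2000-11-07 10:02:40 192.0.2.13 GET /scripts/report.bat%26echo+test - 200
"""

def is_batch_injection(uri_stem: str) -> bool:
    """True when the decoded URI stem names a batch file and the text after
    that name contains a command separator."""
    # Decode first: the server URL-decodes the path before mapping it, so
    # matching the raw stem would miss the %26-encoded variant of "&".
    decoded = unquote(uri_stem).lower()
    for ext in BATCH_EXTENSIONS:
        idx = decoded.find(ext)
        if idx != -1 and SHELL_METACHARS.search(decoded[idx + len(ext):]):
            return True
    return False

def scan_log(text: str) -> list:
    """Return (client ip, uri stem) for every log line matching the pattern."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):  # skip W3C directive lines
            continue
        fields = line.split()
        if len(fields) >= 5 and is_batch_injection(fields[4]):
            hits.append((fields[2], fields[4]))
    return hits

if __name__ == "__main__":
    for ip, stem in scan_log(SAMPLE_LOG):
        print(f"suspicious batch-file request from {ip}: {stem}")
```

Real W3C logs declare their column order in a "#Fields:" directive, so read the stem index from that line rather than hard-coding position 4 when running this over production logs.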
[Proof of concept code will be available soon]
Always remove unnecessary batch files, and keep the batch files you do
need on a different drive from any executable virtual directory.
Microsoft was informed on Oct 20th, 2000.
Microsoft released a security bulletin concerning this flaw on
Nov 6th, 2000.
The bulletin is available at:
http://www.microsoft.com/technet/security/bulletin/MS00-086.asp
Patches are available at:
. Microsoft IIS 5.0:
The Common Vulnerabilities and Exposures (CVE) project has
assigned the name CAN-2000-0886 to this issue. This is a
candidate for inclusion in the CVE list (http://cve.mitre.org),
which standardizes names for security problems. Candidates
may change significantly before they become official CVE entries.
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY OF ANY
KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, EXCEPT FOR
THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS
PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.
© Copyright 1999-2000 NSFOCUS. All Rights Reserved.
NSFOCUS Security Team <[email protected]>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)