Microsoft IIS CGI Filename Erroneous Decoding Vulnerability (MS01-026)

Vulnerability ID: 1106348
Vulnerability type: Design error
Published: 2001-05-15
Updated: 2007-01-29
CVE ID: CVE-2001-0333
CNNVD ID: CNNVD-200106-190
Platform: Windows
CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/20842
https://www.securityfocus.com/bid/2708
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200106-190
|Vulnerability details
IIS is a widely deployed Internet web server produced by Microsoft and bundled with Windows NT and Windows 2000. By default, certain IIS directories allow executable files to be run by submitting an HTTP request. The NSFOCUS security team discovered a security vulnerability in the way Microsoft IIS 4.0/5.0 handles CGI program filenames: because the filename is mistakenly decoded twice, a remote attacker may be able to exploit this vulnerability to execute arbitrary system commands on the host with the privileges of the web process.

When IIS loads an executable CGI program it performs two decoding passes. The first pass HTTP-decodes the CGI filename and then determines whether that filename refers to an executable, for example by checking whether the extension is ".exe", ".com" and so on. After the filename check has passed, IIS performs a second decode. Normally only the CGI parameters should be decoded at this point; however, IIS mistakenly decodes the already-decoded CGI filename together with the CGI parameters. As a result, the CGI filename is wrongly decoded twice. By carefully constructing the CGI filename, an attacker can bypass the security checks IIS applies to the filename, such as the checks for "../" or "./", and under certain conditions execute arbitrary system commands.

For example, the character '\' is normally encoded as %5c. The three characters of that encoding are themselves encoded as:

'%' = %25
'5' = %35
'c' = %63

Encoding these three characters a second time can therefore take several forms, for example:

%255c
%%35c
%%35%63
%25%35%63
...

Hence "..\" can be represented as "..%255c", "..%%35c", and so on. After the first decode this becomes "..%5c", which IIS treats as a normal string that does not violate its security checks. After the second decode it becomes "..\". The attacker can therefore use "..\" for directory traversal and execute arbitrary programs outside the web directory.
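To make the two-pass decode concrete, here is an added Python model of the flawed check beside the corrected one, plus a small detector that flags requests the bug would let through. This is example code written for this page, not code from the advisory, from NSFOCUS, or from IIS; the request paths are constructed and the "/outside/app.exe" target is a placeholder.

```python
import re
from urllib.parse import unquote

# Constructed sample request paths (not taken from the advisory). The first four use
# the double-encoded forms of "\" listed above, the fifth is single-encoded, the
# last is a benign request with an encoded parameter.
SAMPLE_PATHS = [
    "/scripts/..%255c..%255coutside/app.exe?arg=1",
    "/scripts/..%%35c..%%35coutside/app.exe?arg=1",
    "/scripts/..%%35%63..%%35%63outside/app.exe?arg=1",
    "/scripts/..%25%35%63..%25%35%63outside/app.exe?arg=1",
    "/scripts/..%5c..%5coutside/app.exe?arg=1",
    "/scripts/hello.exe?name=a%20b",
]

# A ".." path component delimited by "/" or "\" on either side.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def flawed_filename_check(request_path):
    """Model of the vulnerable flow described above: decode the filename once, run
    the traversal check on that result, then (mistakenly) decode the filename a
    second time together with the parameters. Returns (check_passed, filename)."""
    filename = request_path.split("?", 1)[0]
    once = unquote(filename)       # urllib leaves invalid escapes like "%%" intact
    if TRAVERSAL.search(once):
        return False, once
    twice = unquote(once)          # the erroneous second decode
    return True, twice

def fixed_filename_check(request_path):
    """Corrected flow: the filename is decoded exactly once and the security check
    runs on that final form; it is never decoded again afterwards."""
    filename = unquote(request_path.split("?", 1)[0])
    return not TRAVERSAL.search(filename), filename

def find_double_decode_bypasses(paths):
    """Detection over a batch of request paths: return those that pass the flawed
    check even though the twice-decoded filename contains a traversal."""
    hits = []
    for path in paths:
        passed, effective = flawed_filename_check(path)
        if passed and TRAVERSAL.search(effective):
            hits.append(path)
    return hits

if __name__ == "__main__":
    for path in find_double_decode_bypasses(SAMPLE_PATHS):
        print("double-decode bypass:", path, "->", flawed_filename_check(path)[1])
```

The same regex can be run over the decoded-once form of request paths in IIS logs to spot double-encoded traversal attempts before the server decodes them again.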
|Vulnerability EXP
source: http://www.securityfocus.com/bid/2708/info
       
Due to a flaw in the handling of CGI filename program requests, remote users can execute arbitrary commands on an IIS host.
       
When IIS receives a CGI filename request, it automatically performs two actions before completing the request:
       
1. IIS decodes the filename to determine the filetype and the legitimacy of the file. IIS then carries out a security check.
       
2. When the security check is completed, IIS decodes CGI parameters.
       
A flaw in IIS involves a third undocumented action: Typically, IIS decodes only the CGI parameter at this point, yet the previously decoded CGI filename is mistakenly decoded twice. If a malformed filename is submitted and circumvents the initial security check, the undocumented procedure will decode the malformed request, possibly allowing the execution of arbitrary commands.
       
Note that arbitrary commands will be run with the IUSR_machinename account privileges. Reportedly, various encoding combinations under Windows 2000 Server and Professional may yield different outcomes.
       
Personal Web Server 1.0 and 3.0 are reported vulnerable to this issue.
       
The Nimda worm (and variants) actively exploits this vulnerability.

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/20842.tgz
|Affected products
Microsoft Windows NT 4.0 SP6a + Microsoft Windows NT Enterprise Server 4.0 SP6a + Microsoft Windows NT Enterprise Server 4.0 SP6a
|References

Source: CERT/CC Advisory: CA-2001-12
Name: CA-2001-12
Link: http://www.cert.org/advisories/CA-2001-12.html
Source: MS
Name: MS01-026
Link: http://www.microsoft.com/technet/security/bulletin/MS01-026.asp
Source: BUGTRAQ
Name: 20010515 NSFOCUS SA2001-02: Microsoft IIS CGI Filename Decode Error Vulnerability
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=98992056521300&w=2
Source: XF
Name: iis-url-decoding(6534)
Link: http://xforce.iss.net/static/6534.php
Source: BID
Name: 2708
Link: http://www.securityfocus.com/bid/2708
Source: US Government Resource: oval:org.mitre.oval:def:78
Name: oval:org.mitre.oval:def:78
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:78
Source: US Government Resource: oval:org.mitre.oval:def:37
Name: oval:org.mitre.oval:def:37
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:37
Source: US Government Resource: oval:org.mitre.oval:def:1051
Name: oval:org.mitre.oval:def:1051
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1051
Source: US Government Resource: oval:org.mitre.oval:def:1018
Name: o