NSFOCUS Security Advisory (SA2000-08) - Microsoft IIS for Far East Editions File Disclosure Vulnerability. Submitting a malformed URL with a non-ascii character, a different file can be opened and the contents read. Vulnerable versions include IIS 4.0 (Far East Edition) previous to SP6 and IIS 5.0 (Far East Edition). English versions are unaffected. Exploit will be released soon.
18ac62855ee1f46fc88efa8ccb402ebb65f449eb0664a5ce46786c49c83d7b5bNSFOCUS Security Advisory(SA2000-08)
Topic: Microsoft IIS for Far East Editions File Disclosure Vulnerability
Release Date£ºDec 13rd, 2000
CVE Candidate Numbers: CAN-2000-1090
Affected system:
==================
- Microsoft IIS 4.0 for Far East editions ( < SP6 )
- Microsoft IIS 5.0 for Far East editions (Chinese (Traditional and
Simplified), Japanese, and Korean (Hangeul))
Non-affected system:
==================
- Microsoft IIS 4.0 for Far East editions( SP6/SP6a )
- Microsoft IIS 5.0/4.0 other editions
Impact:
=========
NSFOCUS security team has found a security flaw in Microsoft IIS 4.0/5.0
(Far East editions) when responding to a HTTP request containing incomplete
double-byte characters(DBCS). It could lead to exposure of files under Web
directory to a remote attacker.
Description£º
============
Microsoft IIS for Far East editions include Chinese (Traditional and
Simplified), Japanese, and Korean (Hangeul), all of which use
double-byte character set(DBCS). When IIS receives a HTTP request
with non-ASCII character in the file name, it will check if it is a
lead-byte(Lead-byte ranges: 0x81 - 0x9F, 0xE0 - 0xFC). If it is, then
IIS go on checking for a trail-byte. And if a trail-byte is not available,
IIS will simply drop the lead-byte. All this will result in an opening of
a different file.
Submitting a malformed URL, attacker can entrap IIS to call some certain
ISAPI DLL, open some kinds of file that it can not interpret. attacker
may obtain the content of file like plain text file(.asp, .ini, .asa
etc.)or binary system file(.exe) under Web or virtual directory.
This problem has been solved in IIS 4.0 with SP6 before it comes forth
again in IIS 5.0.
Other IIS 4.0/5.0 including English versions are unaffected.
Exploit:
==========
[Proof of concept code will be available soon]
Workaround:
===================
1¡¢Remove unnecessary ISAPI mapping like HTR, HTW,IDQ etc.
2¡¢Turn on "Check that file exists" option in every necessary
ISAPI mapping.
3¡¢If you are using vulnerable IIS 4.0 with prior SP6, update to SP6.
Vendor Status:
==============
Microsoft has been informed on Oct 8, 2000.
Additional Information:
========================
The Common Vulnerabilities and Exposures (CVE) project has
assigned the name CAN-2000-1090 to this issue. This is a
candidate for inclusion in the CVE list (https://cve.mitre.org),
which standardizes names for security problems. Candidates
may change significantly before they become official CVE entries.
DISCLAIMS:
==========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY OF ANY
KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, EXCEPT FOR
THE WARRANTIES OF MERCHANTABILITY. IN NO EVENTSHALL NSFOCUS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,CONSEQUENTIAL, LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR REPRODUTION OF THE INFORMATION IS
PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.
?Copyright 1999-2000 NSFOCUS. All Rights Reserved. Terms of use.
NSFOCUS Security Team <security@nsfocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(https://www.nsfocus.com)
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed