[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Microsoft IIS for Far East Editions File Disclosure Vulnerability

Title: Microsoft IIS for Far East Editions File Disclosure Vulnerability
Released by: Nsfocus
Date: 13th December 2000
Printable version: Click here
NSFOCUS Security Advisory(SA2000-08)



Topic: Microsoft IIS for Far East Editions File Disclosure Vulnerability



Release Date£ºDec 13rd, 2000



CVE Candidate Numbers: CAN-2000-1090



Affected system:

==================



 - Microsoft IIS 4.0 for Far East editions ( < SP6 )

 - Microsoft IIS 5.0 for Far East editions (Chinese (Traditional and

                     Simplified), Japanese, and Korean (Hangeul))

Non-affected system:

==================



 - Microsoft IIS 4.0 for Far East editions( SP6/SP6a )

 - Microsoft IIS 5.0/4.0 other editions



Impact:

=========





NSFOCUS security team has found a security flaw in Microsoft IIS 4.0/5.0

(Far East editions) when responding to a HTTP request containing incomplete

double-byte characters(DBCS). It could lead to exposure of files under Web

directory to a remote attacker.



Description£º

============



Microsoft IIS for Far East editions include Chinese (Traditional and

Simplified), Japanese, and Korean (Hangeul), all of which use

double-byte character set(DBCS). When IIS receives a HTTP request

with non-ASCII character in the file name, it will check if  it is a

lead-byte(Lead-byte ranges: 0x81 - 0x9F, 0xE0 - 0xFC). If it is, then

IIS go on checking for a trail-byte. And if a trail-byte is not available,

IIS will simply drop the lead-byte. All this will result in an opening of

a different file.



Submitting a malformed URL, attacker can entrap IIS to call some certain

ISAPI DLL, open some kinds of file that it can not interpret. attacker

may obtain the content of file like plain text file(.asp, .ini, .asa

etc.)or binary system file(.exe) under Web or virtual directory.



This problem has been solved in IIS 4.0 with SP6 before it comes forth

again in IIS 5.0.



Other IIS 4.0/5.0 including English versions are unaffected.





Exploit:

==========



[Proof of concept code will be available soon]



Workaround:

===================



1¡¢Remove unnecessary ISAPI mapping like HTR, HTW,IDQ etc.



2¡¢Turn on "Check that file exists" option in every necessary

   ISAPI mapping.



3¡¢If you are using vulnerable IIS 4.0 with prior SP6, update to SP6.



Vendor Status:

==============



Microsoft has been informed on Oct 8, 2000.



Additional Information:

========================



The Common Vulnerabilities and Exposures (CVE) project has

assigned the name CAN-2000-1090 to this issue. This is a

candidate for inclusion in the CVE list (http://cve.mitre.org),

which standardizes names for security problems.  Candidates

may change significantly before they become official CVE entries.



DISCLAIMS:

==========

THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY OF ANY

KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, EXCEPT FOR

THE WARRANTIES OF MERCHANTABILITY. IN NO EVENTSHALL NSFOCUS BE LIABLE FOR ANY

DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,CONSEQUENTIAL, LOSS OF

BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN ADVISED OF THE

POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR REPRODUTION OF THE INFORMATION IS

PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.



?Copyright 1999-2000 NSFOCUS. All Rights Reserved. Terms of use.





NSFOCUS Security Team 

NSFOCUS INFORMATION TECHNOLOGY CO.,LTD

(http://www.nsfocus.com)








(C) 1999-2000 All rights reserved.