19 lines
No EOL
1.3 KiB
Text
19 lines
No EOL
1.3 KiB
Text
source: https://www.securityfocus.com/bid/2708/info
|
|
|
|
Due to a flaw in the handling of CGI filename program requests, remote users can execute arbitrary commands on an IIS host.
|
|
|
|
When IIS receives a CGI filename request, it automatically performs two actions before completing the request:
|
|
|
|
1. IIS decodes the filename to determine the filetype and the legitimacy of the file. IIS then carries out a security check.
|
|
|
|
2. When the security check is completed, IIS decodes CGI parameters.
|
|
|
|
A flaw in IIS involves a third undocumented action: Typically, IIS decodes only the CGI parameter at this point, yet the previously decoded CGI filename is mistakenly decoded twice. If a malformed filename is submitted and circumvents the initial security check, the undocumented procedure will decode the malformed request, possibly allowing the execution of arbitrary commands.
|
|
|
|
Note that arbitrary commands will be run with the IUSR_machinename account privileges. Reportedly, various encoding combinations under Windows 2000 Server and Professional may yield different outcomes.
|
|
|
|
Personal Web Server 1.0 and 3.0 are reported vulnerable to this issue.
|
|
|
|
The worm Nimda(and variants) actively exploit this vulnerability.
|
|
|
|
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/20841.zip |