A vulnerability exists in Microsoft IIS 4 and 5 such that an attacker visiting an IIS web site can execute arbitrary code with the privileges of the IUSR_machinename account. This vulnerability is referred to as the "Web Server Folder Directory Traversal" vulnerability. This vulnerability has characteristics similar to vulnerabilities that have been widely exploited in the past. Unless remedial action is taken, we believe it is likely that systems with this vulnerability will be compromised.
IIS 4 and 5 provide the ability for web administrators to place executable files and scripts on the web server for execution on the server by visitors to the site. The executability and scriptability of files on the server can be controlled on a directory-by-directory basis. Additionally, by design, IIS restricts access to files on the server to only those files in the web folder(s). This includes attempts to access files through a relative reference such as
Remote users can execute arbitrary commands with the privileges of the IUSR_machinename account.
Apply the patch described in MS01-044. This patch is a cumulative patch that covers a variety of security problems discovered prior to August 15, 2001. Alternatively, you can install a patch from Microsoft as described in MS00-078, though that addresses only this specific vulnerability. The patch was first announced in MS00-057.
As a general practice, and to mitigate this vulnerability if you are unable to install a patch, use NTFS file permissions to restrict IIS so that it can access only files contained in the web server. Additionally, because relative references to files cannot cross volume boundaries, you may wish to configure IIS such that the web folder is on a separate volume. That is, keep the web data on the D: drive and everything else on the C: drive. However, note that this provides only very limited protection and can be circumvented by an intruder.
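One way to enforce the web-folder restriction discussed above is to decode and normalize the requested path completely before testing containment. This is an added example, not IIS code and not part of the original advisory; `WEB_ROOT`, `resolve` and `allowed` are hypothetical names, the paths are constructed, and it goes beyond the relative-reference case by also rejecting malformed UTF-8 and residual percent-encoding.

```python
import ntpath  # Windows path rules, usable on any platform
from urllib.parse import unquote_to_bytes

# Assumed layout: web data on its own volume, as the advisory suggests.
WEB_ROOT = r"D:\inetpub\wwwroot"


class Rejected(ValueError):
    """Raised when a requested path must not be served."""


def resolve(url_path, web_root=WEB_ROOT):
    """Map a URL path to a file path under web_root, or raise Rejected."""
    if not url_path.isascii():
        raise Rejected("non-ASCII characters must be percent-encoded")
    try:
        # Decode exactly once; strict UTF-8 refuses malformed or overlong
        # byte sequences instead of mapping them to some other character.
        text = unquote_to_bytes(url_path).decode("utf-8", "strict")
    except UnicodeDecodeError:
        raise Rejected("malformed UTF-8 in path")
    if "%" in text:
        raise Rejected("path is still percent-encoded after one decode")
    if ":" in text or any(ord(c) < 32 for c in text):
        raise Rejected("drive, stream or control character in path")
    # Treat both separators alike, then collapse '.' and '..' lexically.
    relative = text.replace("/", "\\").lstrip("\\")
    root = ntpath.normpath(web_root)
    candidate = ntpath.normpath(ntpath.join(root, relative))
    # The containment test runs on the final, normalized form only.
    same_volume = (ntpath.splitdrive(candidate)[0].lower()
                   == ntpath.splitdrive(root)[0].lower())
    if not same_volume:
        raise Rejected("path leaves the web volume")
    if ntpath.commonpath([root, candidate]).lower() != root.lower():
        raise Rejected("path leaves the web folder")
    return candidate


def allowed(url_path):
    """True if resolve() accepts the path, False if it is rejected."""
    try:
        resolve(url_path)
    except Rejected:
        return False
    return True
```
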
This document was written by Shawn Hernan. Our understanding of this problem was aided by the work of Rain Forest Puppy.
Date First Published: 2000-11-20
Date Last Updated: 2001-09-18 18:24 UTC