GEN:SID | 1:983 |
Message | WEB-IIS unicode directory traversal attempt |
Summary | This event is generated when an attempt is made use a unicode encoded representaion of a "\" in a URL request. This may permit an attacker to navigate to files and directories outside the web root of a vulnerable Internet Information Services (IIS) server.
|
Impact | Remote access. This attack can allow an attacker to execute commands a vulnerable IIS server.
|
Detailed Information | User access should be restricted to an assigned web root directory and subdirectories when interacting with a web server. Attackers who attempt to perform directory traversals outside the web root should be denied access. A vulnerability exists in IIS web servers that allows directory traversal outside the web root directory when unicode encoding of specific characters is used. This particular attack uses the unicode encoding of the "\" to escape the web root. This may permit an attacker to execute commands on the vulnerable server.
|
Affected Systems | IIS 4.0, 5.0 servers
|
Attack Scenarios | An attacker can unicode encode a directory traversal character permitting execution of commands on the IIS server.
|
Ease of Attack | Simple. GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
|
Corrective Action | Apply the patch referenced in the Microsoft link. |
Additional References | CVE http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0084
Microsoft http://www.microsoft.com/technet/security/bulletin/ms00-078.asp
|
Rule References | bugtraq: 1806
cve: 2000-0884
nessus: 10537
|