NSFOCUS has discovered a security flaw in the Far East editions of Microsoft IIS 4.0 and 5.0. It is triggered when IIS handles an HTTP request whose path contains an incomplete double-byte character set (DBCS) sequence, and it allows a remote attacker to read the contents of files under the Web root or a virtual directory.
Credit:
The information has been provided by Nsfocus Security Team.
Vulnerable systems:
- Microsoft IIS 4.0, Far East editions, prior to SP6
- Microsoft IIS 5.0, Far East editions (Chinese (Traditional and Simplified), Japanese, and Korean (Hangeul))
Immune systems:
- Microsoft IIS 4.0, Far East editions, with SP6/SP6a
- Microsoft IIS 4.0/5.0, all non Far East editions
Details:
The Far East editions of Microsoft IIS (Chinese Traditional and Simplified, Japanese, and Korean Hangeul) accept double-byte character set (DBCS) strings in HTTP requests. When IIS receives a request whose file name contains a non-ASCII byte, it checks whether that byte is a DBCS lead byte (lead-byte ranges: 0x81 - 0x9F and 0xE0 - 0xFC). If it is, IIS looks for the trail byte that should follow it; if no trail byte is available, IIS simply drops the dangling lead byte instead of rejecting the request. The path IIS finally opens is therefore not the path that was requested.
By submitting such a malformed URL, an attacker can make IIS hand the request to an ISAPI DLL, which then opens a kind of file it was never meant to interpret and returns it unprocessed. This discloses the source of files under the Web root or a virtual directory in plain text (.asp, .ini, .asa, etc.) as well as the contents of binary files (.exe).
The problem was fixed in IIS 4.0 with SP6, but it reappeared in IIS 5.0.
Other IIS 4.0/5.0 editions, including the English versions, are unaffected.
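The lead-byte handling described above, modelled in Python. This is an added example and not NSFOCUS's or Microsoft's code: it percent-decodes a request path, applies the lenient rule the advisory describes (a lead byte in the quoted ranges with no byte after it is silently dropped) beside a strict variant that rejects the request instead, and shows how two different request paths collapse onto the same file. The lead-byte ranges are taken from the advisory; treating "trail byte available" as "any byte follows", the sample paths and all function names are assumptions of this example.

```python
"""Model of the DBCS lead-byte handling described in the advisory.

Added example, not NSFOCUS or Microsoft code.  The lead-byte ranges are
those quoted in the advisory; the assumption that "a trail byte is
available" simply means "another byte follows" is ours, as are all
sample paths used below.
"""
from urllib.parse import unquote_to_bytes

# Lead-byte ranges quoted in the advisory (Shift_JIS style DBCS).
LEAD_RANGES = ((0x81, 0x9F), (0xE0, 0xFC))


def is_lead_byte(b: int) -> bool:
    """True if b falls in one of the advisory's lead-byte ranges."""
    return any(lo <= b <= hi for lo, hi in LEAD_RANGES)


def lenient_normalize(raw_path: bytes) -> bytes:
    """Reproduce the lenient behaviour: decode %xx escapes, then walk the
    bytes.  A lead byte followed by another byte is kept as a two-byte
    character; a lead byte at the very end (no trail byte available) is
    dropped, so the path that gets opened is no longer the requested one."""
    decoded = unquote_to_bytes(raw_path)
    out = bytearray()
    i = 0
    while i < len(decoded):
        b = decoded[i]
        if is_lead_byte(b):
            if i + 1 < len(decoded):
                out += decoded[i:i + 2]   # complete DBCS character, keep both bytes
                i += 2
            else:
                i += 1                    # dangling lead byte: silently dropped
            continue
        out.append(b)                     # single-byte character
        i += 1
    return bytes(out)


class IncompleteDbcsSequence(ValueError):
    """Raised by the strict variant on a lead byte with no trail byte."""


def strict_normalize(raw_path: bytes) -> bytes:
    """Hardened variant (our suggestion, not IIS behaviour): an incomplete
    DBCS sequence is a malformed request and is rejected, not repaired."""
    decoded = unquote_to_bytes(raw_path)
    i = 0
    while i < len(decoded):
        if is_lead_byte(decoded[i]):
            if i + 1 >= len(decoded):
                raise IncompleteDbcsSequence(
                    f"dangling lead byte 0x{decoded[i]:02X} at offset {i}")
            i += 2
        else:
            i += 1
    return decoded


def is_well_formed(raw_path: bytes) -> bool:
    """Convenience wrapper: does the strict rule accept this path?"""
    try:
        strict_normalize(raw_path)
    except IncompleteDbcsSequence:
        return False
    return True


def collides(raw_a: bytes, raw_b: bytes) -> bool:
    """True when two distinct request paths open the same file under the
    lenient rule; this is the mismatch the advisory exploits."""
    return raw_a != raw_b and lenient_normalize(raw_a) == lenient_normalize(raw_b)


if __name__ == "__main__":
    # Constructed sample paths, not taken from the advisory.
    dangling = b"/default.asp%81"          # trailing lead byte, no trail byte
    kanji = b"/%93%FA%96%7B.asp"            # two complete Shift_JIS characters
    print(lenient_normalize(dangling))      # the %81 vanishes
    print(lenient_normalize(kanji))         # complete characters are preserved
    print(collides(b"/global.asa%81", b"/global.asa"))
    print(is_well_formed(dangling), is_well_formed(kanji))
```

The point to take from the model is that the request as seen by the dispatcher (`/default.asp%81`) and the file that is actually opened (`/default.asp`) are different strings; any decision made on the former, such as choosing a handler by extension, is made on data that no longer describes the file. The strict variant removes the ambiguity by refusing the request outright, which is what "Check that file exists" approximates on the server side.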
Workaround:
1) Remove unnecessary ISAPI mappings such as HTR, HTW and IDQ.
2) Turn on the "Check that file exists" option for each ISAPI mapping you keep (where the option is available).
3) If you are running a vulnerable IIS 4.0 (prior to SP6), upgrade to SP6.