Vulnerabilities > CVE-2001-0506 - Buffer Overrun Privelege Elevation vulnerability in Microsoft products

CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
low complexity
microsoft
nessus
exploit available

Summary

Buffer overflow in ssinc.dll in IIS 5.0 and 4.0 allows local users to gain system privileges via a Server-Side Includes (SSI) directive for a long filename, which triggers the overflow when the directory name is added, aka the "SSI privilege elevation" vulnerability.

Vulnerable Configurations

Part Description Count
Application
Microsoft
2

Exploit-Db

descriptionMicrosoft IIS 4/5 SSI Buffer Overrun Privelege Elevation. CVE-2001-0506 . Local exploit for windows platform
idEDB-ID:21071
last seen2016-02-02
modified2001-08-15
published2001-08-15
reporterIndigo
sourcehttps://www.exploit-db.com/download/21071/
titleMicrosoft IIS 4/5 - SSI Buffer Overrun Privelege Elevation

Nessus

NASL familyWeb Servers
NASL idIIS_ISAPI_OVERFLOW.NASL
descriptionThere's a buffer overflow in the remote web server through the ISAPI filter.
last seen2020-06-01
modified2020-06-02
plugin id10685
published2001-06-19
reporterThis script is Copyright (C) 2001-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/10685
titleMicrosoft IIS ISAPI Filter Multiple Vulnerabilities (MS01-044)
code
#
# (C) Tenable Network Security, Inc.
#

# This script was written by Renaud Deraison <[email protected]>
# It was modified by H D Moore to not crash the server during the test
#
# Supersedes MS01-033


include("compat.inc");

# Registration section: when the engine loads the plugin with `description`
# set, it records identity, references, report text, CVSS data and
# scheduling metadata, then exits without running the probe below.
if (description)
{
  # Plugin identity and the advisories / CVEs it is tagged with.
  script_id(10685);
  script_version ("1.51");
  script_cve_id(
    "CVE-2001-0544", "CVE-2001-0545", "CVE-2001-0506",
    "CVE-2001-0507", "CVE-2001-0508", "CVE-2001-0500"
  );
  script_bugtraq_id(2690, 2880, 3190, 3193, 3194, 3195);
  script_xref(name:"MSFT", value:"MS01-033");
  script_xref(name:"MSFT", value:"MS01-044");
  script_xref(name:"MSKB", value:"294774");
  script_xref(name:"MSKB", value:"297860");
  script_xref(name:"MSKB", value:"298340");
  script_xref(name:"MSKB", value:"300972");
  script_xref(name:"MSKB", value:"301625");
  script_xref(name:"MSKB", value:"304867");
  script_xref(name:"MSKB", value:"305359");

  script_name(english:"Microsoft IIS ISAPI Filter Multiple Vulnerabilities (MS01-044)");

  # Report text shown to the user. The description covers more than the
  # single condition the probe below exercises: the remaining findings are
  # reported on the basis that the server is unpatched.
  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by multiple vulnerabilities." );
  script_set_attribute(attribute:"description", value:
"There's a buffer overflow in the remote web server through
the ISAPI filter.
 
It is possible to overflow the remote web server and execute 
commands as user SYSTEM.

Additionally, other vulnerabilities exist in the remote web
server since it has not been patched." );
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-033" );
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-044" );
  script_set_attribute(attribute:"solution", value:
"Apply the patches from the bulletins above." );

  # Severity and exploitability metadata. The base vector is network-side
  # because it describes the remote ISAPI overflow (MS01-033), not every
  # CVE listed above.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MS01-033 Microsoft IIS 5.0 IDQ Path Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  # Publication dates, plugin type and target CPE.
  script_set_attribute(attribute:"plugin_publication_date", value: "2001/06/19");
  script_set_attribute(attribute:"patch_publication_date", value: "2001/06/18");
  script_set_attribute(attribute:"vuln_publication_date", value: "2001/05/06");
  script_cvs_date("Date: 2018/11/15 20:50:25");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:iis");
  script_end_attributes();

  # Scheduling: ACT_ATTACK marks the probe as potentially disruptive, and
  # the dependencies make sure the HTTP service has been identified first.
  script_summary(english:"Tests for a remote buffer overflow in IIS");
  script_category(ACT_ATTACK);
  script_family(english:"Web Servers");
  script_copyright(english:"This script is Copyright (C) 2001-2018 Tenable Network Security, Inc.");
  script_dependencie("find_service1.nasl", "http_version.nasl", "www_fingerprinting_hmap.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}

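# The attack starts here
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Scope check: only IIS is in scope, so stop quietly when there is no
# banner or the banner does not mention IIS.
# Fix: the original compared against an unassigned variable (`h`) instead
# of the banner fetched into `b`, so the IIS check never looked at the
# real banner.
port = get_http_port(default:80);
b = get_http_banner(port: port);
if (isnull(b) || "IIS" >!< b) exit(0, "The web server on port "+port+" is not IIS.");

# Probe: one GET for a .ida resource with an over-long query string.
# Per the script header this request was tuned so the test does not crash
# the server. Note that this exercises the .ida ISAPI path only; the other
# CVEs tagged in the description block are reported on patch status, not
# probed individually.
w = http_send_recv3(method: "GET", port: port,
  item: "/x.ida?"+crap(length:220, data:"x")+"=x");
if (isnull(w)) exit(1, "the web server did not answer");

# Status line, headers and body are searched as one string.
r = strcat(w[0], w[1], '\r\n', w[2]);

# 0xc0000005 == "Access Violation": the NT exception code surfacing in the
# response is taken as evidence that the ISAPI filter faulted on the
# over-long input, i.e. the server is unpatched.
if ("0xc0000005" >< r)
{
  security_hole(port);
}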

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/25189/sa2001_06.txt
idPACKETSTORM:25189
last seen2016-12-05
published2001-08-19
reporternsfocus.com
sourcehttps://packetstormsecurity.com/files/25189/sa2001_06.txt.html
titlesa2001_06.txt