Vulnerabilities > CVE-2001-0507 - Unspecified vulnerability in Microsoft Internet Information Services 5.0

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
microsoft
nessus
exploit available

Summary

IIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability.

Vulnerable Configurations

Part Description Count
Application
Microsoft
1

Exploit-Db

descriptionMicrosoft IIS 5.0 In-Process Table Privelege Elevation Vulnerability. CVE-2001-0507 . Local exploit for windows platform
idEDB-ID:21072
last seen2016-02-02
modified2001-08-15
published2001-08-15
reporterDigital Offense
sourcehttps://www.exploit-db.com/download/21072/
titleMicrosoft IIS 5.0 - In-Process Table Privelege Elevation Vulnerability

Nessus

  • NASL familyWeb Servers
    NASL idIIS_ISAPI_OVERFLOW.NASL
    descriptionThere
    last seen2020-06-01
    modified2020-06-02
    plugin id10685
    published2001-06-19
    reporterThis script is Copyright (C) 2001-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/10685
    titleMicrosoft IIS ISAPI Filter Multiple Vulnerabilities (MS01-044)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # This script was written by Renaud Deraison <[email protected]>
    # It was modified by H D Moore to not crash the server during the test
    #
    # Supercedes MS01-033
    
    
    include("compat.inc");
    
    if(description)
    {
     script_id(10685);
     script_version ("1.51");
     script_cve_id( "CVE-2001-0544", "CVE-2001-0545", "CVE-2001-0506", "CVE-2001-0507", "CVE-2001-0508", "CVE-2001-0500");
     script_bugtraq_id(2690, 2880, 3190, 3193, 3194, 3195);
     script_xref(name:"MSFT", value:"MS01-033");
     script_xref(name:"MSFT", value:"MS01-044");
     script_xref(name:"MSKB", value:"294774");
     script_xref(name:"MSKB", value:"297860");
     script_xref(name:"MSKB", value:"298340");
     script_xref(name:"MSKB", value:"300972");
     script_xref(name:"MSKB", value:"301625");
     script_xref(name:"MSKB", value:"304867");
     script_xref(name:"MSKB", value:"305359");
    
     script_name(english:"Microsoft IIS ISAPI Filter Multiple Vulnerabilities (MS01-044)");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote web server is affected by multiple vulnerabilities." );
     script_set_attribute(attribute:"description", value:
    "There's a buffer overflow in the remote web server through
    the ISAPI filter.
     
    It is possible to overflow the remote web server and execute 
    commands as user SYSTEM.
    
    Additionally, other vulnerabilities exist in the remote web
    server since it has not been patched." );
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-033" );
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-044" );
     script_set_attribute(attribute:"solution", value:
    "Apply the patches from the bulletins above." );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploit_framework_core", value:"true");
     script_set_attribute(attribute:"exploited_by_malware", value:"true");
     script_set_attribute(attribute:"metasploit_name", value:'MS01-033 Microsoft IIS 5.0 IDQ Path Overflow');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
     script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
     script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2001/06/19");
     script_set_attribute(attribute:"patch_publication_date", value: "2001/06/18");
     script_set_attribute(attribute:"vuln_publication_date", value: "2001/05/06");
     script_cvs_date("Date: 2018/11/15 20:50:25");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:iis");
    script_end_attributes();
    
    
     script_summary(english:"Tests for a remote buffer overflow in IIS");
     script_category(ACT_ATTACK);
     script_family(english:"Web Servers");
     script_copyright(english:"This script is Copyright (C) 2001-2018 Tenable Network Security, Inc.");
     script_dependencie("find_service1.nasl", "http_version.nasl", "www_fingerprinting_hmap.nasl");
     script_require_ports("Services/www", 80);
     exit(0);
    }
    
    # The attack starts here
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    port = get_http_port(default:80);
    b = get_http_banner(port: port);
    if ("IIS" >!< h ) exit(0);
       
         
    w = http_send_recv3(method: "GET", port: port,
      item: "/x.ida?"+crap(length:220, data:"x")+"=x");
    if (isnull(w)) exit(1, "the web server did not answer");
    r = strcat(w[0], w[1], '\r\n', w[2]);
    
        # 0xc0000005 == "Access Violation"
        if ("0xc0000005" >< r)
        {
            security_hole(port);
        }
    
    
  • NASL familyWeb Servers
    NASL idIIS_DECODE_BUG.NASL
    descriptionWhen IIS receives a user request to run a script, it renders the request in a decoded canonical form, and then performs security checks on the decoded request. A vulnerability results because a second, superfluous decoding pass is performed after the initial security checks are completed. Thus, a specially crafted request could allow an attacker to execute arbitrary commands on the IIS Server.
    last seen2020-06-01
    modified2020-06-02
    plugin id10671
    published2001-05-15
    reporterThis script is Copyright (C) 2001-2018 Matt Moore / H D Moore
    sourcehttps://www.tenable.com/plugins/nessus/10671
    titleMS01-026 / MS01-044: Microsoft IIS Remote Command Execution (uncredentialed check)
    code
    #
    # This script was modified Matt Moore ([email protected])
    # from the NASL script to test for the UNICODE directory traversal
    # vulnerability, originally written by Renaud Deraison.
    #
    # Then Renaud took Matt's script and used H D Moore modifications
    # to iis_dir_traversal.nasl ;)
    #
    
    # Changes by Tenable:
    # - Touched up description (11/04/10)
    # - Add MSKB script_xref (8/29/17)
    
    include("compat.inc");
    
    if (description)
    {
     script_id(10671);
     script_version("1.62");
     script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
    
     script_cve_id("CVE-2001-0333", "CVE-2001-0507");
     script_bugtraq_id(2708, 3193);
     script_xref(name:"MSFT", value:"MS01-026");
     script_xref(name:"MSFT", value:"MS01-044");
     script_xref(name:"MSKB", value:"288855");
     script_xref(name:"MSKB", value:"293826");
     script_xref(name:"MSKB", value:"294370");
     script_xref(name:"MSKB", value:"294774");
     script_xref(name:"MSKB", value:"295534");
     script_xref(name:"MSKB", value:"297860");
     script_xref(name:"MSKB", value:"298340");
     script_xref(name:"MSKB", value:"301625");
     script_xref(name:"MSKB", value:"304867");
     script_xref(name:"MSKB", value:"305359");
    
     script_name(english:"MS01-026 / MS01-044: Microsoft IIS Remote Command Execution (uncredentialed check)");
     script_summary(english:"Determines if arbitrary commands can be executed");
    
     script_set_attribute(attribute:"synopsis", value:"Arbitrary commands can be executed on the remote web server.");
     script_set_attribute(attribute:"description", value:
    "When IIS receives a user request to run a script, it renders the
    request in a decoded canonical form, and then performs security checks
    on the decoded request.  A vulnerability results because a second,
    superfluous decoding pass is performed after the initial security checks
    are completed.  Thus, a specially crafted request could allow an
    attacker to execute arbitrary commands on the IIS Server.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-026");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-044");
     script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for IIS 4.0 and 5.0.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'MS01-026 Microsoft IIS/PWS CGI Filename Double Decode Command Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
     script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2001/05/15");
     script_set_attribute(attribute:"patch_publication_date", value:"2001/05/15");
     script_set_attribute(attribute:"plugin_publication_date", value:"2001/05/15");
    
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:iis");
     script_end_attributes();
    
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2001-2020 Matt Moore / H D Moore");
     script_family(english:"Web Servers");
     script_dependencie("find_service1.nasl", "http_version.nasl", "www_fingerprinting_hmap.nasl");
     script_require_ports("Services/www", 80);
     exit(0);
    }
    
    include("global_settings.inc");
    include("http_func.inc");
    include("http_keepalive.inc");
    
    
    port = get_http_port(default:80, embedded:TRUE);
    
    banner = get_http_banner(port:port);
    if ( "IIS" >!< banner ) exit(0);
    
    if ( banner =~ "Microsoft-IIS/[6-9]" ) exit(0);
    
    if(!get_port_state(port))exit(0);
    
    
    dir[0] = "/scripts/";
    dir[1] = "/msadc/";
    dir[2] = "/iisadmpwd/";
    dir[3] = "/_vti_bin/";		# FP
    dir[4] = "/_mem_bin/";		# FP
    dir[5] = "/exchange/";		# OWA
    dir[6] = "/pbserver/";		# Win2K
    dir[7] = "/rpc/";		# Win2K
    dir[8] = "/cgi-bin/";
    dir[9] = "/";
    
    uni[0] = "%255c";  	dots[0] = "..";
    uni[1] = "%%35c";	dots[1] = "..";
    uni[2] = "%%35%63";	dots[2] = "..";
    uni[3] = "%25%35%63";   dots[3] = "..";
    uni[4] = "%252e";	dots[4] = "/.";
    
    
    
    
    function check(req)
    {
     local_var	r, pat, pat2;
     r = http_keepalive_send_recv(port:port, data:http_get(item:req, port:port));
     if(r == NULL)
     {
      exit(0);
     }
    
     pat = "<DIR>";
     pat2 = "Directory of C";
    
     if((pat >< r) || (pat2 >< r)){
       	security_hole(port:port, extra:
    strcat('\n Requesting\n ', build_url(port: port, qs: req), '\n produces :\n\n', r));
    	return(1);
     	}
     return(0);
    }
    
    
    cmd = "/winnt/system32/cmd.exe?/c+dir+c:\\+/OG";
    for(d=0;dir[d];d=d+1)
    {
    	for(i=0;uni[i];i=i+1)
    	{
    		url = string(dir[d], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], cmd);
    		if(check(req:url))exit(0);
    	}
    }
    
    
    # Slight variation- do the same, but don't put dots[i] in front
    # of cmd (reported on vuln-dev)
    
    for(d=0;dir[d];d=d+1)
    {
    	for(i=0;uni[i];i=i+1)
    	{
    		url = string(dir[d], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], cmd);
    		if(check(req:url))exit(0);
    	}
    }
    
    
    

Oval

  • accepted2007-08-02T14:47:16.301-04:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    descriptionIIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability.
    familywindows
    idoval:org.mitre.oval:def:909
    statusaccepted
    submitted2004-05-04T12:00:00.000-04:00
    titleWindows NT IIS System File Listing Privilege Elevation Vulnerability
    version28
  • accepted2005-02-16T12:00:00.000-04:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameChristine Walzer
      organizationThe MITRE Corporation
    descriptionIIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability.
    familywindows
    idoval:org.mitre.oval:def:912
    statusaccepted
    submitted2004-05-04T12:00:00.000-04:00
    titleWindows 2000 IIS System File Listing Privilege Elevation Vulnerability
    version66