MS01-026 / MS01-044: Microsoft IIS Remote Command Execution (uncredentialed check)

This script is Copyright (C) 2001-2014 Matt Moore / H D Moore


Synopsis :

Arbitrary commands can be executed on the remote web server.

Description :

When IIS receives a user request to run a script, it renders the
request in a decoded canonical form, and then performs security checks
on the decoded request. A vulnerability results because a second,
superfluous decoding pass is performed after the initial security checks
are completed. Thus, a specially crafted request could allow an
attacker to execute arbitrary commands on the IIS Server.
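
The ordering flaw described above, as an added Python example (not code from the plugin or from IIS): a security check that runs after one decoding pass is bypassed when a second pass follows it, while a handler that decodes once and refuses still-encoded input is not. The is_forbidden check, the handler names, the sample paths and the log layout are constructed assumptions.

```python
from urllib.parse import unquote

def is_forbidden(path):
    # Stand-in security check (assumption): reject parent-directory segments.
    return ".." in path.replace("\\", "/").split("/")

def flawed_handler(raw):
    # Decode, check, then decode again: the second pass runs after the check.
    once = unquote(raw)
    if is_forbidden(once):
        return ("rejected", once)
    return ("served", unquote(once))

def hardened_handler(raw):
    # Decode exactly once; refuse input that a further pass would still change.
    once = unquote(raw)
    if unquote(once) != once or is_forbidden(once):
        return ("rejected", once)
    return ("served", once)

def decode_passes(path, limit=5):
    # Count how many decoding passes change the path (capped at limit).
    passes = 0
    while passes < limit and unquote(path) != path:
        path, passes = unquote(path), passes + 1
    return passes

def flag_log_lines(lines):
    # Detection: return request URIs that need more than one decoding pass.
    # Assumed layout: date time client-ip method uri status.
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 5 and decode_passes(fields[4]) > 1:
            hits.append(fields[4])
    return hits

# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    "2001-05-15 10:00:01 192.0.2.10 GET /docs/annual%20report.asp 200",
    "2001-05-15 10:00:02 192.0.2.11 GET /scripts/%2e%2e/x.asp 403",
    "2001-05-15 10:00:03 192.0.2.12 GET /scripts/%252e%252e/x.asp 200",
]

if __name__ == "__main__":
    for uri in (line.split()[4] for line in SAMPLE_LOG):
        print(uri, flawed_handler(uri), hardened_handler(uri))
    print("flagged:", flag_log_lines(SAMPLE_LOG))
```

The hardened handler also rejects the rare legitimate name that contains a literal percent-escape after one decode; that trade-off is a policy choice of this example.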

See also :

http://technet.microsoft.com/en-us/security/bulletin/ms01-026
http://technet.microsoft.com/en-us/security/bulletin/ms01-044

Solution :

Microsoft has released a set of patches for IIS 4.0 and 5.0.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.5
(CVSS2#E:H/RL:OF/RC:C)
Public Exploit Available : true

Family: Web Servers

Nessus Plugin ID: 10671 (iis_decode_bug.nasl)

Bugtraq ID: 2708, 3193

CVE ID: CVE-2001-0333, CVE-2001-0507