MS01-026 / MS01-044: Microsoft IIS Remote Command Execution (uncredentialed check)

high Nessus Plugin ID 10671

Synopsis

Arbitrary commands can be executed on the remote web server.

Description

When IIS receives a user request to run a script, it renders the request in a decoded canonical form and then performs security checks on the decoded request. A vulnerability results because a second, superfluous decoding pass is performed after the initial security checks are completed, so the path that is finally used can differ from the path that was checked. Thus, a specially crafted request could allow an attacker to execute arbitrary commands on the IIS server.
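The ordering flaw described above (check after the first decode, then decode again), as an added example that is not code from the plugin or from IIS: a simplified Python model next to a hardened check that refuses any path a further decoding pass would change. ROOT, the function names and the sample paths are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

ROOT = "/scripts"  # hypothetical directory that scripts are allowed to run from

def inside_root(path):
    # Normalise separators and dot segments, then confirm the path stays under ROOT.
    norm = posixpath.normpath(path.replace("\\", "/"))
    return norm == ROOT or norm.startswith(ROOT + "/")

def flawed_check(raw_path):
    """Model of the flawed order: decode, check, decode again, use."""
    once = unquote(raw_path)
    allowed = inside_root(once)   # the security check only sees the first decode
    used = unquote(once)          # superfluous second pass alters the path afterwards
    return allowed, used

def hardened_check(raw_path):
    """Decode once, reject anything still encoded, check the string that is used."""
    once = unquote(raw_path)
    if unquote(once) != once:
        # Another pass would change the path, so checked != used is possible.
        # This also rejects rare legitimate names holding a literal "%xx" sequence.
        return False, once
    return inside_root(once), once

def bypasses(paths):
    """Paths the flawed order accepts although the path finally used leaves ROOT."""
    hits = []
    for p in paths:
        allowed, used = flawed_check(p)
        if allowed and not inside_root(used):
            hits.append(p)
    return hits

# Constructed sample request paths (not taken from the advisory).
SAMPLES = [
    "/scripts/report.asp",                # plain request
    "/scripts/%2e%2e/private/x.txt",      # singly encoded dot segments
    "/scripts/%252e%252e/private/x.txt",  # doubly encoded dot segments
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "flawed:", flawed_check(p), "hardened:", hardened_check(p))
    print("accepted by flawed order but escaping ROOT:", bypasses(SAMPLES))
```

The same stability test (does a second decode change the string?) can be run over web server access logs to flag requests worth reviewing on hosts that have not yet received the patches.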

Solution

Microsoft has released a set of patches for IIS 4.0 and 5.0.

See Also

https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-026

https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-044

Plugin Details

Severity: High

ID: 10671

File Name: iis_decode_bug.nasl

Version: 1.63

Type: remote

Family: Web Servers

Published: 5/15/2001

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:microsoft:iis

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/15/2001

Vulnerability Publication Date: 5/15/2001

Exploitable With

CANVAS (CANVAS)

Metasploit (MS01-026 Microsoft IIS/PWS CGI Filename Double Decode Command Execution)

Reference Information

CVE: CVE-2001-0333, CVE-2001-0507

BID: 2708, 3193

MSFT: MS01-026, MS01-044

MSKB: 288855, 293826, 294370, 294774, 295534, 297860, 298340, 301625, 304867, 305359