Microsoft IIs '..' hole

Summary
Description:ANOTHER stupid MS '..' bug, this time in their web server.
Author:possibly Thomas Lopatic (lopatic@dbs.informatik.uni-muenchen.de)
Compromise:Gain unauthorized access to files outside the public html directories.
Vulnerable Systems:Systems running a vulnerable IIs http server, mostly Windows NT boxes.
Date:26 July 1996
Details

Exploit:


From:  Thomas Lopatic (lopatic@dbs.informatik.uni-muenchen.de)
Date:  Fri, 26 Jul 1996 20:41:13 +0200 


> > and there is another
> >'..' error in their Internet Information Server. Anyone offering more?
>
> I have yet to see this error in IIS. Where and how does it exist?

Sorry for not disclosing. I thought I had seen that one on bugtraq. Suppose
there is a document 'http://dummy.com/Public/Index.htm' and 'Index.html' is
'C:\inetsrv\wwwroot\Public\Index.htm'. Then try getting
'http://dummy.com/Public/../../../autoexec.bat' which will give you
'C:\autoexec.bat'. It seems, however, that the first directory ('Public')
will be necessary, i. e. 'http://dummy.com/../../autoexec.bat' won't
work.

But now back to the Unix things.
-Thomas

--
Thomas Lopatic                               lopatic@informatik.uni-muenchen.de



More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault