ANOTHER pathetic IIS 3.0 vulnerability

Summary
Description: Microsoft CANNOT seem to handle dots at all in their programs. After fixing the name.asp. bug, the great guys at the l0pht found that their "fix" introduced another '.' bug, this time using the hex representation.
Author: Weld Pond <weld@l0pht.com>
Compromise: Remotely obtain .asp, .ht, .id, .PL files etc.
Vulnerable Systems: Those running vulnerable M$ IIS 3.0 web server
Date: 21 March 1997
Details

Exploit:
Date: Fri, 21 Mar 1997 16:19:44 -0500
From: Who cares what the hell goes into a Gecos field anyway!
Reply-To: Windows NT BugTraq Mailing List ,
    Who cares what the hell goes into a Gecos field anyway!
To: best-of-security@suburbia.net
Subject: BoS:       updated advisory (fwd)
Resent-Date: Sat, 22 Mar 1997 15:31:05 +1100 (EST)
Resent-From: best-of-security@suburbia.net

                       L0pht Security Advisory

                           (version 1.1)

                    Advisory released Mar 19 1997

                  Application: Microsoft IIS 3.0

             Vulnerability Scope: IIS 3.0 w/latest hot-fixes
                                  dated Feb 27 14:22:00

          Severity: Users can read the server side script
                    in .asp, .ht., .id, .PL files

                      Author: weld@l0pht.com

Overview:

Microsoft's IIS 3.0 supports server side scripting using "Active Server
Pages" or .asp files.  These files are meant to execute and not be
visible to the user.  These scripts may contain sensitive information
such as SQL Server passwords.

Microsoft posted a patch on 2/27/97 to fix a problem that allowed web
users to display these files instead of executing them.  Their patch
opened up a new hole that allows users to still display these files.

In effect the patch doesn't work. If you installed the patch you
are still vulnerable.

Description:

A problem was discovered in IIS 3.0 that allowed users to read the
contents of .asp files by appending a '.' or a series of '.'s to the
end of a URL:

          http://www.mycompany.com/default.asp
becomes
          http://www.mycompany.com/default.asp.

Microsoft acknowledged the problem and released a hot-fix patch to IIS 3.0.
This is available from

    http://www.microsoft.com/iis/iisnews/hotnews/security.htm

This hot-fix solved the trailing '.' problem but opened up a new hole which
allows the same results - viewing the .asp file instead of executing it.

This is accomplished by replacing the '.' in the filename part of a URL
with a '%2e', the hex value for '.':

          http://www.mycompany.com/default.asp
becomes
          http://www.mycompany.com/default%2easp

Your browser will prompt you to save the file to disk where you can then
view the contents of the .asp file.

Web sites that have not installed the Microsoft IIS 3.0 hot-fix are not
affected by this problem although the trailing '.' method still works to
display the contents of the .asp file.

Microsoft has been notified of this problem.

---
Check out http://www.l0pht.com/advisories.html for other l0pht advisories
---
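The advisory's point is that the server decided "execute vs. serve as a file" on the request path as received, while the file system opened a different, canonical name (trailing dots dropped, %2e decoded). The following is an added Python example, not code from the advisory or from IIS: it contrasts a check on the raw path with one on the canonical file name, and runs a small detector over constructed log lines that flags requests where the two views disagree. The extension list, the function names and the log format are assumptions made for the example.

```python
"""Added example (not from the L0pht advisory or from Microsoft): why an
extension check must run on the canonical file name, plus a log check that
flags requests where the raw and canonical views disagree."""
from urllib.parse import unquote

# Server-side script extensions named in the advisory.
SCRIPT_EXTENSIONS = {".asp", ".ht", ".id", ".pl"}


def last_segment(path: str) -> str:
    """File-name part of a URL path (no query string handling needed here)."""
    return path.rsplit("/", 1)[-1]


def extension_of(name: str) -> str:
    """Lower-cased text from the last '.' onward, or '' if there is no dot."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def canonical_name(path: str) -> str:
    """Canonical file name: percent-decode, then drop trailing dots and
    spaces, which the Win32 file system ignores when opening a file.  This is
    the name the server actually opens, so it is the name to classify."""
    name = unquote(last_segment(path))
    return name.rstrip(". ")


def is_script_raw(path: str) -> bool:
    """Weak check: classifies the path exactly as received (the behaviour
    the advisory describes)."""
    return extension_of(last_segment(path)) in SCRIPT_EXTENSIONS


def is_script_canonical(path: str) -> bool:
    """Hardened check: classifies the canonical file name."""
    return extension_of(canonical_name(path)) in SCRIPT_EXTENSIONS


def flag_requests(log_lines):
    """Return (path, reason) for requests that the raw check would have
    served as a plain file but that name a script once canonicalised.
    The log format is a constructed, minimal common-log style: the request
    path is the second token inside the quoted request."""
    flagged = []
    for line in log_lines:
        try:
            path = line.split('"')[1].split()[1]
        except IndexError:
            continue  # malformed line, skip it
        if is_script_canonical(path) and not is_script_raw(path):
            flagged.append((path, "script file requested under a non-canonical name"))
    return flagged


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Mar/1997:16:19:44 -0500] "GET /default.asp HTTP/1.0" 200 512',
    '10.0.0.5 - - [21/Mar/1997:16:19:50 -0500] "GET /default.asp. HTTP/1.0" 200 2048',
    '10.0.0.5 - - [21/Mar/1997:16:19:55 -0500] "GET /default%2easp HTTP/1.0" 200 2048',
    '10.0.0.5 - - [21/Mar/1997:16:20:01 -0500] "GET /images/logo.gif HTTP/1.0" 200 4096',
]

if __name__ == "__main__":
    for path, reason in flag_requests(SAMPLE_LOG):
        print(f"{path}: {reason}")
```

The design point is that the check and the file open must agree on one name: `canonical_name` performs the same decoding and trailing-dot stripping the file system will, so the two requests in the sample that the raw check treats as "not a script" are classified as `.asp` and flagged. Classifying on the raw path is exactly the kind of check that a second encoding of the same character defeats.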

This page is part of Fyodor's exploit world.