By Chris Prosise and Saumil Udayan Shah

If a tree falls in the forest and no one hears it, does it make a sound? Giving that old phrase a new twist, if one of the most popular Web servers in use today has a major security vulnerability that can bring down servers, will we hear about it? While the answer should be a resounding yes, we are amazed at how many system administrators have turned a deaf ear. One particularly troublesome bug in Microsoft’s IIS server has plagued many in the Internet community for the past eight months. This bug (and its variants) lets remote attackers gain the equivalent of interactive access to the Web server.

In fairness to Microsoft, all vendors of popular software experience bugs. Microsoft has addressed this particular problem and provided patches as well as security guidelines for IIS. However, many sites still have this weakness. We have encountered this vulnerability during virtually all of our network assessments. Furthermore, due to the complexity of the bug, some commercial and free security scanners do not adequately test for its existence. Our goal today is to demonstrate firsthand the danger of the Unicode and superfluous decode bugs in IIS servers and to provide system administrators with the necessary resources to patch these problems.

The Unicode bug
Our look at this problem begins with its scope. According to, IIS 4.0 and IIS 5.0 on Windows NT 4.0 up through SP6A and Windows 2000 through SP2 are all vulnerable. That’s about as universal as a security problem gets.

One of the reasons that the vulnerability may not have been well publicized or tested is that it’s so complex. Successful exploitation of the vulnerability depends on a variety of factors. A number of configuration elements influence how the exploit must be executed. Attackers with a thorough understanding of the vulnerability can easily exploit the different cases, while average system administrators will likely believe that their sites are secure after a generic attempt fails. In the following example, we show a successful exploit that illustrates a bit of the complexity. For our illustration, we use IIS on Windows NT 4.0 SP4, but many other IIS and Windows versions would also be suitable.

The Unicode and superfluous decode vulnerabilities are directory traversal vulnerabilities. They allow an attacker to access files outside of the Web root directory. Our first goal is to discover the Web root directory. We can do this by forcing the Web server to give us error messages that disclose the location of this directory. To do this, we’ll take advantage of a well-known idq bug by requesting the nonexistent file bogus.idq, as shown in Figure A.

Figure A: Notice that the Web root directory is displayed as E:Inetpubwwwrootbogus.idq.

Now we know the Web root and we’ve verified that the idq bug exists. We’ll use it again in a moment. Our next step is to find a directory that is on the same drive as winntsystem32 so that we can access cmd.exe. Generally this is the C: drive, but it can vary widely. We need this directory, because we will use the Unicode bug to traverse to the location of cmd.exe and execute commands. How do we find a directory? On default installations of IIS, many such directories may exist (Figure B).

Figure B: Note the names of the directories–some you will recognize; others are not as familiar.

The bug’s habitat
We’ll attempt to locate the scripts directory (a commonly exploited directory). Of course, any directory shown in Figure 2 might work, as well as a few others. Figure C shows what happens when we look for the scripts directory.

Figure C: The 403 error indicates the directory exists but we do not have permission to view it.

Perfect! All an attacker wants is to verify that the directory is there. Next, we find the directory’s location on the operating system using the idq bug, as shown in Figure D.

Figure D: The scripts’ contents are two levels deep, below both the Inetpub and scripts directories. We will use this information for the actual exploitation of the Unicode attack.

The Unicode attack relies on substituting Unicode characters for the / symbol that normally indicates directories. In this way, a malicious user can circumvent the Web root restrictions to access resources outside of the Web root. Remember when we said the attack was complex? Part of the complexity comes from using a large number of Unicode substitutions for the /. No single one will work on every install or version of IIS and Windows. Picking the correct string means testing a wide variety of possibilities. The vulnerability database lists the various possibilities in its description of the Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability:

The superfluous decode bug
The superfluous decode bug adds a few variations on the Unicode theme. In our example, replacing / with %c1%9c will work. We use this substitution to call cmd.exe with options appropriate for listing out the contents of the current directory. We use the string in our browser. Figure E demonstrates what happens when we combine what we’ve learned so far.

Figure E: We now have the ability to execute commands on the remote Web server using only a browser. The implications of this are staggering. With the ability to execute commands, an attacker can perform file transfers, execute commands, or gain interactive access through other channels.

We’ve performed all of these actions during network assessments, and we’ve seen firsthand the evidence left behind after hackers have done these things. Compounding the problem, these attacks can also take place over an encrypted channel.

We hope that you appreciate the extent of this vulnerability. It has been our experience that this problem is often overlooked or inadequately addressed. However, the level of access provided and the widespread nature of the affected software are reasons enough for system administrators to take immediate corrective actions. The solutions to the problem are straightforward and well documented in the security resources section at Microsoft’s TechNet IIS Security page.

This section of Microsoft’s Web site provides valuable information on the exploit via the security bulletins, as well as comprehensive IIS 4.0 and IIS 5.0 security checklists. If system administrators had installed IIS as recommended in the checklists, these vulnerabilities would in most cases never have affected them. As always, an ounce of prevention is worth a pound of cure–sometimes more!

Chris Prosise is the vice president of professional services at Foundstone, a network security firm specializing in consulting and training. Formerly a U.S. Air Force officer and a Big 5 consultant, Chris is the coauthor of Incident Response: Investigating Computer Crime and is an adjunct professor at Carnegie Mellon University. Chris holds a B.S. in electrical engineering from Duke University and is a Certified Information Systems Security Professional (CISSP).

Saumil Udayan Shah, principal consultant for Foundstone, provides information security consulting services to Foundstone clients. Shah specializes in ethical hacking and security architecture. He holds an M.S. in computer science from Purdue University and is a Certified Information Systems Security Professional (CISSP).