A Computer Emergency Response Team (CERT) advisory issued today said a
serious vulnerability in Microsoft IIS may allow remote intruders to execute
commands on an IIS Web server.
The advisory, titled CA-2001-12 Superfluous Decoding Vulnerability in IIS,
warned that a vulnerability closely resembling a previous vulnerability in
IIS has again reared its ugly head.
The problem, said Shawn Hernan, an Internet security analyst for the CERT
Coordination Center, a computer security organization based at Pittsburgh’s
Carnegie Mellon University, was discovered by NSFocus, a Chinese
consultancy, during a routine software check.
Successful exploitation of the vulnerability would let an intruder execute commands on the Web server, replace pages, attempt to gain other privileges and monitor transactions.
Hernan said a hacker would not be able to gain direct administrative control of a machine.
“There’s a safe inside a house and this lets you get into the house,” he said.
The “house” can be entered because IIS decodes some of its input twice, and the second decoding is
superfluous. The security checks are applied to the result of the first decoding, but IIS then uses the result of the second decoding to locate the file, so a request that passes the checks can still resolve to a file it should never reach.
“If the results of the first decoding pass the security checks and the results of the second decoding refer to a valid file, access will be granted to the file even if it should not be,” the
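As an added illustration (not code from the advisory, from NSFocus or from Microsoft), the following Python models the decode, check, decode-again sequence the advisory describes: a request path is percent-decoded once, the path check is applied to that result, and a superfluous second decoding then produces the path that is actually opened. The document root, the request strings and the check itself are constructed for this example; the corrected variant applies the check to the same decoded string it uses for the lookup.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root for this illustration (constructed, not from the page).
WEBROOT = "/var/www/htdocs"


def map_to_filesystem(decoded_path: str) -> str:
    """Join an already-decoded request path onto WEBROOT and normalise it."""
    return posixpath.normpath(posixpath.join(WEBROOT, decoded_path.lstrip("/")))


def passes_security_check(decoded_path: str) -> bool:
    """The server's check: the request must stay inside WEBROOT after normalisation."""
    target = map_to_filesystem(decoded_path)
    return target == WEBROOT or target.startswith(WEBROOT + "/")


def resolve_request(request_path: str, decode_twice: bool):
    """Model the two behaviours the advisory contrasts.

    decode_twice=True  : vulnerable pattern. The check runs on the first decoding,
                         but the file actually opened comes from a second decoding.
    decode_twice=False : corrected pattern. Decode once and use that same string
                         for both the check and the file lookup.
    Returns the filesystem path that would be opened, or None if the check blocks it.
    """
    once = unquote(request_path)
    if not passes_security_check(once):
        return None
    effective = unquote(once) if decode_twice else once   # superfluous second decode
    return map_to_filesystem(effective)


def escapes_root(fs_path) -> bool:
    """True when a resolved path lies outside WEBROOT (the outcome the check exists to prevent)."""
    return fs_path is not None and not (fs_path == WEBROOT or fs_path.startswith(WEBROOT + "/"))


if __name__ == "__main__":
    # Constructed requests: a benign one, a plainly encoded traversal, and a
    # double-encoded traversal (%25 decodes to '%', so %252e decodes to %2e and then to '.').
    for req in ("/index.html",
                "/scripts/%2e%2e/%2e%2e/etc/passwd",
                "/scripts/%252e%252e/%252e%252e/etc/passwd"):
        for twice in (True, False):
            result = resolve_request(req, decode_twice=twice)
            flag = "  ESCAPES ROOT" if escapes_root(result) else ""
            print(f"{'double' if twice else 'single'} decode {req!r} -> {result!r}{flag}")
```

The plainly encoded traversal is blocked either way, because the first decoding already exposes the `..` components to the check. The double-encoded request passes the check (after one decoding it still contains `%2e%2e`, which is just an odd directory name under the root) and is only turned into `..` by the second decoding, which the check never sees. The same mismatch arises in any server that canonicalises a path more times than it validates it, so the general fix is to validate exactly the string that will be used.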
To reduce exposure to the problem, the advisory recommends that users configure
Web servers according to these guidelines:
Microsoft has also provided a patch to fix the problem.
Hernan noted that the rather “large” patch would include roll-ups of other patches that were applied to past Microsoft software vulnerabilities, including a catch-up patch for IIS.