A number of recent worms‚including the Red Worm, Red Worm II, and Nimda worm‚have exploited Unicode vulnerabilities in the IIS server in order to achieve phenomenal growth. This article will describe and examine these vulnerabilities.
There are two major vulnerabilities: the IIS/PWS Exetended Unicode Directory Traversal Vulnerability and the IIS/PWS Escaped Character Decoding Command Execution Vulnerability.
IIS/PWS Exetended Unicode Directory Traversal Vulnerability
The IIS/PWS Extended Unicode Directory Traversal vulnerability relies on the fact that Windows machines utilize an underlying code, called Unicode, in order to encode characters. A single Unicode character is encoded using two octets. In Internet Information Server (IIS) an ASCII character can be represented by a Unicode character by using the following representation:
Normally, IIS checks URL strings to ensure that certain constructs do not occur. For example, the following string will be caught by the parser:
Representation Value (ASCII) %c0%af ‚/‚ %c1%9c ‚\‚
Obviously, the requester is attempting to access some parent of the ‚/scripts‚ directory, and IIS catches this and returns an HTTP 404 - File not found response. However, when the exact same request is made in the following form:
The response is:
Directory of c:\inetpub\scripts
10/01/2001 03:46p <DIR> . 10/01/2001 03:46p <DIR> .. 0 File(s) 0 bytes 2 Dir(s) 2,527,547,392 bytes freeThis vulnerability was originally described by an anonymous poster to the PacketStorm Windows mailinglist (on 10-OCT-2000, see http://188.8.131.52/cgi-bin/cbmc/forums.cgi?datopic=Windows&mesgcheck=defined&gum=474) and elaborated further by Rain Forest Puppy on Bugtraq (on 17-OCT-2000,