Microsoft IIS relative path usage in system file process table could allow elevated privileges
| iis-relative-path-privilege-elevation (6985) |  High Risk |
Description:
Microsoft Internet Information Server (IIS) could allow an attacker to load files onto the Web server. This occurs because IIS keeps a list of executable files that run as part of the IIS process, which can be specified using both absolute and relative paths. An attacker can load a malicious file with the same name as one of the process list files to any directory on the Web server and execute it to gain system level privileges.
Platforms Affected:
- Microsoft, IIS 5.0
Remedy:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS02-001. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS01-044, but it was superseded by the patch released with MS02-001.
For IIS:
Microsoft originally provided a patch for this vulnerability in MS01-044, but it has been superseded by the patch released with MS02-018 and MS06-062, and then superseded by the patch released with MS03-018. See References.
For Windows NT:
Microsoft originally provided a patch for this vulnerability in MS02-001, but it has been superseded with the patch released with MS02-018. See References.
Consequences:
Gain Privileges
References:
- CIAC Information Bulletin L-132, Microsoft Cumulative Patch for IIS at http://www.ciac.org/ciac/bulletins/l-132.shtml.
- Entercept Security Alert 08-15-01, Privilege Escalation Vulnerability in Microsoft IIS at http://www.entercept.com/news/uspr/08-15-01.asp.
- Microsoft Security Bulletin MS01-044, 15 August 2001 Cumulative Patch for IIS at http://www.microsoft.com/technet/security/bulletin/ms01-044.mspx.
- Microsoft Security Bulletin MS02-001, Trusting Domains Do Not Verify Domain Membership of SIDs in Authorization Data at http://www.microsoft.com/technet/security/bulletin/ms02-001.mspx.
- Microsoft Security Bulletin MS02-018, Cumulative Patch for Internet Information Services (Q319733) at http://www.microsoft.com/technet/security/bulletin/ms02-018.mspx.
- Microsoft Security Bulletin MS02-062, Cumulative Patch for Internet Information Service (Q327696) at http://www.microsoft.com/technet/security/Bulletin/MS02-062.mspx.
- Microsoft Security Bulletin MS03-018, Cumulative Patch for Internet Information Service (811114) at http://www.microsoft.com/technet/security/bulletin/ms03-018.mspx.
- BID-3193: Microsoft IIS 5.0 In-Process Table Privelege Elevation Vulnerability
- CVE-2001-0507: IIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the System file listing privilege elevation vulnerability.
Reported:
Aug 15, 2001
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net