The Register®

Original URL: http://www.theregister.co.uk/2001/05/16/yet_another_iis_exploit_reported/

Yet another IIS exploit reported

Pretty nasty, too

By Thomas C Greene in Washington DC

Posted in Software, 16th May 2001 06:33 GMT


It's been a rough two weeks for IIS security. On 1 May it was our solemn duty to report the IIS .printer ISAPI vulnerability (http://www.theregister.co.uk/content/4/18664.html); on 8 May we reported the sadmind/IIS worm (http://www.theregister.co.uk/content/8/18811.html); and today we have to inform you of a brand new stuff-up affecting IIS 4.0 and 5.0, handily exploited with a simple Unicode (http://www.unicode.org) trick.

An easily malformed file name can be used to load an executable CGI program through a double-decoding glitch (http://www.microsoft.com/technet/security/bulletin/MS01-026.asp) in IIS.

When an obfuscated file name passes the first decoding -- which, among other things, searches for .com and .exe extensions -- a second, superfluous decoding restores the name and grants access to the executable file, handily enabling an attacker to carry out a directory traversal and run arbitrary code outside the Web directory.
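The decode-check-decode ordering described above, next to a handler that decodes to a fixed point before checking. This is an added Python illustration, not code from Microsoft, nsfocus or the original article; the function names, the four-round limit and the sample paths are all constructed assumptions.

```python
from urllib.parse import unquote

# Extensions the article says the first decoding pass looks for.
BLOCKED_EXT = (".exe", ".com")

def is_unsafe(path):
    """Policy check: a dot-dot path segment or a blocked extension."""
    segments = path.replace("\\", "/").split("/")
    return ".." in segments or path.lower().endswith(BLOCKED_EXT)

def flawed_handler(raw):
    """Decode, check, then decode again: the ordering the article describes."""
    first = unquote(raw)
    if is_unsafe(first):
        return None                  # rejected by the check
    return unquote(first)            # superfluous second decode, never re-checked

def hardened_handler(raw, max_rounds=4):
    """Decode until nothing changes, refuse layered encoding, then check once."""
    path = raw
    for rounds in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break                    # 'rounds' now equals the number of layers
        path = decoded
    else:
        return None                  # still changing after max_rounds: refuse
    if rounds > 1 or is_unsafe(path):
        return None
    return path

if __name__ == "__main__":
    # Constructed sample request paths (not taken from any real log).
    samples = [
        "/docs/index.html",
        "/docs/my%20file.html",
        "/docs/%2e%2e/private/notes.txt",      # encoded once
        "/docs/%252e%252e/private/notes.txt",  # encoded twice
        "/tools/report.ex%2565",               # extension encoded twice
    ]
    for s in samples:
        print(f"{s!r:42} flawed={flawed_handler(s)!r} "
              f"hardened={hardened_handler(s)!r}")
```

The flawed handler rejects the singly encoded path but hands back the doubly encoded one with its dot-dot segment restored; the hardened handler refuses both because the check only ever sees the final form.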

The vulnerability enables the execution of arbitrary code, denial of service attacks, and data disclosure -- which is a total drag if you have a file full of credit card details somewhere on your server.

The hole was originally discovered by nsfocus (http://www.nsfocus.com/english.php) on 27 March. After several delays requested by Microsoft, the announcement was finally made on 15 May.

It's similar to the hole exploited by the sadmind/IIS worm (http://www.theregister.co.uk/content/8/18811.html), but potentially more malicious. Lord knows it won't be long before we see this one similarly automated.

Best get those patches in place straight away. ®

Related Links

IIS 4.0 patch (http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787)
IIS 5.0 patch (http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764)