Rapid7 Vulnerability & Exploit Database

Microsoft IIS Executable File Parsing Vulnerability

Back to Search

Microsoft IIS Executable File Parsing Vulnerability

Severity
8
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
12/19/2000
Created
07/25/2018
Added
11/01/2004
Modified
12/04/2013

Description

When Microsoft IIS receives a valid request for an executable file, the filename is then passed onto the underlying operating system which executes the file.

In the event that IIS receives a specially formed request for an executable file followed by operating system commands, IIS will proceed to process the entire string rather than rejecting it. Thus, a malicious user may perform system commands through cmd.exe under the context of the IUSR_machinename account which could possibly lead to privilege escalation, deletion, addition, and modification of files, or full compromise of the server.

In order to establish successful exploitation, the file requested must be an existing .bat or .cmd file residing in a folder that the user possesses executable permissions to.

Solution(s)

  • install-microsoft-patch-cd18042682677964248b02eb6eebfcde
  • install-microsoft-patch-80e061d942843849bc00f8a826095081

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;