A vulnerability exists in Microsoft IIS which could enable a remote user to
execute arbitrary commands. It is due to the way IIS handles requests for CGI
programs. By default IIS processes a CGI request in two separate passes. The first
pass decodes the filename to determine the file type (i.e. .exe, .com, etc.) and
the legitimacy of the file; IIS then carries out a security check on that decoded
filename. The second pass decodes the CGI parameters, which determines whether the
file will be processed or not. This second pass includes an undocumented extra
step: not only does IIS decode the supplied CGI parameters, but it also decodes
the CGI filename a second time, after the security check has already approved it.
Therefore, if a filename composed of escaped characters passes the security check,
the second pass will unescape the escaped characters still contained in the
filename, revealing the intended
Depending on what the escaped characters represent, varying actions may be performed.
For example, '..%255c' decodes to '..%5c' on the first pass, which the security check
does not treat as a path separator, and then to '..\' on the second pass, so a
filename built from such sequences could be used for directory traversal. The method
by which this vulnerability is exploited could allow the execution of arbitrary
commands. It should be noted that these requests are fulfilled in the context of the
IUSR_machinename account. An attacker exploiting this vulnerability may be able to
gain access to the host with these privileges. It may be possible for them to gain
further privileges and completely compromise the system from this point.
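The following is an added illustration of the decode-check-decode ordering described above; it is not code from the advisory or from IIS. It models a request handler that decodes the path once, runs a traversal check, and then decodes the path a second time, beside a hardened handler that rejects any request whose path still contains escape sequences after one decode. The request paths and the `traverses` check are constructed for the example; they are not the actual IIS checks.

```python
import re
from urllib.parse import unquote


def decode_once(s: str) -> str:
    """One pass of %XX unescaping, e.g. '%255c' -> '%5c', '%5c' -> '\\'."""
    return unquote(s)


def traverses(path: str) -> bool:
    """Return True if a '..' component would climb above the web root.

    Constructed stand-in for a server-side path check: both '/' and '\\'
    are treated as separators, as on Windows.
    """
    depth = 0
    for part in re.split(r"[\\/]", path):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part and part != ".":
            depth += 1
    return False


def vulnerable_resolve(request_path: str):
    """Models the flawed ordering: decode, security check, then decode again.

    Returns the path that would actually be used for the file lookup, or
    None if the security check rejected the request.
    """
    first = decode_once(request_path)      # pass one: decode the filename
    if traverses(first):                   # security check on the decoded name
        return None
    second = decode_once(first)            # undocumented second decode after the check
    return second


def hardened_resolve(request_path: str):
    """Decode once, then refuse anything that a second decode would change.

    This guarantees the string that is checked is the string that is used:
    if decoding is not idempotent, the request is rejected outright.
    """
    first = decode_once(request_path)
    if decode_once(first) != first:        # escape sequences survived one decode
        return None
    if traverses(first):
        return None
    return first


if __name__ == "__main__":
    # Constructed sample requests mirroring the '..%255c' case in the text.
    double_encoded = "/scripts/..%255c..%255cwinnt/system32/cmd.exe"
    single_encoded = "/scripts/..%5c..%5cwinnt/system32/cmd.exe"
    for p in (double_encoded, single_encoded, "/scripts/test.exe"):
        print(f"{p!r:52} vulnerable -> {vulnerable_resolve(p)!r}")
        print(f"{'':52} hardened   -> {hardened_resolve(p)!r}")
```

In the vulnerable handler the double-encoded request survives the check because `..%5c` contains no separator, and only the second decode turns it into `..\..\`; the single-encoded form is caught because the check sees `..\` directly. The hardened handler rejects the double-encoded request before any path logic runs. It is deliberately strict: a legitimate filename whose single-decoded form still looks like a valid `%XX` sequence is also refused, which is the safe side of the trade-off.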
It has been reported that various encoding combinations under Windows 2000
Server and Professional may yield different outcomes. It has also been reported
that Personal Web Server 1.0 and 3.0 are vulnerable to this issue.