Rapid7 Vulnerability & Exploit Database

MS IIS/PWS Escaped Characters Decoding Command Execution Vulnerability

Back to Search

MS IIS/PWS Escaped Characters Decoding Command Execution Vulnerability



A vulnerability exists in Microsoft IIS which could enable a remote user to execute arbitrary commands. This is due to the handling of CGI filename program requests. By default IIS performs two seperate actions on CGI requests. The first action decodes the filename to determine the filetype (ie. .exe, .com, etc.) and the legitimacy of the file. IIS then carries out a security check. The final process decodes the CGI parameters, which determines whether the file will be processed or not. The final process includes an undocumented third action: not only does IIS identify the supplied CGI parameters, but it also decodes the previously security check approved CGI filename. Therefore, if a filename composed of escaped characters passes the security check, the second process will unescape the escaped characters contained in the filename, revealing the intended actions.

Depending on what the escaped characters represent, varying actions may be performed. For example, '..%255c' represents '..\', so decoding '..%255c' to '..\' could leverage directory traversal attacks. The method by which this vulnerability is exploited could allow the execution of arbitrary commands. It should be noted that these requests are fulfilled in the context of the IUSR_machinename account. An attacker exploiting this vulnerability may be able to gain access to the host with these privileges. It may be possible for them to gain further privileges and completely compromise the system from this point.

It has been reported that various encoding combinations under Windows 2000 Server and Professional may yield different outcomes. It has also been reported that Personal Web Server 1.0 and 3.0 is vulnerable to this issue.


  • http-iis-0048

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center