The Directory Traversal Vulnerability on Microsoft IIS 4 and 5 servers was
a significant vulnerability and a harsh reality check for the industry as a
whole. The primary concern here is not the specific vulnerability outlined
below, but the fact that security and technology administrators proved the
following:
- System and Network Administrators do NOT apply patches to their systems
- Microsoft Developers are NOT developing secure software
- If you give malicious users an inch, they will take a mile
The exploitation of this vulnerability could have been completely avoided if all
system administrators had applied a patch in August of 2000. However, they did
not, and as a result many web servers were attacked using this vulnerability.
Defacements were not the primary problem, though. Malicious script writers,
those who create Trojans and viruses, took this exploit, used primarily for
defacing at the time, and created perhaps the worst worm in Internet history,
NIMDA. This is why I have chosen to write a comprehensive practical on the
entire vulnerability, with some of its history outlined, as well as the steps
to take to protect yourself from it. If all system administrators had taken
these steps back in August 2000, perhaps Code Red, Nimda and other programs,
worms and Trojans would never have been created.
In this practical, you will learn the following:
- What Unicode is
- Microsoft Vulnerability exploited by Unicode
- How the exploit works
- Modern day examples
- How to Identify an attack
- How to protect yourself from it
Table of Contents
- Targeted Port
- Exploit Details
- Description of Variants
- How does it work?
  - What is it
  - CERT Example
  - NET USE Example
- Example of Exploit
- Utilization of Exploit
- IIS Logs
- How do I protect My Systems
  - Windows 2000 (All Versions) and NT 4 (All Versions)
  - Personal Web Server 4 (Windows 98)
- Vulnerability in the News
- References and Citations
This practical was written by picking a top 10 port that appeared on the CID
graph at the time of writing. I chose a graph from September 8th, 2001, as displayed
in Figure 1.
Figure 1: CID Graph
Targeted Port: Port 80
- Port 80 is a reserved port number for HTTP (Hypertext Transfer Protocol).
A Request for Comments (RFC) for this can be found at: http://www.w3.org/Protocols/rfc2616/rfc2616.html
- The most commonly associated service with port 80 is web services.
- Port 80 typically uses the protocol HTTP - The Hypertext Transfer Protocol.
It is an application-level protocol used for distributed, collaborative,
hypermedia information systems. HTTP is a connectionless, stateless protocol
that can be used for a number of different purposes, such as name servers and
distributed object management systems, through extensions of its request
methods, error codes and headers. A prominent feature of HTTP is the typing
and negotiation of data representation, allowing systems to be built
independently of the data being transferred.
HTTP is also used as a generic protocol for communication between client
applications and proxies/gateways to other Internet systems. This includes
those supporting
Because of this, HTTP allows basic hypermedia access to resources available
from other applications.
The above information was gathered from RFC 2616, which can be referenced at:
Exploit Details
Name: Directory Traversal
Affected systems:
- IIS 5
- Microsoft NT 4 Server with IIS
- Microsoft NT 4 Workstation with IIS
- Microsoft NT 4 Server and Workstation SP1 with IIS
- Microsoft NT 4 Server and Workstation SP2 with IIS
- Microsoft NT 4 Server and Workstation SP3 with IIS
- Microsoft NT 4 Server and Workstation SP4 with IIS
- Microsoft NT 4 Server and Workstation SP5 with IIS
- Microsoft NT 4 Server and Workstation SP6 with IIS
- Microsoft NT 4 Server and Workstation SP6a with IIS
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional SP 1
- Microsoft Windows 2000 Professional SP 2
- Microsoft Windows 2000
- Microsoft Windows 2000 SP 1
- Microsoft Windows 2000 SP 2
- Microsoft Server 2000
- Microsoft Server 2000 SP 1
- Microsoft Server 2000 SP 2
- Microsoft Advanced Server 2000
- Microsoft Advanced Server 2000 SP 1
- Microsoft Advanced Server 2000 SP 2
- Microsoft Datacenter Server 2000
- Microsoft Datacenter Server 2000 SP 1
- Microsoft Datacenter Server 2000 SP 2
- Microsoft Windows 98 with Personal Web Server 4
This vulnerability affects all versions of Windows with IIS 5 installed and
running, and Personal Web Server 4 on Windows 98. It has also been reported
that this will work on NT 4. For the purpose of this practical, all my tests
were done against Microsoft Windows 2000 with IIS 5 running. The Directory
Traversal vulnerability focuses on the Web service within IIS.
Brief Description: In November of 2000, NSFOCUS reported that a vulnerability
exists in the way IIS handles a request for an executable file. In addition to
the mishandling of the executable request, an attacker could also follow the
request with commands for the executable.
Description of Variants
The Unicode exploit was discovered in October 2000. Since its initial discovery,
which is covered in the Advanced Incident Handling and Hacker Exploits class
taught by SANS, there have been updates to this vulnerability. In addition to
these updates, attackers have also learned how to better use this exploit to
manipulate systems. This practical will cover the more popular variants to
date. Listed below you will find the Microsoft updates as they were announced:
How does it work?
This exploit works by an attacker constructing a URL that causes IIS to
navigate to any desired folder on the same logical drive and access the files
in it. This is achieved by using the Unicode character representations of
"/" and "\". This allows a user to traverse the server to any directory on the
same logical drive as the web application. In addition, unauthenticated users
can delete, modify or execute files in these directories. This is possible
because, by default, an attacker's request runs under the IUSR_machinename
account. This account is, by default, a member of the Everyone and Users
groups. By using this method, a remote user with no credentials has the same
rights as a user who could successfully log on. Therefore, any file on the
same logical drive as any web-accessible file that is accessible to these
groups can be manipulated.
What is it?
To get a better understanding of the Directory Traversal Vulnerability, let's
take a look at Unicode. Unicode provides a unique number for every character.
Unicode is completely independent and does not rely on the following in any
The Unicode standard has been adopted by such industry leaders as Apple, HP,
IBM, JustSystem, Microsoft, Oracle, SAP, Sun, Sybase, Unisys and many others,
and is implemented in many operating systems and Internet browsers. Unicode
is incorporated into programming languages such as Java, Corba, XML, WML and
Unicode attempts to provide a solution to electronically map every character
of every language to a numeric equivalent. This would create over 65,000
characters that must be broken down into a 16-bit character definition.
For this specific Vulnerability, we will be focusing on the following:
%c0%af = /
%c1%9c = \
The purpose of this practical is to focus on the vulnerability; therefore,
I have decided to supply links to sites and information regarding Unicode
rather than going into detail on Unicode and how it works.
For more specific information on this, Lucent has written a white paper on
it, which can be located at: http://www.lucent.com/livelink/197020_Whitepaper.pdf
A good reference site on Unicode and UTF-8 can be found at: http://www.unicode.org.
Steven Shields wrote a practical for SANS that goes into detail about how
Unicode works. His paper provides details of the method used to transform
common characters into Unicode formatted characters. This paper can be referenced
CERT Example
To take this a step further: IIS restricts access on the server to only those
files located in the web folders. The example below was taken from the CERT
Vulnerability Note VU#111677, which can be referenced at http://www.kb.cert.org/vuls/id/111677.
Therefore, if a user tries to access a file like this, it will fail, because
IIS by default restricts access to files outside the web folders:
In addition, consider an attempt to execute a file that is not in a directory
marked as executable:
This would download the file instead of executing it.
Now let's say an administrator wants an executable to be run by the viewer.
The administrator can do so by marking the directory in which the executable
lies as "executable". Certain folders are already assigned as executable
folders by default in an IIS server; "Scripts" is an example of such a folder.
So if we take the following and try it again with this knowledge:
It would launch. Program.exe would also have to lie in the scripts directory
for this to be true. Now, how would you launch a file that is not in the
Scripts folder, but in a folder without execute privileges? Let's add a twist
to this: let's trick IIS into using the Scripts folder's executable setting on
a different folder that doesn't have that right. This is where you will see
the Directory Traversal vulnerability:
This works because we use Unicode to bypass the IIS checks: the request
references the Scripts folder, which has executable rights, and then directs
those privileges to the winnt/system32/cmd.exe file. In other words, it
launches cmd.exe as if it were in the scripts folder.
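The reason the Unicode form slips past a check that catches a plain "../" is a matter of ordering: the traversal check runs on the request before the UTF-8 decode, and the decode then turns the bytes c0 af into a separator. The following Python is an added example written for this practical's discussion, not code from the practical, CERT or Microsoft. It assumes a single executable virtual directory /scripts mapped to a constructed physical folder, and models IIS as two small functions: one that checks before decoding (the vulnerable order) and one that decodes strictly first and then checks (the fixed order). The request paths in the demonstration are constructed from the encodings quoted on this page.

```python
"""Model of the check-then-decode ordering behind the IIS Unicode directory
traversal, next to the decode-then-check order that closes it.
Added example; the virtual directory mapping is constructed."""
import posixpath
from urllib.parse import unquote_to_bytes

# Constructed: the executable "Scripts" virtual directory and the physical
# folder it maps to (the practical places it under inetpub/scripts).
VDIR_URL = "/scripts"
VDIR_PHYS = "/inetpub/scripts"


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 the way a permissive decoder does: a two-byte sequence
    110xxxxx 10yyyyyy is accepted even when its value fits in one byte (an
    'overlong' form). This is how c0 af becomes '/' and c1 9c becomes '\\'.
    Any other non-ASCII byte is replaced with U+FFFD."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def climbs_above_root(rel: str) -> bool:
    """True if the '..' segments in rel climb above the virtual directory.
    Backslash is treated as a separator, as Windows does."""
    depth = 0
    for seg in rel.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def _relative_part(request_path: str):
    """Strip the query string and the virtual-directory prefix."""
    path = request_path.split("?", 1)[0]
    if not path.startswith(VDIR_URL + "/"):
        return None
    return path[len(VDIR_URL):]


def vulnerable_resolve(request_path: str):
    """Vulnerable order: traversal check first, UTF-8 decode afterwards.
    The check sees '..' followed by the bytes c0 af as one odd segment name
    and lets it through; the later decode turns those bytes into '/'.
    Returns the physical path the file system would be handed, or None."""
    rel = _relative_part(request_path)
    if rel is None:
        return None
    raw = unquote_to_bytes(rel)
    if climbs_above_root(raw.decode("latin-1")):
        return None
    decoded = lenient_utf8_decode(raw)
    return posixpath.normpath(VDIR_PHYS + decoded.replace("\\", "/"))


def fixed_resolve(request_path: str):
    """Fixed order: strict UTF-8 decode first (overlong forms such as c0 af
    are invalid UTF-8 and rejected outright), then run the traversal check
    on the same string the file system will see."""
    rel = _relative_part(request_path)
    if rel is None:
        return None
    try:
        decoded = unquote_to_bytes(rel).decode("utf-8")
    except UnicodeDecodeError:
        return None
    if climbs_above_root(decoded):
        return None
    return posixpath.normpath(VDIR_PHYS + decoded.replace("\\", "/"))


if __name__ == "__main__":
    # Constructed request paths using the encodings quoted in the practical.
    for req in ("/scripts/hello.asp",
                "/scripts/../../winnt/system32/cmd.exe",
                "/scripts/..%c0%af../winnt/system32/cmd.exe",
                "/scripts/..%c1%9c../winnt/system32/cmd.exe"):
        print(f"{req:45} vulnerable={vulnerable_resolve(req)!r:30} fixed={fixed_resolve(req)!r}")
```

Run stand-alone, the plain "../../" request is refused by both orders, while the two Unicode forms resolve to /winnt/system32/cmd.exe under the vulnerable order and to None under the fixed one. The general lesson is the one the practical's walk-through illustrates: canonicalize the path completely, then validate it, and reject input that is not valid UTF-8 instead of quietly mapping it to something else.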
NET USE Example
If NetBIOS is installed on the target machine, and there are no filtering
devices between you and the target (e.g. firewall, router) that deny or drop
NetBIOS connection attempts, this is another possible attack using the
Directory Traversal vulnerability:
As you can see, we use the same technique as described in the example above,
with the addition of c+net+use+\\servername\sharename.
c+net+use is the input we want to pass to the cmd.exe that we launched. In
other words, launch cmd.exe and feed it the command net use. When we use the
command net use, we must specify the name of the server we want to attach to
and the share we want to use. This information can be gathered in multiple
ways, which I will not go into. With this command, we have mounted a share on
the target system. Now files can be copied, uploaded and downloaded by the
attacker. It is important to note that an attacker could upload files or
programs by using the Unicode exploit, since the attacker could upload a
Trojan, some kind of remote control software, or even a key logger that will
capture all your keystrokes and the passwords you use to enter sites like
Yahoo, Hotmail or even online banking.
If we look at a sample, we see the following:
Chinese Language Unicode, %c1%1c and %c0%2f, with which this exploit was first
discovered, is illustrated by the first two listed above. If you try the
Chinese Language Unicode on an English Language IIS server, it will fail. The
last two, %c0%af and %c1%9c, are the English Unicode translations and will
fail to exploit Chinese Language IIS servers.
To get a good grasp of how this works, let us take a closer look. For this
walk-through we will examine:
This is the address of our target machine. It can consist of an IP or domain
name.
Next we see the directory that has executable rights, the Scripts folder. Now
that we have referenced this, we will use the Unicode to take us back to root,
where we will traverse to the actual executable we want to run.
%c1%9c is Unicode for "\". In essence this takes us back to the root, or the
beginning of the drive (e.g. C: or D:).
Here we direct it to the folder where the executable lies. In this case, the
command shell executable, CMD.exe, is located in the winnt/system32 folder.
Finally, we see our request for the system to launch the cmd.exe executable.
The ?c+dir is the command that we want our executable to perform. Here, we
ask CMD.exe to do a directory listing of the scripts directory. Why did it
show us the scripts directory? Because winnt/system32 is the directory where
cmd.exe is located, but we ran it from the inetpub/scripts directory.
Example of Exploit
For further illustration, let's see what this would actually look like. Figure
2 has a screen shot of the results of the command in an Internet Explorer browser.
Figure 2: Sample Output
In Figure 2, we can see how easy it is to view files on a vulnerable system.
Utilization of Exploit
There are many programs out there that exploit this vulnerability. One in
particular that comes with an easy-to-use GUI is eyeIS by parsec. They developed
this tool so that they could check their IIS servers quickly. To use this tool,
you can download it at http://www.parsec.de.tf/.
Once you have downloaded it, install it and launch the executable. I would like
to make a note about the opening banner.
Figure 3: Legal Banner
In Figure 3, the banner very clearly states that the author of eyeIS "may
log your IP address while using eyeIS." This program will send out, over
the Internet, information about you and the system you scan. Therefore, I would
not recommend scanning systems that you do not have permission to scan or
that are critical to you or your organization. Click the "Accept"
button, and you will see the main GUI as shown in Figure 4.
Figure 4: ParSec Gui
The first step is to tell eyeIS the TFTP client you wish to use. Almost all
operating systems have this built in, so click the "TFTP Settings"
button and input the IP address of the machine you are using eyeIS from. Then,
in the space where it says www.yourserver.com, put in a target IP address or
URL that you wish to scan and click the "Connect" button. If it
is vulnerable, you will see a screen like the one shown in Figure 5.
Figure 5: ParSec Sample
eyeIS has added functionality beyond what I have described here. It also has
the ability to view text documents, upload netcat and then obtain a limited
command shell on your target machine, and so on.
Another attack that tries to use this vulnerability is the NIMDA worm. The
NIMDA worm tries several different methods to exploit a system, and one of
them is the IIS/PWS Extended Unicode Directory Traversal Vulnerability. Let's
examine a screen shot of a W3SVC1 log on an IIS 5 server.
Figure 6: IIS Log
The key focus is shown in the last four lines of Figure 6. This is the NIMDA
worm trying to exploit this vulnerability on an IIS web server.
As illustrated above, this exploit can be used in many different ways. Everyone
from system administrators making tools to help you, to people writing worms
and hostile code, has used this vulnerability.
IIS Logs
The best place to look will be your IIS logs. They are located in your
WINNT/SYSTEM32/LogFiles/ directory in Windows 2000. However, before you look in
your logs, you should ensure you are logging the right information so that your
log files provide you with the most useful information. I recommend logging the
following fields:
- Client IP Address
- User Name
- Service name
- Server IP Address
- Server Port
- URI stem
- URI Query
- Protocol Status
After you have ensured that your logging is correct, you can open your logs.
Figure 7 shows an actual portion of an IIS log from a Windows 2000 machine.
In Figure 7, please pay attention to the last four lines.
Figure 7: IIS Log
These four lines show the NIMDA worm trying to exploit the Directory Traversal
vulnerability so that it can infect your machine. In short, if you see any form
of these requests in your logs, someone is trying this vulnerability on your
system.
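Reading through a W3SVC log by eye works for four lines; for a whole day of traffic a small scanner is more reliable. The following Python is an added example and not part of the practical: it parses the W3C extended format that IIS writes (reading the field layout from the #Fields line, so it works with the field set recommended above), percent-decodes each URI stem and flags the byte patterns this page describes. The log excerpt inside it is constructed to resemble Figure 7, not copied from it.

```python
"""Scan W3C extended IIS log records for Unicode directory-traversal attempts.
Added example, not code from the practical; the log excerpt is constructed."""
import re
from urllib.parse import unquote_to_bytes

# Constructed W3C extended log excerpt. The #Fields line carries the fields
# the practical recommends (client IP, user name, service, server IP and
# port, URI stem, URI query, protocol status) plus date, time and method.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-09-18 12:00:01
#Fields: date time c-ip cs-username s-sitename s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 12:00:01 192.0.2.10 - W3SVC1 192.0.2.80 80 GET /default.htm - 200
2001-09-18 12:00:02 192.0.2.10 - W3SVC1 192.0.2.80 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 12:00:03 192.0.2.11 - W3SVC1 192.0.2.80 80 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 12:00:04 192.0.2.12 - W3SVC1 192.0.2.80 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404
2001-09-18 12:00:05 192.0.2.13 - W3SVC1 192.0.2.80 80 GET /images/logo.gif - 200
"""

# A '..' that forms a whole path segment after percent-decoding; the
# surrounding separator may be '/' or '\'.
DOTDOT_SEGMENT = re.compile(rb"(^|[/\\])\.\.([/\\]|$)")


def parse_w3c(text):
    """Turn a W3C extended log into a list of dicts keyed by #Fields names.
    Records whose value count does not match the declared fields are skipped."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue
        records.append(dict(zip(fields, values)))
    return records


def traversal_indicators(uri_stem):
    """Reasons a URI stem looks like a traversal attempt. The tests run on the
    percent-decoded bytes, so an encoded form such as %c0%af is judged by its
    bytes rather than by how a viewer happens to render it."""
    decoded = unquote_to_bytes(uri_stem)
    reasons = []
    # 0xC0 and 0xC1 can never start a valid UTF-8 sequence; they only occur
    # in overlong encodings such as c0 af ('/') and c1 9c ('\').
    if any(b in (0xC0, 0xC1) for b in decoded):
        reasons.append("overlong UTF-8 lead byte in URI")
    if DOTDOT_SEGMENT.search(decoded):
        reasons.append("literal .. path segment")
    if decoded.lower().endswith(b"cmd.exe"):
        reasons.append("request for cmd.exe")
    return reasons


def scan_log(text):
    """Return (client IP, URI stem, status, reasons) for each suspicious record."""
    hits = []
    for rec in parse_w3c(text):
        reasons = traversal_indicators(rec["cs-uri-stem"])
        if reasons:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"], reasons))
    return hits


if __name__ == "__main__":
    for ip, stem, status, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip:12} {status} {stem}  <- {', '.join(reasons)}")
```

Three of the five constructed records are flagged. The two Unicode forms are caught by the lead-byte test rather than by the ".." pattern, which is the same point the binary-log discussion below makes: once the request has been decoded, the evidence is in the bytes, not in the displayed text. The protocol status column is worth keeping in the output: a 404 on one of these lines is an attempt, a 200 means the server served the request.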
Lance Spitzner, along with a group of security experts, runs a project
called "The Honeynet Project." This project is designed to learn from
hackers and crackers. It is a network set up to simulate a regular, real working
environment. The only difference is that it is heavily monitored and logged,
and it is not a real company's network. The project is documented well at their
web site http://project.honeynet.org.
One of the key pieces of this project is a part they call "Scan of the
Month." They give you vital pieces of information, log files, etc., and ask
you to figure out what has happened, how a system was exploited, what exploit
was used and so on. In February 2001, they did a piece on the Unicode Directory
Traversal Attack. The reason I wish to mention it is that there are several
papers written by people on it. They also include screen shots and very
specific definitions of this attack. In addition to this, the Honeynet team
highlighted this attack on their networks in their book entitled "Know Your
Enemy". Let's take a look at Figure 8. Here we see a specific packet in a
binary log format.
Figure 8: Unicode Binary
In this example, we do not see a specific request for the %c0%af Unicode in
the ASCII text portion. This is because it has already been decoded for us. We
must look at the hex to see it. If you examine the first two lines as
illustrated in Figure 9, we see reference to the %c0%af three separate times
(C0 AF, as underlined in Figure 9). Remember, that is because it was already
decoded, and it is a good reason to always examine everything in hex.
Figure 9: Unicode 2
How do I protect My Systems
Windows 2000(All Versions) and NT 4(All Versions)
There are a number of steps you can take to protect your systems from the
IIS/PWS Unicode Directory Traversal Vulnerability. Microsoft's patch will
eliminate the Directory Traversal Vulnerability, and Microsoft makes the
following suggestions in addition to the patch to help secure your server.
The Microsoft Bulletin MS00-078 that addresses this specific vulnerability
can be referenced at:
- Configure IIS so that the web folder is on a different logical drive from
your system drive. For example, put your web data on the D: drive and
everything else on the C: drive.
- Eliminate all unneeded files and folders from your site. For example, remove
the samples folder if you aren't using them.
- Change the permissions of the IUSR_machinename account so that it does not
have write permissions anywhere on your system.
Microsoft has released a Security patch for IIS. This patch contains a collection
of hotfixes for this and other known vulnerabilities. This patch can be referenced
and downloaded from: http://www.microsoft.com/windows2000/downloads/critical/q277873/default.asp
Microsoft has also created a security checklist of steps to follow when
building an IIS server. Some key points include:
- Setting appropriate ACL settings on Virtual Directories - Microsoft provides
suggestions concerning user rights to CGI, Script and other file types
associated with IIS and Web Services.
- Logging setup - Recommendations include using W3C logging and enabling the
following: Client IP, User Name, Method, URI Stem, HTTP Status, Win32 Status,
and User Agent.
- Disable or remove all sample applications located in the IIS samples virtual
directory, the IIS Documentation virtual directory and the Data Access virtual
directory.
- Disable Parent Paths, which allows someone to use ".." in calls to
functions such as MapPath. This option is on by default, and this Microsoft
document will help you disable it.
For more information on this security checklist or to download the checklist,
Microsoft has released an IIS lockdown tool. This is a program they have developed
to help secure your IIS server from many of the recently discovered exploits.
This tool has two modes of installation: an Express Lockdown, which will secure
the server with a single click of a button, and an Advanced Lockdown mode, which
gives you the choice of which services and options you want active on the
server. This tool offers an Undo option, in case you want to activate a service
or option later on or made a mistake during the initial lockdown, and a
comprehensive help system that gives you information on the options it allows
you to manipulate. For further information or to download this tool, please go
to:
SANS is now teaching IIS security in their Advanced Incident Handling and Hacker
Tools course. The new section in the GCIH was developed to cover the security
concerns with the implementation of IIS 5.0 and Windows 2000 SP1. It covers
such topics as:
- Protocol Configuration of specifying DNS servers and the addition of domain
- Configuring services on the server - which ones to leave active and which
ones should be disabled.
- Configuring Terminal Services - settings and rights are just two of the
many topics they cover for this category.
Please note, however, that it was not developed as a step-by-step procedure
for hardening IIS. For further information about the SANS GCIH course, please
Personal Web Server 4 (Windows 98)
This patch was created privately and advertised by Security Focus as a fix to
the Personal Web Server 4 package that many people installed on Windows 98.
This patch includes fixes for the following bulletins:
- MS99-010 (File Access Vulnerability in Personal Web Server) - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS99-010.asp
- MS00-078 (Patch for Web Server Folder Traversal Vulnerability) - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-078.asp
- MS00-086 (Web Server File Request Parsing Vulnerability) - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-086.asp
- MS01-026 (a cumulative patch for IIS containing the above mentioned security
bulletins)
This patch is a combination of the Microsoft File Access Vulnerability patch
for Personal Web Server and Dynamic Link Libraries from the "Superfluous
Decoding Operation Could Allow Command Execution via IIS" bulletin. The patch
can be downloaded here:
Most Intrusion Detection Systems identify the Unicode Directory Traversal attack
today. The following have rules specific for Directory Traversal Exploits:
- ISS - Internet Security Scanner
- NFR - Network Flight Recorder
- Snort - www.snort.org
There is no exploit code required to manipulate this vulnerability. That is
what makes it very effective, quick and easy, and those same facts make it a
very dangerous vulnerability. Anyone could type these lines into the URL bar of
a browser and start to do damage to your systems if you do not properly secure
and patch them. I would go so far as to say that the actual exploit source code
is the Microsoft operating system itself.
Vulnerability in the News
This vulnerability is interesting because I think it says a lot about system
administrators and their outlook on security. Even though this vulnerability
was discovered around November 2000, it was not until the following year that
it actually started making headlines, which showed that many administrators had
not patched their systems. In addition, this vulnerability made news in many
different ways, from script writers making scripts for attackers to use, to
worm creators implementing the exploit in their creations, as I outlined earlier.
On February 14 and 15, 2001, Attrition.org posted the following sites that
were defaced using this vulnerability:
F-Secure released an article that outlines the entire NIMDA worm. At the
beginning, they make reference to this vulnerability; even though it is only
part of the worm, it is a significant part. You may find this article here:
CERT put out an advisory on November 20, 2000. This advisory goes into great
detail about how it works and is where I got my descriptive information from.
This advisory can be found at:
Security Focus put out an advisory as well. Their advisory includes information
about the vulnerability, how it works, and how to protect yourself. It can be found
The "Sadmind" worm was one of the more popular worms of the year. This worm
started out on an infected Sun Solaris machine and searched for other Solaris
machines as well as Microsoft IIS servers. If it found an IIS server, it would
attempt to infect it with a Web Folder Directory Traversal attack. There are
many articles on the Internet about this, and some of the better ones are:
References and Citations
Gettys, J.; Mogul, J.; Frystyk, H.; Leach, P.; Masinter, L.; Berners-Lee, T.
"Request For Comments: 2616." June 1999.
"Simple Mail Transfer Protocol." August 1982.
Kantor, Brian; Lapsley, Phil. "Network News Transfer Protocol." February 1986.
Postel, J.; Reynolds, J. "File Transfer Protocol." October 1985.
Attrition.org, February 15, 2001.
Attrition.org, February 14, 2001.
"Microsoft Personal Web Server 4.0 Extended UNICODE Directory Traversal
and File Access Vulnerability Patch for Windows 95/98." June 19, 2001.
Microsoft TechNet, March 26, 1999. URL:
Microsoft TechNet, October 17, 2000. URL:
Microsoft TechNet, November 30, 2000. URL:
Microsoft TechNet, August 20, 2001. URL:
Microsoft TechNet, August 23, 2001, Version 1.0. URL:
Microsoft TechNet, 2001.
Microsoft Corporation, November 10, 2000.
Paranoid Security 2001, ya_weakness, No|d, Version 0.99.
Carnegie Mellon University, September 18, 2001, Document Revision 22.
Microsoft TechNet, August 10, 2001. "File Permission Canonicalization."
Miller, Nate. "Microsoft IIS Unicode Exploit." August 2001.
"Gopher." April 8, 1995.
Duda, Andrzej; Sheldon, Mark. "Content Routing in Networks of WAIS Servers."
June 1994.
Tocheva, K.; Erdelyi, G.; Podrezov, S.; Rautiainen, S.; Hypponen, M.
"NIMDA." September 19, 2001.
Internet Security Systems. "Code Blue Worm." September 10, 2001.
""Code Blue" Sighted in China." September 7, 2001.
"Code Blue Targets China Firm." September 7, 2001.
"Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability."
September 10, 2001.
Greene, Thomas. "Worm puts old IIS attack in full-auto mode." August
Carnegie Mellon University. May 10, 2001.
Knight, Will. "Worm exploits Solaris to attack IIS sites." May 8,
The Honeynet Project Team. Know Your Enemy. Reading: Addison Wesley Longman, Inc.