Cyber Security Expo
A day in the life of Directory Traversal and IIS by Charles Hornat on 05/09/02


The Directory Traversal Vulnerability on Microsoft IIS 4 and 5 servers was a significant vulnerability and a harsh reality check for the industry as a whole. The primary concern here is not in the specific vulnerability outlined below, but the fact that the Security and technology administrators proved the following points:

  • System and Network Administrators do NOT apply patches to their systems
  • Microsoft Developers are NOT developing secure software
  • If you give malicious users an inch, they will take a mile

The exploitation of this vulnerability could have been completely avoided if all system administrators applied a patch in August of 2000. However, they did not, and due to this, many web servers were attacked using this vulnerability. Defacements were not the primary problem here though. Malicious script writers, those who create Trojans and Virus, took this exploit, used primarily for defacing at the time, and created perhaps the worst worm in the internet history, NIMDA. This is why I have chosen to write a comprehensive practical on the entire vulnerability with some of its history outlined. As well as steps to take to protect yourself from this vulnerability. If all System Administrators would have taken these steps back in August 2000, perhaps the Code Red, Nimda and other programs, worms and Trojans would never have been created.

In this practical, you will learn the following:

  • What Unicode is
  • Microsoft Vulnerability exploited by Unicode
  • How the exploit works
  • Modern day examples
  • How to Identify an attack
  • How to protect yourself from it

Table of Contents

Table of Contents
Targeted Port
Exploit Details
Operating System
Brief Description:
Description of Variants
How does it work?
What is it
CERT Example
NET USE Example
Example of Exploit
Utilization of Exploit
IIS Logs
Honeynet Project
How do I protect My Systems
Windows 2000(All Versions) and NT 4(All Versions)
Personal Web Server 4 (Windows 98)
Source Code
Vulnerability in the News
References and Citations


This practical was written by picking a top 10 port that appeared on the CID graph at the time of writing. I chose a graph from September 8th, 2001, as displayed in Figure 1.

Figure 1: CID Graph

Targeted Port: Port 80

  • Port 80 is a reserved port number for HTTP Hypertext Transfer Protocol). A Request for Comments (RFC) for this can be found at:
  • The most commonly associated service with port 80 is web services.
  • Port 80 typically uses the protocol HTTP - The Hypertext Transfer Protocol. It is an application level protocol. This protocol is used in distribution, collaborative, hypermedia information systems. HTTP is a connectionless, stateless protocol that can be used for a number of different purposes such as name servers and distributed object management systems. It achieves this through extensions of its request methods, error codes and headers. A prominent feature of HTTP is the typing and negotiation of data representation, allowing systems to be built independently of the data being transferred.

HTTP is also used as a generic protocol for communication between client applications and proxies/gateways to other internet systems. This includes those supporting the following:

Because of this, HTTP allows a basic hypermedia access to other resources available from other applications.

The above information was gathered from RFC 2616 and that can be referenced at:

Exploit Details

Name: Directory Traversal Vulnerability

Operating System:

Microsoft NT 4 Server with IIS
Microsoft NT 4 Workstation with IIS
Microsoft NT 4 Server and Workstation SP1 with IIS
Microsoft NT 4 Server and Workstation SP2 with IIS
Microsoft NT 4 Server and Workstation SP3 with IIS
Microsoft NT 4 Server and Workstation SP4 with IIS
Microsoft NT 4 Server and Workstation SP5 with IIS
Microsoft NT 4 Server and Workstation SP6 with IIS
Microsoft NT 4 Server and Workstation SP6a with IIS
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Professional SP 1
Microsoft Windows 2000 Professional SP 2
Microsoft Windows 2000
Microsoft Windows 2000 SP 1
Microsoft Windows 2000 SP 2
Microsoft Server 2000
Microsoft Server 2000 SP 1
Microsoft Server 2000 SP 2
Microsoft Advanced Server 2000
Microsoft Advanced Server 2000 SP 1
Microsoft Advanced Server 2000 SP 2
Microsoft Datacenter Server 2000
Microsoft Datacenter Server 2000 SP 1
Microsoft Datacenter Server 2000 SP 2
Microsoft Windows 98 w/personal web server 4

Protocols/Services: This vulnerability affects all versions of Windows with IIS 5 installed and running and the Personal Web Server 4 on Windows 98. It is also commented that this will work on NT 4. For the purpose of this Practical, all my tests were done against Microsoft Windows 2000 with IIS 5 running. The Directory Traversal vulnerability focuses on the Web service within IIS.

Brief Description: In November of 2000, NSFOCUS reported that vulnerability exists with regards to the way IIS handles a request for an executable file. In addition to the mishandling of the executable request, an attacker could also follow the request with some commands for the executable.

Description of Variants
The Unicode exploit was discovered in October 2000. Since its initial conception, which is covered in the Advanced Incident Handling and Hacker Exploit class taught by SANS, there have been updates to this vulnerability. In addition to these updates, attackers have also learned how to better use this exploit to manipulate systems. This practical will cover the more popular to date. Listed below you will find the Microsoft updates as they were announced:

  • MS00-057, posted in August 2000, is a security Bulletin that discusses the "File Permission Canonicalization" Vulnerability. This Vulnerability is unrelated to the Directory Traversal Vulnerability outlined in this practical. However, the patch to fix the File Permission Canonicalization Vulnerability fixed the Directory Traversal Vulnerability as well. Please note that this was a coincidence since the Directory Traversal Vulnerability was not discovered yet. For more information on the File Permission Canonicalization Vulnerability see Microsoft"s MS00-0057 Security Bulletin at:

  • MS00-078, posted October 17, 2000, was the first official Microsoft Security Bulletin pertaining to the "Web Server Folder Traversal" vulnerability. This Bulletin explains that the exploit this Bulletin refers to was eliminated by applying an earlier patch (MS00-057). Microsoft did not release a patch with this Bulletin. This Bulletin describes the threat of a malformed URL that would give an attacker the same rights as the IUSER_machinename user. This Bulletin goes on to describe the possibilities the attacker has, such as uploading and downloading files, delete and view files, and so on. Microsoft also mentions that they released this Bulletin to inform its customers that:

    • To inform its customers of the new vulnerability and the increased risk it poses.
    • To urge customers who haven"t already applied the patch to do so immediately.

    This bulletin can be found at:

  • MS00-086, posted on November 30, 2000, defines the "Web Server File Request Parsing" Vulnerability. This Bulletin discusses a vulnerability that would let an attacker run operating system commands on the web server. This is done by the attacker requesting a .bat or .cmd file and that file must exist on the web server being attacked. Like the MS00-0057 Bulletin, this Bulletin also does not deal directly with the Directory Traversal Vulnerability. However, the patch that accompanied this Bulletin did. This Bulletin received four updates in it"s life, the last update is the one we are focused on:

    • November 6, 2000 Microsoft issued this Bulletin and a patch for the "Web Server File Request Parsing" Vulnerability. This Bulletin explained what the vulnerability was and what to do to eliminate the threat.

    • o November 10, 2001, was the first update to MS00-086. This addition was added to "clarify the scope of the issue" as stated by Microsoft. The update explained that IIS 4.0 pre Service Pack 6 systems were also vulnerable and Microsoft added some more "information on additional restrictions of the vulnerability."
    • o November 21, 2000 was when the third update was added to this Bulletin. This update was added to "discuss the availability of a patch that addresses new variants of (the) vulnerability." More specifically, it was "updated to discuss two newly discovered variants of the original vulnerability" as stated by Microsoft.
    • o The final edit came on November 30, 2000, "It was updated to discuss a newly-discovered regression error in the IIS 5.0 patch and recommend that customers apply an updated version of the patch." It seems that customers who applied the MS00-086 patch made themselves vulnerable to the "Web Server Directory Traversal" discussed in MS00-078. Therefore, Microsoft created a new patch specifically for customers who applied the MS00-086 patch on their IIS 5 systems. The MS00-086 bulletin can be found at:

How does it work?

This exploit works by an attacker constructing a URL that would cause IIS to navigate to any desired folder in the same logical drive and access the files in it. This can be achieved by using the Unicode character representations of "/" and "\". This allows a user to traverse the server to any directory on the same logical drive as the web application. In addition to this, unauthenticated users can perform the following: delete, modify or execute in these directories. This is possible because by default, an attacker will use the IUSR_machinename account. This account is, by default, a member of the Everyone and Users group. By using this method, a remote user with no credentials the same rights as a user who could successfully log on. Therefore, any file on the same logical drive as any web-accessible file that is accessible to these groups, can be manipulated.


What is it ?
To get a better understanding of the Directory Traversal Vulnerability, let"s take a look at Unicode. Unicode provides a unique number for every character. Unicode is completely independent and does not rely on the following in any way:

  • Platform
  • Program
  • Language

The Unicode standard has been adopted by such industry leaders as Apple, HP, IBM, JustSystem, Microsoft, Oracle, SAP, Sun, Sybase, Unisys and many others and is implemented in many Operating Systems and Internet Browsers. Unicode is incorporated into programming languages such as Java, Corba, XML, WML and so on.

Unicode attempts to provide a solution to electronically map every character of every language to a number equivalent. This would create over 65,000 characters that must be broken down into a 16 bit character definition.

For this specific Vulnerability, we will be focusing on the following:

%c0%af = /
%c1%9c = \

The purpose of this practical is to focus on the Vulnerability, therefore, I have decided to supply links to sites and information regarding Unicode versus going into detail on Unicode and how it works.

For more specific information on this, Lucent has written a white paper on it and can be located at:

A good site for reference on the Unicode and UTF-8 can be found at:

Steven Shields wrote a practical for SANS that goes into details about how Unicode works. This paper will provide details of the method used to transform common characters into Unicode formatted characters. This paper can be referenced at:


CERT Example
To take this a step further. IIS restricts files on the server to access only those files located in the web folders. The example below was taken from the Cert Vulnerability Note VU#111677, which can be referenced at Therefore, if a user tries to access a file like this, it will fail because IIS restricts access by default to files outside the web folders:

In addition, an attempt to execute a file not in a "marked as executable" directory will fail:

This would attempt to download the file instead of execute it.

Now let"s say an administrator wants an executable to be run by the viewer. The administrator can do so by marking the directory in which the executable lies "executable". Certain folders are already assigned as executable folders by default in an IIS server, "Scripts" is an example of such a folder. So if we take the following and try it again with this knowledge:

It would launch. Program.exe would also have to lie in the scripts directory for this to be true. Now, how would you launch a file not in the Scripts folder, in a non-executable privileged folder? Let"s add a twist to this, let"s trick IIS to use the scripts executable settings on a different folder that doesn"t have the right. This is where you will see the Directory Traversal vulnerability:

This will work because we use Unicode to bypass IIS checks and reference the Scripts folder where the Scripts folder has executable rights, and direct the privileges to the winnt/system32/cmd.exe file. In other words, launch cmd.exe in the scripts folder.

NET USE Example
If NetBIOS is installed on the target machine, and there are no filtering devices between you and the target (e.g. firewall, router) that deny or drop NetBIOS connection attempts, this is another possible attack using the Directory Traversal Vulnerability.\\servername\sharename

As you can see, we use the same technique as described in the example above, with the addition of c+net+use+\\servername\sharename.

c+net+use is the input we want in the cmd.exe that we launched. In other words, launch cmd.exe and input into that the command net use. When we use the command net use, we must specify the name of the server we want to attach to and the share we want to use. This information can be gathered multiple ways, which I will not go into. With this command, we have mounted a share on the target system. Now files can be copied, uploaded and downloaded by the attacker. An attacker could upload files or programs by using the Unicode exploit and is important to note since the attacker could upload a Trojan, some kind of remote control software, or even a key logger that will capture all your keystrokes, and your passwords that you use to enter sites like yahoo, hotmail or even online banking.

If we look at a sample, we see the following:


Chinese Language Unicode, %c1%1c and %c0%2f, where this exploit was first discovered, is illustrated by the first two listed above. If you try the Chinese Language Unicode on an English Language IIS server, it will fail. The last two, %c0%af and %c1%9c, are the English Unicode translations and will fail to exploit the Chinese Language IIS servers.

To get a good grasp at how this works, let us take a closer look. For this walk through we will examine:



This is the address of our target machine. It can consist of an IP or domain name.


Next we see the directory that has executable rights, the Scripts folder. Now that we have referenced this, we will use the Unicode to take us back to root, where we will traverse to the actual executable we want to run.


%c1%9c is Unicode for "\". In essence this takes us back to the root, or the beginning of the drive (e.g. C: or D:).


Here we direct it to the folder where the executable lies. In this case, the command shell executable, or CMD.exe, is located in the winnt/system 32 folder.


Finally, we see our request for the system to launch the cmd.exe executable. The ?c+dir is the command that we want our executable to perform. Here, we ask the CMD.exe to do a directory listing of its scripts directory. Why did it show us the scripts directory? Because winnt/system 32 is the directory where cmd.exe is located, but we ran it from the inetpub/scripts directory.

Example of Exploit

For further illustration, let"s see what this would actually look like. Figure 2 has a screen shot of the results of the command in an Internet Explorer browser.

Figure 2: Sample Output

In Figure 2, we can see how easy it is to view files on a vulnerable system.

Utilization of Exploit

There are many programs out there that exploit this vulnerability. One particular one that comes with an easy to use GUI is eyeIS by parsec. They developed this tool so that they could check their IIS servers quickly. To use this tool, you can download it at Once you have downloaded it, install it and launch the executable. I would like to make a note on the opening banner.

Figure 3: Legal Banner

In Figure 3, the banner very clearly states that the author of eyeIS "may log your IP address while using eyeIS." This program will send out, over the internet, information about you and the system you scan. Therefore, I would not recommend you scanning systems that you do not have permission to scan or that are critical to you or your organization. Click the "Accept" button, and you will see the main GUI as shown in Figure 4.

Figure 4: ParSec Gui

The first step is to tell eyeIS the TFTP client you wish to use. Almost all Operating Systems have this built in, so click the "TFTP Settings" button and input the IP address of the machine you are using eyeIS from. Then, in the space where it says, put in a target IP address or a URL that you wish to scan and click the "Connect" button. If it is vulnerable, you will see a screen like the one shown in Figure 5.

Figure 5: ParSec Sample

EyeIS has added functionality beyond what I have described here. It also has the ability to view text documents, upload netcat and then have obtained a limited command shell with your target machine, and so on.

Another attack that will try and use this vulnerability is the NIMDA worm. The NIMDA worm tries several different methods to try and exploit a system, and one way is the IIS/PWS Extended Unicode Directory Traversal Vulnerability. Let"s examine a screen shot of a W3SVC1 log on an IIS 5 server.

Figure 6: IIS Log

The key focus is shown in the last four lines of Figure 6. This is the NIMDA worm trying to exploit this vulnerability on an IIS web server.

As you can see as illustrated above, this exploit can be used in many different aspects. Everyone from System Administrators making tools to help you to people writing Worms and hostile code have used this vulnerability.


IIS Logs
The best place will be your IIS logs. They are located in your WINNT/SYSTEM32/LogFiles/ directory in Windows 2000. However, before you look in your logs, you should ensure you are logging the right information so that your log files provide you with the most useful of information. I recommend the following:

  • Client IP Address
  • User Name
  • Service name
  • Server IP Address
  • Server Port
  • Method
  • URI stem
  • URI Query
  • Protocol Status

After you have ensured that your logging is correct, you can open your logs. Figure 7 will show an actual portion of an IIS server on a windows 2000 machine. In Figure 7, please pay note to the last four lines.

Figure 7: IIS Log

These four lines show the NIMDA worm trying to exploit the Directory Traversal vulnerability so that it can infect your machine. In short, if you see any form of:

  • %c1%1c
  • %c0%2f
  • %c0%af
  • %c1%9c

In your logs, someone is trying this vulnerability on your system.

Honeynet Project
Lance Spitzner, along with a group of security experts, run a project called "The Honeynet Project." This project is designed to learn from hackers and crackers. It is a network setup, to simulate a regular, real working environment. The only difference is, that"s it is heavily monitored and logged and it"s not a real company"s network. The project is documented well at their web site

One of the key pieces of this project is a part they call "Scan of the Month." What they do is give you vital pieces of information, log files, and etc, and ask you to figure out what has happened, how a system was exploited, what exploit was used and so on. In February, 2001, they did a piece on the Unicode Directory Traversal Attack. The reason I wish to mention it, is that there are several papers written by people on it. They also include screen shots and very specific definitions on this attack. In addition to this, the Honeynet Team highlighted this attack on their networks in their book entitled "Know Your Enemy". Let"s take a look at Figure 8. Here we see a specific packet in a binary log format.

Figure 8: Unicode Binary

In this example, we do not see a specific request to the %c0%af Unicode in the ASCII text portion. This is because it has already been decoded for us. We must look into the HEX code to see it. If you examine the first 2 lines as illustrated in Figure 9, we see reference to the %c0%af three separate times (CO AF as underlined in Figure 9). Remember, that is because it was already decoded and is a good reason to always examine everything in your logs!

Figure 9: Unicode 2

How do I protect My Systems

Windows 2000(All Versions) and NT 4(All Versions)
There are a number of steps you can take to protecting your systems from the IIS/PWS Unicode Directory Traversal Vulnerability. This patch will eliminate the Directory Traversal Vulnerability. Microsoft makes suggestions in addition to this patch to help secure your server:

  • Configure IIS so that the web folder is on different logical drive than your system. For example, put your web data on the D: drive and everything else on the C: drive.
  • Eliminate all unneeded files and folders from your site. For example, remove the samples folder if you aren"t using them.
  • Change the permissions of the IUSR_machinename so that it does not have write permissions anywhere on your system.
The Microsoft Bulletin # MS00-078 that addresses this specific vulnerability can be referenced at:

Microsoft has released a Security patch for IIS. This patch contains a collection of hotfixes for this and other known vulnerabilities. This patch can be referenced and downloaded from:

Microsoft has created a checklist of steps to follow when building a checklist. Some key points include:

  • Setting appropriate ACL settings on Virtual Directories - Microsoft provides suggestions concerning user rights to CGI, Script and other file types associated with IIS and Web Services.
  • Logging setup - Recommendations include using W3C logging and enabling the following: Client IP, User Name, Method, URI Stream, HTTP Status, Win32 Status, and User Agent.
  • Disable or remove all sample applications located in the IIS samples virtual directory, IIS Documentation virtual directory and the Data Access virtual directory.
  • Disable Parent Paths which allows someone to use the ".." in calls to functions such as MapPath. This option is a default and this Microsoft document will help you disable it.
For more information on this Security checklist or to download the checklist, go to:

Microsoft has released an IIS lockdown tool. This is a program they have developed to help secure your IIS server from many of the recently discovered exploits. This tool has two modes of installation. It has an Express Lockdown, which will secure it with a single click of a button and an Advanced Lockdown mode which gives you the choice of what services and options you want active on the server. This tool offers an Undo option, in case you want to activate a service or option later on or made a mistake during the initial lockdown, and a comprehensive help system that give you information on the options it allows you to manipulate. For further information or to download this tool, please go to:

SANS is now teaching IIS security in their Advanced Incident Handling and Hacker Tools course. The new section in the GCIH was developed to cover the security concerns with the implementation of IIS 5.0 and Windows 2000 SP1. It covers such topics as:

  • Protocol Configuration of specifying DNS servers and the addition of domain suffixes.
  • Configuring services on the server - which ones to leave active and which ones should be disabled.
  • Configuring Terminal Services - settings and rights are just two of the many topics they cover for this category.
Please note, however, that it was not developed as a step by step procedure of hardening IIS. For further information about the SANS GCIH course, please go to:

Personal Web Server 4 (Windows 98)
This patch was created privately and advertised by Security Focus as a fix to the Personal Web Server 4 package that many people installed on Windows 98. This patch includes fixes for the MS99-010 (File Access Vulnerability in Personal Web Server - ), MS00-078 (Patch for Web Server Folder Traversal Vulnerability -,) MS00-86 (Web Server File Request Parsing Vulnerability - ) and MS01-026 (A cumulative patch for IIS containing the above mentioned security patches - bulletins. This patch is a combination of the Microsoft File Access Vulnerability patch for Personal Web Server and Dynamic Link Libraries from the Superfluous Decoding Operation that could Allow Command Execution via IIS. The patch can be downloaded here:


Most Intrusion Detection Systems identify the Unicode Directory Traversal attack today. The following have rules specific for Directory Traversal Exploits:

  • ISS - Internet Security Scanner
  • NFR - Network Flight Recorder
  • Snort -

Source Code

There is no exploit code required to manipulate this vulnerability. That is what makes it very effective, quick and easy. But these facts make it a very dangerous vulnerability. Anyone could type these lines into a URL of a browser and start to do damage to your systems if you do not properly secure and patch them. I would go so far as to say that the actual exploit source code would be the Microsoft Operating System itself.

Vulnerability in the News

This vulnerability is interesting because I think it said a lot about system administrators and their outlook on security. Even though this vulnerability was discovered around November 2000, it was not until the following year that it actually started making headlines that showed that many administrators did not patch their systems. In addition to this, this vulnerability made news in many different ways. From scriptors making scripts for attackers to use to Worm creators implementing the exploit in their creation, as I outlined earlier.

On February 14 and 15, 2001, posted the following sites that were defaced using this vulnerability:

F-Secure released an article that outlined the entire NIMDA worm. In the beginning, they make reference to this vulnerability, even though it is only part of the worm, it is a significant part. You may find this article here:

Cert put out an advisory on November 20, 2000. This advisory goes into great detail about how it works and is where I got my descriptive information from. This Advisory can be found at:

Security Focus put out an advisory as well. Their advisory includes information about the vulnerability, how it works, and how to protect you. It can be found at:

The "Sadmind" worm was one of the more popular Worms of the year. This Worm started out on an infected Sun Solaris machine, and searched for other Solaris machines as well as Microsoft IIS servers. If it found an IIS server, it would attempt to infect it with a Web Folder Directory Traversal attack. There are many articles on the Internet about this, and some of the better ones are:,4161,2716653,00.html

References and Citations

Gettys, J.; Mogul, J.; Frystyk, H.; Leach, P.; Masinter, L.; Berners-Lee, T.
"Request For Comments: 2616." June 1999

Postel, Jonathon
"Simple Mail Transfer Protocol" August 1982

Kantor, Brian; Lapsley, Phil
"Network News Transfer Protocol" February 1986

Postel, J.; Reynolds, J.
"File Transfer Protocol" October 1985
URL:, February 15, 2001
URL:, February 15, 2001
URL:, February 15, 2001
URL:, February 14, 2001

Raitzer, David
"Microsoft Personal Web Server 4.0 Extended UNICODE Directory Traversal and File Access Vulnerability Patch for Windows 95/98" June 19, 2001

Microsoft TechNet, March 26, 1999. URL:

Microsoft TechNet, October 17, 2000. URL:

Microsoft TechNet, November 30, 2000. URL:

Microsoft TechNet, August 20, 2001. URL:

Microsoft TechNet, August 23, 2001, Version 1.0. URL:

Microsoft TechNet, 2001

Microsoft Corporation, November 10, 2000

Paranoid Security 2001, ya_weakness, No|d, Version 0.99

Carnegie Mellon University, September 18, 2001, Document Revision 22

Microsoft TechNet, August 10, 2001 "File Permission Canonicalization"

Miller, Nate "Microsoft IIS Unicode Exploit" August 2001

Ullmer, Brygg
"Gopher" April 8, 1995

Duda, Andrzej; Sheldon, Mark
"Content Routing in Networks of WAIS Servers" June 1994
URL:, February 14, 2001

Tocheva, K; Erdelyi, G; Podrezov, S; Rautiainen, S.; Hypponen, M.
"NIMDA" September 19, 2001

Internet Security Systems
"Code Blue Worm" September 10, 2001

""Code Blue" Sighted in China" September 7, 2001

Delio, Michelle
"Code Blue Targets China Firm" September 7, 2001

Security Focus
"Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability"
September 10, 2001.

Greene, Thomas, "Worm puts old IIS attack in full-auto mode". August 5, 2001:

Canegie Mellon University. May 10, 2001.

Knight, Will. "Worm exploits Solaris to attack IIS sites" May 8, 2001

The Honey Project Team. Know Your Enemy. Reading: Addison Wesley Longman, Inc. 2001, 66-68

Rate this article

All images, content & text (unless other ownership applies) are © copyrighted 2000 -  , All rights reserved. Comments are property of the respective posters.