Signature Detail

HTTP: Microsoft IIS Multiple Extensions Security Bypass

This signature detects attempts to exploit a known vulnerability against Microsoft IIS Web Servers. Attackers can bypass certain security restrictions and compromise a vulnerable system. Note: In it's default configuration Microsoft Internet Information Server is not vulnerable to this issue. Administrators must have insecurely configured the system in order to be exploited.

Extended Description

Microsoft IIS is prone to a security-bypass vulnerability. This vulnerability may cause IIS to interpret unexpected files as CGI applications. Attackers may be able to exploit this vulnerability to bypass intended security restrictions. UPDATE (December 25, 2009): Reports indicate that IIS 7.5 is not vulnerable to this issue. Furthermore, it is currently unknown whether IIS 7.0 is vulnerable. UPDATE (December 29, 2009): Reports indicate that IIS 5.0 SP1 under Windows XP SP 3 and IIS 7.0 under Windows Server 2008 are not affected. NOTE: This BID is being retired. For an exploit to succeed, IIS must be configured in a nondefault way and contrary to the vendor's recommended best practices.

Affected Products

• Microsoft iis 1.0
• Microsoft iis 2.0
• Microsoft iis 3.0
• Microsoft iis 4.0
• Microsoft iis 5.0
• Microsoft iis 5.1
• Microsoft iis 6.0

References

• BugTraq: 37460
• CVE: CVE-2009-4444
• URL: http://www.owasp.org/index.php/Unrestricted_File_Upload
• URL: http://blogs.technet.com/msrc/archive/2009/12/27/new-reports-of-a-vulnerability-in-iis.aspx
• URL: http://isc.sans.edu/diary.html?storyid=7810