HTTP: IIS Double Percentage Encoding (2)
This signature detects %% encoded in a URL. Microsoft Internet Information Services (IIS) uses special techniques to decode URLs. Attackers can be attempting to exploit these IIS techniques to evade detection by IDP.
Extended Description
Due to a flaw in the handling of CGI filename program requests, remote users can execute arbitrary commands on an IIS host. When IIS receives a CGI filename request, it automatically performs two actions before completing the request: 1. IIS decodes the filename to determine the filetype and the legitimacy of the file. IIS then carries out a security check. 2. When the security check is completed, IIS decodes CGI parameters. A flaw in IIS involves a third undocumented action: Typically, IIS decodes only the CGI parameter at this point, yet the previously decoded CGI filename is mistakenly decoded twice. If a malformed filename is submitted and circumvents the initial security check, the undocumented procedure will decode the malformed request, possibly allowing the execution of arbitrary commands. Note that arbitrary commands will be run with the IUSR_machinename account privileges. Reportedly, various encoding combinations under Windows 2000 Server and Professional may yield different outcomes. Personal Web Server 1.0 and 3.0 are reported vulnerable to this issue. The worm Nimda(and variants) actively exploit this vulnerability.
Affected Products
Microsoft iis
Short Name
HTTP:IIS:ENCODING:PERC-PERC-2
Severity
Minor
Recommended
False
Recommended Action
None
Category
HTTP
Keywords
(2) CVE-2001-0333 CVE-2014-6287 Double Encoding IIS Percentage bid:2708
Release Date
03/17/2005
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3590
False Positive
Rarely
Vendors
Microsoft
CVSS Score
7.5
10.0