Internet Information Server Exploits

Double Dot -- Windows NT IIS 3.0 Exploit

A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory. A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script. By default the user 'Guest' or IUSR_WWW has read access to all files on an NT disk, so these files can be browsed, executed or downloaded by wandering guests.

The "double dot" bug allows an intruder to access any file on the same partition as your wwwroot directory (assuming the IIS user has permission to read that file). It also allows an intruder to execute any executable file on the same partition as your scripts directory (assuming the IIS user has permission to execute it). If cmd.exe can be executed, it then allows an intruder to execute any command and read any file on any partition (again assuming the IIS user has permission to read or execute it).

Fix: Microsoft IIS 3.0 Service Pack 3.

ASP Exploit -- Windows NT Active Server Page Exploit

To download an unprocessed ASP file, simply append a period to the ASP URL. For example, http://www.somewhere.com/something.asp becomes http://www.somewhere.com/something.asp. (note the trailing period). With the period appended, Internet Information Server (IIS) no longer recognizes the request as a script and sends the unprocessed ASP file to the web client, where the source can be examined at will. If the source includes any credentials used to reach other system processes, such as a SQL database connection string, they will be revealed.

ASP DATA Exploit

The native Windows NT file system, NTFS, supports multiple data streams within a file. The main data stream, the one that stores the file's content, is called $DATA. Requesting this stream directly from a browser may display the script code for the file. For example, http://myserver/file.asp::$DATA may yield the contents of the file itself rather than the processed results of the file.
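All three tricks above (the backslash double dot, the trailing period and the ::$DATA stream suffix) have the same root cause: the server decides what a request is allowed to do from the raw URL string, but the file system opens something else. The example below is added here and is not code from the original page or from IIS; it contrasts a string-level check of the kind a 1997 handler might use with one that canonicalizes the path the way Win32/NTFS will before deciding. WWWROOT, the extension list and the handler logic are assumptions for illustration.

```python
"""Added example (not from the original page): why the three IIS 3.0 tricks above
work.  A string-level access check is compared with one that canonicalizes the
path the way NTFS/Win32 will before deciding.  WWWROOT and the handler logic are
assumptions, not IIS's real code."""
import ntpath
from urllib.parse import unquote

WWWROOT = r"C:\InetPub\wwwroot"      # assumed content root (hypothetical layout)
SCRIPT_EXTS = {".asp", ".idc"}       # extensions handed to a script engine


def naive_classify(url_path):
    """Decide what to do with a request using only string tests on the raw URL.
    Returns (kind, local_path) where kind is 'deny', 'script' or 'static'."""
    if ".." in url_path.split("/"):            # catches "/../" but not "/..\"
        return ("deny", None)
    local = WWWROOT + url_path.replace("/", "\\")
    kind = "script" if url_path.lower().endswith(tuple(SCRIPT_EXTS)) else "static"
    return (kind, local)


def where_it_lands(local_path):
    """The file the operating system will actually open for a given path."""
    return ntpath.normpath(local_path)


def canonical_classify(url_path):
    """Canonicalize first: decode, fold separators, drop the NTFS stream suffix and
    Win32's trailing dots/spaces, then check containment and extension."""
    p = unquote(url_path).replace("/", "\\")
    # "::$DATA" names the default data stream, i.e. the file content itself.
    if p.lower().endswith("::$data"):
        p = p[: -len("::$DATA")]
    # Win32 silently strips trailing dots and spaces from the last component.
    head, tail = ntpath.split(p)
    if tail not in ("", ".", ".."):
        tail = tail.rstrip(". ")
    p = ntpath.join(head, tail)
    local = ntpath.normpath(ntpath.join(WWWROOT, p.lstrip("\\")))
    root = ntpath.normpath(WWWROOT).lower()
    if local.lower() != root and not local.lower().startswith(root + "\\"):
        return ("deny", None)
    ext = ntpath.splitext(local)[1].lower()
    return ("script" if ext in SCRIPT_EXTS else "static", local)


if __name__ == "__main__":
    for req in ("/index.htm", "/..\\..", "/something.asp.", "/file.asp::$DATA"):
        print(req, "naive:", naive_classify(req), "canonical:", canonical_classify(req))
```

The naive handler lets "/..\.." through as a static file whose path resolves to the drive root, and serves both "something.asp." and "file.asp::$DATA" as static content even though the file system opens the .asp script for each; the canonicalizing handler denies the traversal and treats both disclosure forms as the script they really are.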
Fix: available for IIS 3.0 and IIS 4.0.

FTP PROBLEM

The Internet Information Server FTP service includes a passive mode command (PASV) to request that the server wait for a connection instead of initiating one after receiving a transfer command. Certain situations involving multiple passive connections may result in errors, system performance problems and denial of service for both the WWW and FTP services. Server administrators will see the following error in the System Event Log:

  FTP Server could not create a client worker thread for user at host . The connection to this user is terminated. The data is the error.

Clients accessing either the WWW or FTP service might see messages such as:

  - Connection closed by remote host
  - The FTP session was terminated

Fix: a Microsoft fix is available.

Index Server Exploit -- Windows NT IIS 3.0 Exploit

If the system administrator has left the default sample files on the Internet Information Server, an attacker has the opportunity to narrow down their search for a username and password. A simple query of a popular search engine shows about four hundred websites that still have barely modified versions of the sample files installed and available. The file is called queryhit.htm. Many webmasters have neglected to restrict the search fields to certain directories and to exclude the script directories. Once one of these sites is located, a search can easily narrow down the files an attacker would need to find a username and password. Using the sample search page it is easy to specify only files that contain the word "password" and are script files (.asp or .idc files, Cold Fusion scripts, even .pl files are good). The URL the attacker would try is http://servername/samples/search/queryhit.htm, and the search would be something like "#filename=*.asp". When the results are returned, one can not only link to the files but also look at the "hits" by clicking the view-hits link, which uses the webhits program.
The webhits program bypasses the security IIS sets on script files and allows the source to be displayed. Even if the original samples are not installed or have been removed, a hole is still available to read script source: if the server has Service Pack 2 fully installed (including Index Server) it will also have webhits.exe at http://servername/scripts/samples/search/webhits.exe. This URL can be prefixed to another URL on the same server to display the contents of that script. To protect your server from this problem, remove the webhits.exe file from the server, or at least from its default directory. I also recommend that you customize your server search pages and scripts (.idq files) to make sure they only search what you want, such as plain .HTM or .HTML files. Index Server is a wonderful product, but be sure you have configured it properly.

IIS Denial of Service -- Windows NT IIS 3.0 Exploit

Using a telnet client to connect to a webserver on HTTP port 80 and typing "GET ../.." (a request path with no leading slash) will crash IIS.

More to come....
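Every item on this page shows up in the web server's request log as a recognizable URL shape: a backslash double dot, a script name with a trailing period, a ::$DATA suffix, webhits.exe called with another URL as its argument, or a request line with no leading slash. The scanner below is an added example, not part of the original page or of any Microsoft tool, that runs those patterns over a few constructed log lines (not real server logs) in a simplified W3C-style layout; the field layout and the rule names are assumptions.

```python
"""Added example (not from the original page): a small log scanner that flags the
request shapes described on this page.  The log lines are constructed for the
example in a simplified W3C-style layout (date time c-ip cs-method cs-uri-stem
cs-uri-query sc-status); the field layout and rule names are assumptions."""
import re
from urllib.parse import unquote

# Constructed sample lines, not a real server log.
SAMPLE_LOG = r"""1997-06-01 10:00:01 10.0.0.5 GET /default.htm - 200
1997-06-01 10:00:02 10.0.0.7 GET /..\..\winnt\win.ini - 200
1997-06-01 10:00:03 10.0.0.7 GET /something.asp. - 200
1997-06-01 10:00:04 10.0.0.7 GET /file.asp::$DATA - 200
1997-06-01 10:00:05 10.0.0.9 GET /scripts/samples/search/webhits.exe /default.asp 200
1997-06-01 10:00:06 10.0.0.9 GET ../.. - 500
1997-06-01 10:00:07 10.0.0.5 GET /scripts..\..\winnt\system32\cmd.exe - 200
"""

TRAVERSAL = re.compile(r"\.\.[\\/]")                      # "..\" or "../" anywhere
TRAILING_DOT = re.compile(r"\.(asp|idc|idq)\.+$", re.I)   # "something.asp."
ADS_STREAM = re.compile(r"::\$DATA$", re.I)               # "file.asp::$DATA"
WEBHITS = re.compile(r"/webhits\.exe$", re.I)             # sample hit-highlighter


def classify_request(stem, query):
    """Return the list of rule names a single request trips (empty if benign)."""
    decoded = unquote(stem)       # also catches URL-encoded dots and backslashes
    hits = []
    if not decoded.startswith("/"):            # "GET ../.." with no leading slash
        hits.append("malformed-request")
    if TRAVERSAL.search(decoded):
        hits.append("dot-dot-traversal")
    if TRAILING_DOT.search(decoded):
        hits.append("trailing-dot-source-disclosure")
    if ADS_STREAM.search(decoded):
        hits.append("ntfs-stream-source-disclosure")
    if WEBHITS.search(decoded) and query != "-":   # webhits.exe handed a path to show
        hits.append("webhits-source-disclosure")
    return hits


def scan(log_text):
    """Scan a whole log; returns (line_number, rule) pairs in file order."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 7:          # skip headers, blank or truncated lines
            continue
        stem, query = fields[4], fields[5]
        for rule in classify_request(stem, query):
            findings.append((n, rule))
    return findings


if __name__ == "__main__":
    for n, rule in scan(SAMPLE_LOG):
        print(f"line {n}: {rule}")
```

The traversal rule deliberately matches both separators and runs after URL decoding, since the double dot bug is triggered with a backslash that a check written for "../" never sees; the webhits rule only fires when the program is given an argument, because a bare request for the file itself is not the disclosure case described above.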