CVE-2001-0333
Published: 2001-06-27
Priority: P2 · 71 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 90.77% (99.8th percentile)
Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_information_server | <= 5.0 | — |
| microsoft | internet_information_server | — | — |
Detection & IOCs
- Detect double-encoded dot-dot-slash traversal sequences in HTTP request URIs targeting the /scripts/ directory; key patterns include %255c, %%35c, %%35%63, %25%35%63, %252e, %%32%65, %25%32%65
- Alert on HTTP GET requests to /scripts/ containing double-encoded traversal sequences followed by cmd.exe, indicative of CVE-2001-0333 exploitation
- The Nimda worm and its variants actively exploit this vulnerability; correlate IIS exploitation attempts with known Nimda indicators
- Arbitrary commands execute under the IUSR_machinename account; monitor for unexpected process spawning (e.g., cmd.exe) from IIS worker processes under this account
- Monitor the IIS scripts directory for unexpected .exe files dropped by attackers (e.g., randomly named executables copied from cmd.exe or Metasploit payloads)
- Detect attrib.exe invocations removing read-only/hidden/system flags on files within C:\inetpub\scripts\ as a post-exploitation cleanup indicator
- Various double-encoding combinations may yield different outcomes depending on Windows version and locale; detection rules must cover all documented encoding variants
- The Metasploit module targets port 80 by default but the RPORT option is configurable; detection should not be limited to port 80 alone
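Added example (not taken from any of the indexed sources): rather than listing every encoding variant as a literal, this check percent-decodes the request path twice and flags /scripts/ requests where a traversal sequence is present once a second decode pass has changed the path, which covers all seven patterns above on any port. The log format, `PLACEHOLDER` path and function names are assumptions made for the illustration.

```python
import re

_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")
_TRAVERSAL = re.compile(r"\.\.[\\/]")

# Constructed sample requests, "<port> <method> <raw URI>". PLACEHOLDER stands
# in for a directory path; none of these lines come from a real host.
SAMPLE_LOG = """\
80 GET /scripts/..%255c..%255cPLACEHOLDER/cmd.exe
8080 GET /scripts/..%%35c..%%35cPLACEHOLDER/cmd.exe
80 GET /scripts/%252e%252e/PLACEHOLDER/readme.txt
80 GET /scripts/report%2520final.asp?id=1
80 GET /images/logo.gif
"""

def decode_once(s):
    """One percent-decoding pass; malformed escapes such as '%%' stay as-is."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)

def classify(uri):
    """Return None, 'traversal' or 'traversal+cmd.exe' for a raw request URI."""
    path = uri.split("?", 1)[0]
    first = decode_once(path)
    second = decode_once(first)
    if first == second:
        return None  # nothing decodes a second time: not double-encoded
    lowered = second.lower()
    if not lowered.startswith("/scripts/") or not _TRAVERSAL.search(second):
        return None
    return "traversal+cmd.exe" if "cmd.exe" in lowered else "traversal"

def scan(log_text):
    """Return (port, uri, verdict) for every flagged line, on any port."""
    hits = []
    for line in log_text.splitlines():
        port, _method, uri = line.split(" ", 2)
        verdict = classify(uri)
        if verdict:
            hits.append((int(port), uri, verdict))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A doubly encoded space (`%2520`) is not flagged because no traversal sequence appears after the second pass, which keeps benign double encoding out of the alert stream.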
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 7.5 HIGH
GHSA
GHSA-j59q-fjq9-v929: Directory traversal vulnerability in IIS 5
ghsa_unreviewed·2022-04-30
Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.
VulnCheck
Microsoft Internet Information Services (IIS) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2001·CVSS 7.5
Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.
Affected: Microsoft Internet Information Services (IIS)
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=25275
No detection rules found.
Exploit-DB
Microsoft IIS/PWS - CGI Filename Double Decode Command Execution (MS01-026) (Metasploit)
exploitdb·2011-01-08
---
##
# $Id: ms01_026_dbldecode.rb 11513 2011-01-08 00:25:44Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex/proto/tftp'
class Metasploit3 'Microsoft IIS/PWS CGI Filename Double Decode Command Execution',
'Description' => %q{
This module will execute an arbitrary payload on a Microsoft IIS installation
that is vulnerable to the CGI double-decode vulnerability of 2001.
NOTE: This module will leave a metasploit payload in the IIS scripts directory.
}
Exploit-DB
Microsoft IIS 3.0/4.0/5.0 - PWS Escaped Characters Decoding Command Execution (2)
exploitdb·2001-05-16
---
// source: https://www.securityfocus.com/bid/2708/info
Due to a flaw in the handling of CGI filename program requests, remote users can execute arbitrary commands on an IIS host.
When IIS receives a CGI filename request, it automatically performs two actions before completing the request:
1. IIS decodes the filename to determine the filetype and the legitimacy of the file. IIS then carries out a security check.
2. When the security check is completed, IIS decodes CGI parameters.
A flaw in IIS involves a third undocumented action: Typically, IIS decodes only the CGI parameter at this point, yet the previously decoded CGI filename is mistakenly decoded twice. If a malformed filename is submitted and
Exploit-DB
Microsoft IIS 3.0/4.0/5.0 - PWS Escaped Characters Decoding Command Execution (7)
exploitdb·2001-05-15
Exploit-DB
Microsoft IIS 3.0/4.0/5.0 - PWS Escaped Characters Decoding Command Execution (4)
exploitdb·2001-05-15
Exploit-DB
Microsoft IIS 3.0/4.0/5.0 - PWS Escaped Characters Decoding Command Execution (3)
exploitdb·2001-05-15
Exploit-DB
Microsoft IIS 3.0/4.0/5.0 - PWS Escaped Characters Decoding Command Execution (1)
exploitdb·2001-05-15
Exploit-DB
Microsoft IIS 3.0/4.0/5.0 - PWS Escaped Characters Decoding Command Execution (5)
exploitdb·2001-05-15
Exploit-DB
Microsoft IIS 3.0/4.0/5.0 - PWS Escaped Characters Decoding Command Execution (8)
exploitdb·2001-05-15
Exploit-DB
Microsoft IIS 3.0/4.0/5.0 - PWS Escaped Characters Decoding Command Execution (6)
exploitdb·2001-05-15
Metasploit
MS01-026 Microsoft IIS/PWS CGI Filename Double Decode Command Execution
metasploit
This module will execute an arbitrary payload on a Microsoft IIS installation that is vulnerable to the CGI double-decode vulnerability of 2001. This module has been tested successfully on: Windows 2000 Professional (SP0) (EN); Windows 2000 Professional (SP1) (AR); Windows 2000 Professional (SP1) (CZ); Windows 2000 Server (SP0) (FR); Windows 2000 Server (SP1) (EN); and Windows 2000 Server (SP1) (SE). Note: This module will leave a Metasploit payload exe in the IIS scripts directory.
No writeups or analysis indexed.
- http://marc.info/?l=bugtraq&m=98992056521300&w=2
- http://www.cert.org/advisories/CA-2001-12.html
- http://www.securityfocus.com/bid/2708
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2001/ms01-026
- https://exchange.xforce.ibmcloud.com/vulnerabilities/6534
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1018
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1051
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A37
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A78