Re: Unicode Attack

From: Daniel Polombo (polombo@cartel-securite.fr)
Date: Wed Nov 13 2002 - 11:27:41 PST


    On Wed 13/11/2002 at 15:51, Jeremy Junginger wrote:
    
    > Web log entries:
    > 
    > 2002-11-12 13:00:37 210.201.100.253 - x.x.x.17 80 GET
    > /scripts/..%5c../..%5c../..%5cwinnt/system32/cmd.exe /c+dir 200 1849 321
    
    Mmh, here you have a "normal" cmd.exe request: system32/cmd.exe
    
    > INTERESTING NOTE:  The web logs indicate that the URL Requested was
    > (correct me if I'm wrong) 
    > http://x.x.x.17/scripts/..%5c..%5c..%5cwinnt/system32.cmd.exe?/c+dir
    > (possibly with a c:\ at the end).  
    > 
    > When running this URL against the server, it produces a 404 error on the
    > server rather than listing the drive contents.  
    
    And here you have system32.cmd.exe, which unsurprisingly produces a 404.
    
    What *is* surprising is that the webserver logs don't show the actual
    path.
     
    > 3) Since there are few (if any) thorough Unicode scanners, is it
    > possible to write a perl script that could check for all possible
    > Unicode variants on a given web server to test the effectiveness of the
    > URLSCAN and IISLOCKDOWN utilities (pre-change/post-change pen-test)?  I
    > have some "shell" programs like uni.pl, but am a little confused about
    > how to generate all of the possible combinations.
    
    Unfortunately, you have to try and generate a list of possible
    combinations all by yourself:
    
    - there are a number of possibilities to build a '/' or '\' using the
    unicode double decode thingie IIS is so proud of (must be, or they'd
    have removed it long ago). Learn more about them here:
    
      http://www.wiretrip.net/rfp/p/doc.asp/i7/d57.htm
    
    - there are countless possibilities to build a path going to cmd.exe.
    Most of them should begin with a folder in your webroot from which the
    webserver is able to execute scripts (i.e., /scripts, /_vti_bin, and so
    on).
     
    Assuming you wish to generate such a list yourself, IIS shell (yet
    another unicode exploit) uses a plain text file as a list of paths to
    check for on the server. Find it here:
    
      http://www.cartel-securite.net/res/iisshell-1.3.tgz
    
    Hope this helps,
    
       Daniel
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Nov 13 2002 - 16:31:24 PST