RE: IIS/Unicode and authentication box

From: Bryan Allerdice (bryan_allerdiceat_private)
Date: Wed Jul 25 2001 - 13:09:58 PDT

Next message: Nicolas Gregoire: "Re: Tool kit assembly"

Previous message: Coffey, Christopher S.: "RE: Tool kit assembly"
In reply to: Vladimir Parkhaev: "IIS/Unicode and authentication box"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'd point out to the customer that there are ways to brute-force the
username and password. If someone were to find a legitimate username
and password by brute-force, then they could exploit whatever holes
his IIS installation has - Unicode or otherwise.

(You'll find a HTTP-Auth brute-forcer program called ObiWaN at
http://www.phenoelit.de/obiwan/)

BRYAN

- -----Original Message-----
From: Vladimir Parkhaev [mailto:vladimirat_private]
Sent: Wednesday, July 25, 2001 9:03 AM
To: Penetration Testers
Subject: IIS/Unicode and authentication box




I am trying to show to a customer that his IIS server is vulnerable 
to unicode exploits.  However, access to his server is password
protected
(Require valid-user) I get "HTTP/1.1 401 Access Denied" and 
"You are not authorized to view this page".

As far as I am concerned, having password box does mean he does
not have to patch his web server. How can I show that his box
is vulnerable? Anybody? 

- -- 
print chr hex for qw +
2D 2D 0A 76 6C 61 64 69 6D 69 72 40 61 72 6F 62 61 73 2E 6E 65 74 0A
44 38
37 44 20 44 32 46 42 20 46 31 36 33 20 46 31 43 31 20 34 32 30 41 20
20 31
44 31 46 20 36 43 42 39 20 31 46 38 39 20 38 35 30 42 20 30 38 44 44
0A +;

- ----------------------------------------------------------------------
- ------
This list is provided by the SecurityFocus Security Intelligence
Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities
please see:
https://alerts.securityfocus.com/

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO18nkYQImHalSbbtEQLh2wCgoGZHsML3Z+FAlFZ+eAAR+61XwL0AoNBA
z76obD8zgpOllPeOYZFsR4g2
=cDA0
-----END PGP SIGNATURE-----


_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Next message: Nicolas Gregoire: "Re: Tool kit assembly"
Previous message: Coffey, Christopher S.: "RE: Tool kit assembly"
In reply to: Vladimir Parkhaev: "IIS/Unicode and authentication box"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 15:56:40 PDT