I can't reproduce this bug either - tested on a few servers (including some patched / unpatched for other dir traversal exploits.) I didn't bother to write a script for it, just tried it manually from a browser. This may be a hoax?

Also, someone just sent an advisory and 'exploit' for wu-ftpd to vuln-dev, which apparently trashes your hard drive.. anyone get this IIS exploit to work?

Matt

> -----Original Message-----
> From: owner-plugins-writersat_private
> [mailto:owner-plugins-writersat_private]On Behalf Of Felix Huber
> Sent: 19 September 2001 17:29
> To: Renaud Deraison
> Cc: plugins-writersat_private; nessus-develat_private
> Subject: Fw: New vulnerability in IIS4.0/5.0
>
> I just wrote a NASL for this bug. It's untested but I hope it works.
> The problem was I found no IIS where I could reproduce this error
> (I tested five IIS 4 and IIS 5 boxes).
> I will improve it when I find a working box ...
>
> Btw: I also updated the CF Admin Test.
>
> Kind regards
> Felix Huber
>
> -------------------------------------------------------
> Felix Huber, Security Consultant, Webtopia
> Guendlinger Str.2, 79241 Ihringen - Germany
> huberfelixat_private           (07668) 951 156 (phone)
> http://www.webtopia.de         (07668) 951 157 (fax)
>                                (01792) 205 724 (mobile)
> -------------------------------------------------------
>
> From: "ALife // BERG" <buginfoat_private>
> To: <Bugtraqat_private>
> Sent: Wednesday, September 19, 2001 11:38 AM
> Subject: New vulnerability in IIS4.0/5.0
>
> > -----[ Bright Eyes Research Group | Advisory # be00001e ]-----------------
> >
> > Remote users can execute any command on several
> > IIS 4.0 and 5.0 systems by using UTF codes
> >
> > -------------------------------------[ security.instock.ru ]--------------
> >
> > Topic: Remote users can execute any command on several
> > IIS 4.0 and 5.0 systems by using UTF codes
> >
> > Announced: 2001-09-19
> > Credits: ALife <buginfoat_private>
> > Affects: Microsoft IIS 4.0/5.0
> >
> > --------------------------------------------------------------------------
> >
> > ---[ Description
> >
> > For example, target has a virtual executable directory (e.g.
> > "scripts") that is located on the same drive as the Windows system.
> > Submit a request like this:
> >
> > http://target/scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+dir+c:\
> >
> > The directory list of C:\ will be revealed.
> >
> > Of course, the same effect can be achieved by this kind of processing
> > of '/' and '.'. For example: "..%u002f", ".%u002e/", "..%u00255c",
> > "..%u0025%u005c" ...
> >
> > Note: The attacker can run commands with IUSR_machinename account privilege
> > only.
> >
> > This is where things go wrong in IIS 4.0 and 5.0: IIS first scans
> > the given URL for ../ and ..\ and for the normal unicode of these
> > strings; if those are found, the string is rejected; if these are
> > not found, the string will be decoded and interpreted. Since the filter
> > does NOT check for the huge amount of overlong unicode representations
> > of ../ and ..\, the filter is bypassed and the directory traversal
> > routine is invoked.
> >
> > ---[ Workarounds
> >
> > 1. Delete the executable virtual directory like /scripts etc.
> > 2. If an executable virtual directory is needed, we suggest you
> >    assign a separate local drive for it.
> > 3. Move all command-line utilities that could be used by an attacker
> >    to another directory, and forbid the GUEST group access to those
> >    utilities.
> >
> > ---[ Vendor Status
> >
> > 2001.09.19 We informed Microsoft of this vulnerability.
> >
> > ---[ Additional Information
> >
> > [1] RFC 1642 UTF-7 - A Mail-Safe Transformation Format of Unicode.
> >     RFC 2152
> > [2] RFC 2044 UTF-8, a transformation format of Unicode and ISO 10646.
> >     RFC 2279
> > [3] RFC 2253 Lightweight Directory Access Protocol (v3): UTF-8 String
> >     Representation of Distinguished Names.
> >
> > ---[ DISCLAIMER
> >
> > THE INFORMATION PROVIDED IS RELEASED BY BRIGHT EYES RESEARCH GROUP (BERG)
> > "AS IS" WITHOUT WARRANTY OF ANY KIND. BERG DISCLAIMS ALL WARRANTIES,
> > EITHER EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY.
> > IN NO EVENT SHALL BERG BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING
> > DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR
> > SPECIAL DAMAGES, EVEN IF BERG HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
> > DAMAGES. DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT
> > THE ADVISORY IS NOT MODIFIED IN ANY WAY.
> >
> > -------------------------------------[ security.instock.ru ]--------------
> > -----[ Bright Eyes Research Group | Advisory # be00001e ]-----------------
> >
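The check-then-decode ordering the quoted advisory describes, modelled in Python as an added example (it is not code from the advisory, from Nessus, or from the NASL plugin mentioned in the thread): a filter that inspects the request before decoding %u escapes, beside a canonicalize-first filter, both run over the request paths quoted above. Function names and the sample-request table are assumptions of this example.

```python
import re

# Request paths taken from the quoted advisory plus two controls (constructed input).
SAMPLE_REQUESTS = {
    "primary": "/scripts/..%u005c..%u005cwinnt/system32/cmd.exe",
    "slash":   "/scripts/..%u002f..%u002fwinnt/system32/cmd.exe",
    "double":  "/scripts/..%u00255c..%u00255cwinnt/system32/cmd.exe",
    "plain":   "/scripts/../../winnt/system32/cmd.exe",
    "benign":  "/scripts/report%20q3.exe",
}

TRAVERSAL = re.compile(r"\.\.[/\\]")                   # ../ or ..\ in decoded form
PERCENT_XX = re.compile(r"%([0-9a-fA-F]{2})")           # standard %XX escapes only
PERCENT_ANY = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")  # %uXXXX or %XX

def _decode(pattern, path):
    """One left-to-right decoding pass over the escapes that `pattern` matches."""
    return pattern.sub(lambda m: chr(int(next(g for g in m.groups() if g), 16)), path)

def canonicalize(path, max_rounds=4):
    """Decode %uXXXX and %XX repeatedly until the string stops changing; a
    double-encoded ..%u00255c needs two rounds. Returns None if it never settles."""
    for _ in range(max_rounds):
        decoded = _decode(PERCENT_ANY, path)
        if decoded == path:
            return path
        path = decoded
    return None

def flawed_filter(path):
    """Models the order the advisory describes: only the raw request and its
    plain %XX decoding are checked for ../ or ..\\; whatever survives is then
    fully decoded and interpreted. Returns the interpreted path or 'rejected'."""
    if TRAVERSAL.search(path) or TRAVERSAL.search(_decode(PERCENT_XX, path)):
        return "rejected"
    return canonicalize(path) or "rejected"

def hardened_filter(path):
    """Decode-then-check: canonicalize first, refuse input that never settles,
    and apply the traversal check to the final form the server would act on."""
    canonical = canonicalize(path)
    if canonical is None or TRAVERSAL.search(canonical) or "\x00" in canonical:
        return "rejected"
    return canonical

def compare(requests=SAMPLE_REQUESTS):
    """Return {name: (flawed_result, hardened_result)} for each sample request."""
    return {name: (flawed_filter(p), hardened_filter(p)) for name, p in requests.items()}

if __name__ == "__main__":
    for name, (flawed, hardened) in compare().items():
        print(f"{name:8} flawed={flawed!r:44} hardened={hardened!r}")
```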
This archive was generated by hypermail 2b30 : Wed Sep 19 2001 - 09:44:28 PDT