Reproduced against two default IIS installs (4.0 and 5.0):

http://host/msadc/..%u00255c..%u00255c..%u00255c..%u00255cwinnt/system32/cmd.exe?/c+dir+c:\

These boxes were vulnerable to Unicode and the double decode, so I can't say for certain whether this affects patched systems.

On Wednesday 19 September 2001 11:29 am, Felix Huber wrote:
> I just wrote a NASL for this bug. It's untested, but I hope it works.
> The problem was that I found no IIS where I could reproduce this error (I
> tested five IIS 4 and IIS 5 boxes).
> I will improve it when I find a working box ...
>
> Btw: I also updated the CF Admin test.
>
>
> Best regards
> Felix Huber
>
>
> -------------------------------------------------------
> Felix Huber, Security Consultant, Webtopia
> Guendlinger Str.2, 79241 Ihringen - Germany
> huberfelixat_private            (07668) 951 156 (phone)
> http://www.webtopia.de          (07668) 951 157 (fax)
>                                 (01792) 205 724 (mobile)
> -------------------------------------------------------
>
>
> From: "ALife // BERG" <buginfoat_private>
> To: <Bugtraqat_private>
> Sent: Wednesday, September 19, 2001 11:38 AM
> Subject: New vulnerability in IIS4.0/5.0
>
>
> > -----[ Bright Eyes Research Group | Advisory # be00001e ]-----------------
> >
> > Remote users can execute any command on several
> > IIS 4.0 and 5.0 systems by using UTF codes
> >
> > -------------------------------------[ security.instock.ru ]--------------
> >
> > Topic:      Remote users can execute any command on several
> >             IIS 4.0 and 5.0 systems by using UTF codes
> >
> > Announced:  2001-09-19
> > Credits:    ALife <buginfoat_private>
> > Affects:    Microsoft IIS 4.0/5.0
> >
> > --------------------------------------------------------------------------
> >
> > ---[ Description
> >
> > For example, the target has a virtual executable directory (e.g.
> > "scripts") that is located on the same drive as the Windows system.
> > Submit a request like this:
> >
> > http://target/scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+dir+c:\
> >
> > The directory listing of C:\ will be revealed.
> >
> > Of course, the same effect can be achieved by this kind of processing
> > of '/' and '.'. For example: "..%u002f", ".%u002e/", "..%u00255c",
> > "..%u0025%u005c" ...
> >
> > Note: the attacker can run commands only with the privileges of the
> > IUSR_machinename account.
> >
> > This is where things go wrong in IIS 4.0 and 5.0: IIS first scans
> > the given URL for ../ and ..\ and for the normal Unicode encodings of
> > these strings. If those are found, the string is rejected; if they are
> > not found, the string is decoded and interpreted. Since the filter
> > does NOT check for the huge number of overlong Unicode representations
> > of ../ and ..\, the filter is bypassed and the directory traversal
> > routine is invoked.
> >
> > ---[ Workarounds
> >
> > 1. Delete the executable virtual directory like /scripts etc.
> > 2. If an executable virtual directory is needed, we suggest you
> >    assign a separate local drive for it.
> > 3. Move all command-line utilities that could be used by an attacker
> >    to another directory, and forbid the GUEST group access to those
> >    utilities.
> >
> > ---[ Vendor Status
> >
> > 2001.09.19 We informed Microsoft of this vulnerability.
> >
> > ---[ Additional Information
> >
> > [1] RFC 1642 UTF-7 - A Mail-Safe Transformation Format of Unicode.
> >     RFC 2152
> > [2] RFC 2044 UTF-8, a transformation format of Unicode and ISO 10646.
> >     RFC 2279
> > [3] RFC 2253 Lightweight Directory Access Protocol (v3): UTF-8 String
> >     Representation of Distinguished Names.
> >
> > ---[ DISCLAIMER
> >
> > THE INFORMATION PROVIDED IS RELEASED BY BRIGHT EYES RESEARCH GROUP (BERG)
> > "AS IS" WITHOUT WARRANTY OF ANY KIND. BERG DISCLAIMS ALL WARRANTIES,
> > EITHER EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY.
> > IN NO EVENT SHALL BERG BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING
> > DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR
> > SPECIAL DAMAGES, EVEN IF BERG HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
> > DAMAGES. DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PERMITTED
> > PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.
> >
> > -------------------------------------[ security.instock.ru ]--------------
> > -----[ Bright Eyes Research Group | Advisory # be00001e ]-----------------

--
H D Moore
http://www.digitaldefense.net - work
http://www.digitaloffense.net - play
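The advisory's root cause is an ordering bug: the traversal check runs on the raw (and plainly %XX-decoded) URL, and the %uXXXX decoding happens afterwards, so "..%u005c" never looks like "..\" to the filter. The following Python is an added illustration written for this archive page; it is not code from H D Moore, Felix Huber, the BERG advisory, or IIS itself. It models the check-then-decode order the advisory describes as `vulnerable_filter`, and the hardened decode-then-check order as `safe_resolve`; the two-pass decoder, the three-round decoding limit, and the function names are this example's own simplifications and assumptions about IIS behaviour, not a description of the real IIS code. The sample paths are the ones quoted in the thread.

```python
import posixpath
import re

# Escape forms the advisory describes: the standard %XX form and the
# non-standard IIS %uXXXX form. One regex pass decodes both left to right.
_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
_PLAIN_ESCAPE = re.compile(r"%([0-9a-fA-F]{2})")
TRAVERSAL = ("../", "..\\")

# Constructed test requests: the paths quoted in the thread, paired with the
# executable virtual directory each one starts from (no live host involved).
PAYLOADS = [
    ("/scripts", "/scripts/..%u005c..%u005cwinnt/system32/cmd.exe"),
    ("/msadc", "/msadc/..%u00255c..%u00255c..%u00255c..%u00255cwinnt/system32/cmd.exe"),
    ("/scripts", "/scripts/..%u002f..%u002fwinnt/system32/cmd.exe"),
    ("/scripts", "/scripts/.%u002e/.%u002e/winnt/system32/cmd.exe"),
]


def decode_once(path: str) -> str:
    """One decoding pass over %XX and %uXXXX; anything else is left alone."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), path)


def vulnerable_filter(raw_path: str):
    """Model (an assumption, not IIS source) of the order the advisory
    describes: look for ../ or ..\\ in the raw request and in its plain
    %XX-decoded form, reject if found, otherwise decode (two passes, which
    is what the %u0025 double-encoded payload needs) and hand the result to
    the file system unchecked. Returns the path that would be opened, or
    None when the request is rejected."""
    plain = _PLAIN_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), raw_path)
    for candidate in (raw_path, plain):
        if any(t in candidate for t in TRAVERSAL):
            return None
    return decode_once(decode_once(raw_path))


def canonicalize(raw_path: str, max_rounds: int = 3):
    """Decode until the string stops changing, then normalise separators and
    dot segments. A path that is still changing after max_rounds passes is
    treated as hostile (None) instead of being decoded further."""
    s = raw_path
    for _ in range(max_rounds):
        d = decode_once(s)
        if d == s:
            break
        s = d
    else:
        return None
    return posixpath.normpath("/" + s.replace("\\", "/").lstrip("/"))


def safe_resolve(raw_path: str, vroot: str):
    """Hardened order: canonicalize first, then check that the result is
    still inside the virtual directory. Returns the canonical path or None."""
    canon = canonicalize(raw_path)
    if canon is None:
        return None
    if canon != vroot and not canon.startswith(vroot.rstrip("/") + "/"):
        return None
    return canon


if __name__ == "__main__":
    for vroot, raw in PAYLOADS:
        print(f"{raw}\n  check-then-decode -> {vulnerable_filter(raw)!r}"
              f"\n  decode-then-check -> {safe_resolve(raw, vroot)!r}")
    print(f"legitimate request: {safe_resolve('/scripts/sub%2Ffile.asp', '/scripts')!r}")
```

Every quoted payload slips past `vulnerable_filter` and comes out as a path that walks above the virtual directory, while a plain "..%2f..%2f" request is caught by the same filter, which is exactly the asymmetry the advisory points at. `safe_resolve` rejects all of them because it compares the fully decoded, normalised path against the virtual root rather than pattern-matching the encoded input; that check order, not a longer blocklist of encodings, is the durable fix.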
This archive was generated by hypermail 2b30 : Wed Sep 19 2001 - 09:56:00 PDT