Re: double decode: to slash or not to slash.

From: H D Moore (hdmat_private)
Date: Wed Jul 04 2001 - 14:00:14 PDT


On Wednesday 04 July 2001 06:43 am, Roelof wrote:
> Hi all.
>
> Strange thing with the double decode problem on IIS. Refer:
> http://www.microsoft.com/technet/security/bulletin/MS01-026.asp
>
> Most scanners (including the Nessus plugin) check for the problem using
> the following string:
>
> /directory/..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir

Whoops, you are right. I have noticed the same behavior in the field with
both the Nessus plugin and my unicoder.pl script. Is it only the %255c
sequence that you have seen with this problem? Since %255c double-decodes to
"/", the problem could be that IIS is only allowing directory traversal
(via ..) when the target directory is double-encoded, so that the final ../ needs
to be ..%255c for it to go through.

-HD
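Stage-by-stage decoding of the probe path quoted above, as an added example that is not part of the original post, the Nessus plugin or unicoder.pl. Each %255c becomes %5c after one percent-decode and a backslash after a second; a segment walk that treats backslash as a path separator (as Windows does) only sees the ".." climbs at that second round, which is why a filter that decodes once and then checks the path passes the probe while a server that decodes again afterwards does not. The helper names, the segment-walk normaliser and the all-%255c variant of the probe are assumptions made here for illustration.

```python
"""
Stage-by-stage decoding of an IIS "double decode" probe path.

Added example for this thread; not code from the original post or from
the Nessus plugin / unicoder.pl mentioned there.  PROBE is the string
quoted in the thread; PROBE_ALL_ENCODED, the function names and the
segment-walk normaliser are assumptions made here for illustration.
"""
import re
from urllib.parse import unquote

# Probe string quoted in the thread (the part after '?' is a query, not a path).
PROBE = "/directory/..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir"

# Assumed variant with the final plain "../" also written as "..%255c".
PROBE_ALL_ENCODED = (
    "/directory/..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir"
)


def path_part(url_path: str) -> str:
    """Drop the query string; only the path is decoded and normalised."""
    return url_path.split("?", 1)[0]


def decode_stages(path: str, rounds: int = 2) -> list:
    """Return [raw, after one %-decode, after two %-decodes, ...].

    urllib's unquote is a single pass, so "%255c" -> "%5c" -> "\\".
    """
    stages = [path]
    for _ in range(rounds):
        path = unquote(path)
        stages.append(path)
    return stages


def lowest_depth(path: str) -> int:
    """Walk the path segments, treating both '/' and '\\' as separators,
    and return the lowest directory depth reached relative to the start.
    A negative value means the path climbed above its starting directory."""
    depth = lowest = 0
    for seg in re.split(r"[\\/]+", path):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            lowest = min(lowest, depth)
        else:
            depth += 1
    return lowest


def escape_visible_at(url_path: str, rounds: int = 2):
    """Return the decode round (0 = raw request) at which the traversal
    first becomes visible to the segment walk, or None if it never does
    within `rounds` decodes."""
    for i, stage in enumerate(decode_stages(path_part(url_path), rounds)):
        if lowest_depth(stage) < 0:
            return i
    return None


if __name__ == "__main__":
    for label, p in (("thread probe", PROBE), ("all %255c", PROBE_ALL_ENCODED)):
        for i, s in enumerate(decode_stages(path_part(p))):
            print(f"{label} round {i}: lowest depth {lowest_depth(s):+d}  {s}")
        print(f"{label}: traversal visible at decode round {escape_visible_at(p)}\n")
```

Both probe forms climb four levels above the starting directory, but only once the second decode has been applied; a plain "../../" is caught at round 0 and a single-encoded "..%5c.." at round 1. Whether a given IIS build actually reaches that second decode on the final "../" segment is exactly the question raised in the thread, and this example does not settle it.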


This archive was generated by hypermail 2b30 : Wed Jul 04 2001 - 17:26:47 PDT