Hi

Maybe the target system has installed the patch from MS00-078 (MS00-057). The following words are from NSFOCUS's explanation:

2. Will systems with the patch provided by MS00-078 (MS00-057) be affected?

MS00-078 and MS00-057 provide the same patch, which performs a check of the filename for ".\" and "./" after the first decoding. In case such characters exist, the request is denied. Thus, it only casually addresses the UNICODE vulnerability. By covering "./" or ".\" after the first decoding, an attacker can still successfully make use of the "Decoding error" vulnerability.

For example:

"..%255c..%255cwinnt/system32/cmd.exe" will be converted into "..%5c..%5cwinnt/system32/cmd.exe" after the first decoding. Thus the request can bypass the security check.

But "..%255c../winnt/system32/cmd.exe" will be converted into "..%5c../winnt/system32/cmd.exe" after the first decoding. Thus the attack fails, since the decoded name contains "./".

---Original Message---
From : Roelof <roelofat_private>
Date : Wed, 4 Jul 2001 13:43:21 +0200 (SAST)

> Hi all.
>
> Strange thing with the double decode problem on IIS. Refer:
> http://www.microsoft.com/technet/security/bulletin/MS01-026.asp
>
> Most scanners (including the Nessus plugin) check for the problem using
> the following string:
>
> /directory/..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir
>
> replace directory with an executable directory, and replace %255c with any
> combination of the double encoded string. It seems to work
> fine (I have seen this as the only vulnerability on a box and
> the scanner picks it up nicely). However... I have found two boxes (one
> IISv4 and one IISv5) where it does not work... the weird thing is this -
> the following string:
>
> /directory/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir
>
> DOES work. The only difference is the ../ in front of
> /winnt/system32/blah.
>
> A note - if you are using a scanner that only checks for the first string
> - please update - your site might be vulnerable. Arirang scanner does this
> check properly.
>
> Why is this so? Are there two different problems here? Any comments?
>
> Regards,
> Roelof.
>

Regards,
warning3 <warning3at_private>
http://www.nsfocus.com
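As an added illustration (not code from the thread, from NSFOCUS, or from Microsoft), the Python below models the two checks the reply describes and runs them over request paths constructed from the shapes quoted above: a filter that percent-decodes once and then looks for "./" or ".\", and a hardened filter that decodes until the string stops changing, maps both separators to "/", rejects anything that was double-encoded, and rejects any ".." segment. The `SAMPLES` paths, the function names and the `max_rounds` bound are my own assumptions; the single-decode filter is a model of the behaviour described in the thread, not the patch's actual code.

```python
import urllib.parse

# Constructed request paths modelled on the shapes quoted in the thread
# (query string omitted; the checks apply to the path component only).
SAMPLES = {
    "double_encoded_no_slash": "/scripts/..%255c..%255cwinnt/system32/cmd.exe",
    "double_encoded_with_slash": "/scripts/..%255c../winnt/system32/cmd.exe",
    "single_encoded": "/scripts/..%5c..%5cwinnt/system32/cmd.exe",
    "benign": "/scripts/report.asp",
}


def decode_once(path: str) -> str:
    """One pass of percent-decoding: '%255c' becomes '%5c', '%5c' becomes '\\'."""
    return urllib.parse.unquote(path)


def flawed_check_allows(path: str) -> bool:
    """Model (an assumption, not the patch's real code) of the check the reply
    describes: decode once, then deny if './' or '.\\' is present.  A doubly
    encoded separator is still '%5c' after one pass, so it slips through."""
    once = decode_once(path)
    return "./" not in once and ".\\" not in once


def canonicalize(path: str, max_rounds: int = 4) -> str:
    """Percent-decode until the string stops changing (bounded so a crafted
    input cannot loop forever), then map '\\' to '/' so both separators
    compare alike.  This is the form a filter or log matcher should inspect."""
    current = path
    for _ in range(max_rounds):
        decoded = decode_once(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def hardened_check_allows(path: str) -> bool:
    """Reject double-encoded input outright (a legitimate client never needs
    to send it), then reject any '..' segment in the canonical form."""
    once = decode_once(path)
    if decode_once(once) != once:
        return False  # decoding a second time still changed it: double-encoded
    segments = canonicalize(path).split("/")
    return ".." not in segments


def compare(path: str) -> dict:
    """Side-by-side verdicts for one path, handy for a quick table."""
    return {
        "path": path,
        "after_one_decode": decode_once(path),
        "canonical": canonicalize(path),
        "single_decode_filter": "allow" if flawed_check_allows(path) else "deny",
        "hardened_filter": "allow" if hardened_check_allows(path) else "deny",
    }


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        row = compare(sample)
        print(f"{name:26} single-decode={row['single_decode_filter']:5} "
              f"hardened={row['hardened_filter']:5} canonical={row['canonical']}")
```

Running it shows the asymmetry Roelof observed: the "..%255cwinnt" form passes the single-decode filter because nothing after one pass looks like "./", while the "..%255c../winnt" form is denied because the literal "../" is already visible. Both canonicalize to the same "../../winnt/..." path and both are denied by the hardened filter. The same lesson applies to detection: a scanner signature or log rule keyed on the literal "../" variant misses the other, so match on the canonicalized path rather than the raw request. Rejecting all double-encoded input is a deliberate strictness that will also refuse a filename containing a literal "%25"; relax it if that matters for your application.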
This archive was generated by hypermail 2b30 : Wed Jul 04 2001 - 19:34:17 PDT