Re: double decode: to slash or not to slash.

From: warning3 (warning3at_private)
Date: Wed Jul 04 2001 - 17:53:55 PDT


    Hi
    
    Maybe the target system has installed the patch from MS00-078 (MS00-057).
    
    The following words are from NSFOCUS's explanation:
    
    2. Will systems with patch provided by MS00-078(MS00-057) be affected?
    
       MS00-078 and MS00-057 provide the same patch, which performs a
       check of the filename for ".\" and "./" after the first decoding. In case
       such characters exist, the request would be denied. Thus, it only
       casually addresses the UNICODE vulnerability. By covering "./" or ".\" after
       the first decoding, an attacker can still successfully make use of the
       "Decoding error" vulnerability.
       
       For example:
    
       "..%255c..%255cwinnt/system32/cmd.exe"
       will be converted into 
       "..%5c..%5cwinnt/system32/cmd.exe"
       after the first decoding. Thus the request can bypass the security 
       check.
    
       But
       "..%255c../winnt/system32/cmd.exe"
       will be converted into 
       "..%5c../winnt/system32/cmd.exe"
       after the first decoding. Thus the attack fails since the decoded 
       name contains './'.
    
    
    
    ---Original Message---
    From : Roelof <roelofat_private>
    Date : Wed, 4 Jul 2001 13:43:21 +0200 (SAST)
    
    > Hi all.
    > 
    > Strange thing with double decode problem on IIS. Refer:
    > http://www.microsoft.com/technet/security/bulletin/MS01-026.asp
    > 
    > Most scanners (including the Nessus plugin) check for the problem using
    > the following string:
    > 
    > /directory/..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir
    > 
    > replace directory with an executable directory, and replace %255c with any
    > combination of the double encoded string. It seems to work
    > fine (I have seen this as the only vulnerability on a box and 
    > the scanner picks it up nicely) However...I have found two boxes (one
    > IISv4 and one IISv5) where it does not work...the weird thing is this -
    > the following string:
    > 
    > /directory/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir
    > 
    > DOES work. The only difference is the ../ in front of
    > /winnt/system32/blah.
    > 
    > A note - if you are using a scanner that only checks for the first string
    > - please update - your site might be vulnerable. Arirang scanner does this
    > check properly. 
    > 
    > Why is this so? Are there two different problems here? Any comments?
    > 
    > Regards,
    > Roelof.
    
    Regards,
    warning3 <warning3at_private>
    http://www.nsfocus.com
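As an added illustration (not code from the thread, from NSFOCUS or from Microsoft), the following Python models the two-stage decoding the explanation above describes: a patch-style check that only inspects the path after the first decoding, next to a detection rule that decodes twice and therefore flags both request forms from the thread. The check logic is a model of the described behaviour, not IIS source; the sample paths are constructed.

```python
"""Model of the MS00-078-style check vs. the IIS double-decode bug.

Assumption: the check rejects any path containing "./" or ".\\" after the
FIRST %-decoding, as the quoted explanation describes; IIS then decoded the
name a second time, which is where %255c became a backslash.
"""
from urllib.parse import unquote

SEP_PATTERNS = ("./", ".\\")


def first_decode_check_passes(raw_path: str) -> bool:
    """True if the modelled check would let the request through."""
    once = unquote(raw_path)          # only the first decoding is inspected
    return not any(p in once for p in SEP_PATTERNS)


def double_decoded(raw_path: str) -> str:
    """The name IIS ultimately operated on: the path decoded twice."""
    return unquote(unquote(raw_path))


def traversal_after_double_decode(raw_path: str) -> bool:
    """Detection rule: a second decoding pass reveals a parent-directory
    step ("../" or "..\\") that was hidden by double encoding."""
    once = unquote(raw_path)
    twice = unquote(once)
    hidden = any(p in twice for p in ("../", "..\\"))
    return hidden and once != twice


def classify(raw_path: str) -> dict:
    """Summarise how a request fares against the check and the detector."""
    return {
        "passes_first_decode_check": first_decode_check_passes(raw_path),
        "decoded_twice": double_decoded(raw_path),
        "double_decode_traversal": traversal_after_double_decode(raw_path),
    }


if __name__ == "__main__":
    # Constructed sample request paths; the two traversal forms are the
    # ones discussed in the thread, the third is benign.
    for path in (
        "/directory/..%255c..%255cwinnt/system32/cmd.exe",
        "/directory/..%255c../winnt/system32/cmd.exe",
        "/directory/index.html",
    ):
        print(path, classify(path))
```

Run on the three constructed paths, the modelled check passes the all-%255c form and blocks the form ending in "../", while the double-decoding detector flags both and ignores the benign path.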
    This archive was generated by hypermail 2b30 : Wed Jul 04 2001 - 19:34:17 PDT