Greetings,

I was playing around with Microsoft IIS 5.1 when I noticed something very weird. If you go to a directory which has basic authentication enabled, and enter the string %1p as the login, it will put this into the event logs under the system subsection:

Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 100
Date: 14/05/2002
Time: 2:21:35 PM
User: N/A
Computer: WINDOWS
Description:
The server was unable to logon the Windows NT account '% 1ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp pppppppppppppppppppppppppppppppppppppppp' due to the following error: %2 The data is the error code. For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00 ....

(Note: the p after %1 can be any character, it seems. I just used %1p as my example.)

---

If you enter the string %2 as the login, it will also put this into the event logs under the system subsection:

Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 100
Date: 14/05/2002
Time: 2:24:20 PM
User: N/A
Computer: WINDOWS
Description:
The server was unable to logon the Windows NT account 'Logon failure: unknown user name or bad password. ' due to the following error: Logon failure: unknown user name or bad password. The data is the error code. For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00 ....

--

If you repeat %2 or %1p, it will produce longer entries in the event logs, depending on how many times you wish to repeat it.
I've been playing with this for a while now, and it only appears that %2 and %1 (followed by a character) will cause these weird entries in the event logs. I tested this on Windows XP Pro with all updates and patches, running IIS 5.1. Georgi Guninski confirmed that this format string "flaw" is present in Windows 2000 with IIS 5.0, as well as the Microsoft FTP service.

I've given up on playing around with this "flaw", so I'm posting it to vuln-dev to let other people have a chance and see what else can be found.

Cheers,
0x00
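An added example, not part of the post or of any Microsoft code: a small Python model of how a %N insertion sequence placed in the account name can end up expanded in the logged message, next to a single-pass expansion that never rescans substituted text, plus a check a defender can run over the account field of Event 100 entries. The two-pass expansion is my assumption of a mechanism consistent with the %2 observation above, not something the post establishes; the message template and error text are the ones quoted in the post.

```python
import re

# Event 100 message text as quoted in the post; %1 is the account name,
# %2 is the error text (FormatMessage-style insertion strings).
TEMPLATE = ("The server was unable to logon the Windows NT account '%1' "
            "due to the following error: %2")
ERROR_TEXT = "Logon failure: unknown user name or bad password."

# A %N insertion sequence (single digit is enough for this template).
INSERT = re.compile(r"%(\d)")


def expand_once(template, inserts):
    """Single-pass expansion: every %N in `template` is replaced by inserts[N-1];
    the substituted text itself is never rescanned, so a %N arriving inside an
    insert stays literal. Unknown %N sequences are left untouched."""
    def repl(m):
        idx = int(m.group(1)) - 1
        return inserts[idx] if 0 <= idx < len(inserts) else m.group(0)
    return INSERT.sub(repl, template)


def render_safe(account, error):
    """Correct behaviour: one expansion pass over the fixed template only."""
    return expand_once(TEMPLATE, [account, error])


def render_unsafe(account, error):
    """Assumed model of the flaw: the already-expanded message is run through
    the expander a second time, so %N sequences that came from the untrusted
    account name are honoured. With account '%2' the error text ends up in
    the account position, matching the second log entry in the post."""
    first_pass = expand_once(TEMPLATE, [account, error])
    return expand_once(first_pass, [account, error])


def looks_like_insertion_probe(account):
    """Detection hint: a logon name carrying %N sequences is not a plausible
    user name and is worth flagging when reviewing W3SVC Event 100 entries."""
    return INSERT.search(account) is not None


if __name__ == "__main__":
    for name in ("alice", "%2", "%1p"):  # constructed sample logon names
        print("safe  :", render_safe(name, ERROR_TEXT))
        print("unsafe:", render_unsafe(name, ERROR_TEXT))
        print("probe?:", looks_like_insertion_probe(name))
```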
This archive was generated by hypermail 2b30 : Tue May 28 2002 - 09:13:14 PDT