I found this quite interesting. However, due to time constraints I didn't have long to sit here and play tonight :(. My tests were done using IIS 5.0 with Service Pack 2 and up to date with all hotfixes that pertain to it. In my tests I found that sending the % followed by any number and then any character will result in the strange event logs. I.e.: '%11' works just the same as '%1p' or '%9b' etc... But with that it will yield 2 event logs. (This does leave normal traces behind in the IIS logs, so it's not untraceable.) I haven't been able to get any similar results using anything other than '%' + num + any_char combinations. But like I said, all '%' + num + any_char combinations worked.

[Event Log 1 of 2 with %11]
Date: 5/28/2002
Time: 21:36
Type: Failure
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Source: Security
Category: Logon/Logoff
Event ID: 529
Description:
  Reason: Unknown user name or password
  User Name: %11
  Domain: %2
  Logon Type: %3
  Logon Process: %4
  Authentication Package: %5
  Workstation Name: %6

[Event Log 2 of 2 with %11]
Date: 5/28/2002
Time: 21:36
Type: Failure
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Source: Security
Category: Account Logon
Event ID: 681
Description:
  The logon to account: %11
  by: %1
  from workstation: %3
  failed. The error code was: %4

But what I found even more interesting is when we fill our username box in the authentication dialog. By sending

  '%1aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'

as our username we get much different results, as seen below. In the second event log under the User Name: there was, in the event log, a %1 followed by 25,600 a's. But for the sake of everyone else I shortened it :).
[Event Log 1 of 2 when filling the username box in the authentication dialog]
Date: 5/28/2002
Time: 21:45
Type: Success
User: SERVER\Administrator
Computer: SERVER
Source: Security
Category: Privilege Use
Event ID: 578
Description:
  Privileged object operation:
  Object Server: EventLog
  Object Handle: 0
  Process ID: 248
  Primary User Name: SERVER$
  Primary Domain: WORKGROUP
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: Administrator
  Client Domain: SERVER
  Client Login ID: (0x0,0xBDB5)
  Privileges: SeSecurityPrivilege

[Event Log 2 of 2 when filling the username box in the authentication dialog]
Date: 5/28/2002
Time: 21:45
Type: Failure
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Source: Security
Category: Logon/Logoff
Event ID: 537
Description:
  Logon Failure:
  Reason: An unexpected error occurred during logon
  User Name: %1(a * 25,600)
  Domain: %2
  Logon Type: %3
  Logon Process: %4
  Authentication Package: %5
  Workstation Name: %6

Like I said earlier, I haven't really had time to play with this at all. If anyone else finds anything interesting, post to the list 'cause I would definitely like to know :). Hopefully tomorrow will allow more time for play, hehe.

ZeroBreak (ZeroBreakat_private) or (ZeroBreakat_private)

-----Original Message-----
From: rootat_private [mailto:rootat_private]
Sent: Monday, May 27, 2002 4:37 PM
To: vuln-devat_private
Subject: Microsoft IIS - Possible authentication flaw?

Greetings,

I was playing around with Microsoft IIS 5.1 when I noticed something very weird.
If you go to a directory which has basic authentication enabled, and enter the string:

  %1p

as the login, it will put this into the event logs under the System subsection:

Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 100
Date: 14/05/2002
Time: 2:21:35 PM
User: N/A
Computer: WINDOWS
Description:
The server was unable to logon the Windows NT account '% 1pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp' due to the following error: %2
The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00   ....

(Note: The p after %1 can be any character it seems. I just used %1p as my example.)

---

If you enter the string:

  %2

as the login, it will also put this into the event logs under the System subsection:

Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 100
Date: 14/05/2002
Time: 2:24:20 PM
User: N/A
Computer: WINDOWS
Description:
The server was unable to logon the Windows NT account 'Logon failure: unknown user name or bad password. ' due to the following error: Logon failure: unknown user name or bad password.
The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00   ....

--

If you repeat %2, or %1p, it will produce longer entries in the event logs, depending on how many times you wish to repeat it. I've been playing with this for a while now, and it only appears that %2 and %1 (followed by a character) will cause these weird entries in the event logs.
I tested this on Windows XP Pro with all updates and patches, running IIS 5.1. Georgi Guninski confirmed that this format string "flaw" is present in Windows 2000 with IIS 5.0, as well as the Microsoft FTP service. I've given up on playing around with this "flaw", so I'm posting it to vuln-dev to let other people have a chance and see what else can be found.

Cheers,
0x00
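Both posts above note that the probes leave ordinary traces: the submitted username lands in the IIS log's cs-username field, and the Security/W3SVC events that result carry unexpanded %N insertion tokens in their descriptions. The following Python script is an added defensive example written for this page; it is not code from either poster or from Microsoft. It parses W3C extended log lines (the sample log, its IP addresses and field layout are constructed for the example), flags usernames that contain a '%' followed by a digit or that are overlong (the 64-character threshold is an assumption), and checks an exported event description for leftover insertion tokens, using the Event ID 529 text quoted in the thread.

```python
import re

# Matches a '%' followed by one or more digits: the insertion-string syntax that
# event log message templates use (%1, %2, ...), which the thread shows being
# carried from the submitted username into the rendered description.
INSERT_TOKEN = re.compile(r"%\d+")

# Constructed sample of an IIS 5.x W3C extended log (not taken from the post).
# Field layout and IP addresses are assumptions made for this example.
SAMPLE_IIS_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status",
    "2002-05-28 21:36:02 10.0.0.5 - 10.0.0.1 80 GET /private/ - 401",
    "2002-05-28 21:36:04 10.0.0.5 %11 10.0.0.1 80 GET /private/ - 401",
    "2002-05-28 21:36:09 10.0.0.5 %1p 10.0.0.1 80 GET /private/ - 401",
    "2002-05-28 21:45:10 10.0.0.5 %1" + "a" * 200 + " 10.0.0.1 80 GET /private/ - 401",
    "2002-05-28 21:50:00 10.0.0.7 jsmith 10.0.0.1 80 GET /private/report.htm - 200",
])

# Description of the Event ID 529 entry quoted in the thread, with the
# placeholders left exactly as the Event Viewer showed them.
EVENT_529_DESCRIPTION = (
    "Reason: Unknown user name or password User Name: %11 Domain: %2 "
    "Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6"
)


def parse_w3c(text):
    """Yield (line_number, {field: value}) for each data row of a W3C extended log.

    The '#Fields:' directive names the columns; values are space separated and
    IIS encodes any space inside a value as '+', so a plain split is safe.
    """
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data row before #Fields directive at line %d" % lineno)
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed row; a real tool would report it separately
        yield lineno, dict(zip(fields, values))


def flag_suspicious_usernames(text, max_len=64):
    """Return findings for cs-username values that look like the thread's probes.

    Two independent signals are checked: a '%' immediately followed by a digit
    anywhere in the name, and a name longer than max_len characters (the
    threshold is an assumption; pick one above your longest legitimate account).
    """
    findings = []
    for lineno, row in parse_w3c(text):
        user = row.get("cs-username", "-")
        if user == "-":  # anonymous request, nothing was submitted
            continue
        reasons = []
        if INSERT_TOKEN.search(user):
            reasons.append("insertion-token")
        if len(user) > max_len:
            reasons.append("overlong")
        if reasons:
            findings.append({
                "line": lineno,
                "client": row.get("c-ip"),
                "username": user[:32],  # truncate so the report stays readable
                "reasons": reasons,
            })
    return findings


def unexpanded_inserts(description):
    """Return the %N tokens still present in a rendered event description.

    A normally rendered Security event has every placeholder replaced; tokens
    left behind, as in the 529/681 entries quoted in the thread, mark an entry
    whose insertion strings were not substituted and deserve a closer look.
    """
    return INSERT_TOKEN.findall(description)


if __name__ == "__main__":
    for finding in flag_suspicious_usernames(SAMPLE_IIS_LOG):
        print(finding)
    print("unexpanded tokens in event 529:", unexpanded_inserts(EVENT_529_DESCRIPTION))
```

Run against a real log, the script reports the source address alongside each flagged name, so the 401 responses with '%' + digit usernames can be correlated with the 529/681 (or W3SVC 100) events written at the same time; the two checks are deliberately independent, since the thread shows short probes such as '%11' and the 25,600-character variant producing different event IDs.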
This archive was generated by hypermail 2b30 : Wed May 29 2002 - 02:39:24 PDT