Bugtraq mailing list archives
RE: Tests about semicolon zero-day (BID 37460)
From: "Nelson Brito" <nbrito () sekure org>
Date: Tue, 29 Dec 2009 19:03:59 -0200
Okay, here is a good question after read the updated version of HD Moore Blog post [1]: (btw, that is the same question we are talking in twitter) - Based on the blog post "Results of Investigation into Holyday ISS Claim" (MSRC) [2], there is no vulnerability related to this case, right? BUT... If a user has a weak password, a guessable password, you can GUESS the user's password and get the user's access... Getting all the privileges he/she has. Okay, I know that there are a lot of best practices floating around, describing many, many ways to enforce the users to create a strong password instead... But according to my experience in pen-tests, the easiest way to get a system access is guessing users' passwords. RIGHT? In a dynamic WWW, things change and "'write' and 'execute' privileges on the same directory" (QUOTED) [2] is not a "IMPOSSIBLE AND UNBELIEVABLE" thing. "If the weather is good, the waves are good... Let's surfing!" So I think they should change the term "not a vulnerability" to "vulnerabilistic feature"... I know that this word does not exist, anyway. =) PS: Don't send me any flame if you didn't check the "vulnerability" [3] definition. [1] http://blog.metasploit.com/2009/12/exploiting-microsoft-iis-with.html [2] http://blogs.technet.com/msrc/archive/2009/12/29/results-of-investigation-into-h oliday-iis-claim.aspx [3] http://en.wikipedia.org/wiki/Vulnerability_(computing) /* * $Id: .siganture,v 1.3 2009-12-11 09:22:54-02 nbrito Exp $ * * Author: Nelson Brito <nbrito [at] sekure [dot] org> Copyright(c) 2004-2009 Nelson Brito. All rights reserved worldwide. http://fnstenv.blogspot.com */
-----Original Message----- From: Crash - DcLabs [mailto:crashbrz () gmail com] Sent: Monday, December 28, 2009 8:28 PM To: bugtraq () securityfocus com Subject: Tests about semicolon zero-day (BID 37460) Tests about semicolon zero-day (BID 37460) Tests in Windows XP SP3 and IIS 5.1 The results are: 18:21:18 172.16.5.79 GET /t.asp;.jpg 200 The file founded, but not interpreted! IIS print the asp souce code at screen. Testing in 2003 Server IIS 6.0 SP 2 works perfect! the .jpg is interpreted as .asp 2009-12-28 18:56:37 W3SVC1 172.16.5.79 GET /t.asp;.jpg - 80 - 172.16.6.16 Mozilla/4.0+(compatible;+MSIE+ 8.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.N ET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.0.4506.2152;+.NET+C LR+3.5.30729) 200 0 0 Testing in 2008 Server IIS 7.0 SP1 Return same Windows XP, source code printed at screen. ------------------- Crash DcLabs
Current thread:
- Tests about semicolon zero-day (BID 37460) Crash - DcLabs (Dec 29)
- RE: Tests about semicolon zero-day (BID 37460) Nelson Brito (Dec 29)
- RE: Tests about semicolon zero-day (BID 37460) Nelson Brito (Dec 30)
- <Possible follow-ups>
- Re: RE: Tests about semicolon zero-day (BID 37460) crashbrz (Dec 30)