Security Incidents mailing list archives
Re: Unicode Attack
From: Daniel Polombo <polombo () cartel-securite fr>
Date: 13 Nov 2002 20:27:41 +0100
On Wed 13/11/2002 at 15:51, Jeremy Junginger wrote:
Web log entries: 2002-11-12 13:00:37 210.201.100.253 - x.x.x.17 80 GET /scripts/..%5c../..%5c../..%5cwinnt/system32/cmd.exe /c+dir 200 1849 321
Mmh, here you have a "normal" cmd.exe request: system32/cmd.exe
INTERESTING NOTE: The web logs indicate that the URL Requested was (correct me if I'm wrong) http://x.x.x.17/scripts/..%5c..%5c..%5cwinnt/system32.cmd.exe?/c+dir (possibly with a c:\ at the end). When running this URL against the server, it produces a 404 error on the server rather than listing the drive contents.
And here you have system32.cmd.exe, which unsurprisingly produces a 404. What *is* surprising is that the webserver logs don't show the actual path.
3) Since there are few (if any) thorough Unicode scanners, is it possible to write a perl script that could check for all possible Unicode variants on a given web server to test the effectiveness of the URLSCAN and IISLOCKDOWN utilities (pre-change/post-change pen-test)? I have some "shell" programs like uni.pl, but am a little confused about how to generate all of the possible combinations.
Unfortunately, you have to try and generate a list of possible combinations all by yourself:

- there are a number of possibilities to build a '/' or '\' using the unicode double decode thingie IIS is so proud of (must be, or they'd have removed it long ago). Learn more about them here: http://www.wiretrip.net/rfp/p/doc.asp/i7/d57.htm

- there are countless possibilities to build a path going to cmd.exe. Most of them should begin with a folder in your webroot from which the webserver is able to execute scripts (i.e., /scripts, /_vti_bin, and so on).

Assuming you wish to generate such a list yourself, IIS shell (yet another unicode exploit) uses a plain text file as a list of paths to check for on the server. Find it here: http://www.cartel-securite.net/res/iisshell-1.3.tgz

Hope this helps,
Daniel
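As an added, defender-side example (not part of the thread): a small Python log checker that decodes each logged request path the way the flawed IIS decoder effectively did (repeated percent-decoding, overlong UTF-8 slashes, backslashes) and flags any request that climbs out of the webroot or names cmd.exe, whatever the status code, since, as noted above, a 404 in the log does not mean the variant was harmless. The log lines are constructed; the first is the one quoted in the thread, the others are the same request in the double-decode and overlong-UTF-8 encodings.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in the IIS W3C format used in the thread.
# The first line is the request quoted in the thread; the second uses the
# double-decode form (%255c -> %5c -> '\'), the fourth the overlong UTF-8 '/'.
SAMPLE_LOG = """\
2002-11-12 13:00:37 210.201.100.253 - x.x.x.17 80 GET /scripts/..%5c../..%5c../..%5cwinnt/system32/cmd.exe /c+dir 200 1849 321
2002-11-12 13:00:38 210.201.100.253 - x.x.x.17 80 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 404 0 321
2002-11-12 13:01:02 10.0.0.5 - x.x.x.17 80 GET /index.htm - 200 5120 300
2002-11-12 13:01:10 10.0.0.6 - x.x.x.17 80 GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe /c+dir 200 1849 321
"""

# Overlong UTF-8 encodings of '/' and '\' that the vulnerable decoder accepted.
OVERLONG = re.compile(r"%c0%af|%c1%9c|%c0%2f|%c1%1c", re.IGNORECASE)

def normalize_path(raw, max_rounds=3):
    """Percent-decode repeatedly (so %255c -> %5c -> '\\'), fold overlong
    sequences and backslashes into '/', and stop once a round changes nothing."""
    path = raw
    for _ in range(max_rounds):
        step = OVERLONG.sub("/", path)
        step = unquote(step, encoding="latin-1").replace("\\", "/")
        if step == path:
            break
        path = step
    return path.lower()

def escapes_webroot(path):
    """True if the '..' segments of a decoded path climb above the webroot."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def find_traversal(log_text):
    """Return (client_ip, raw_uri, status) for every request whose decoded
    path leaves the webroot or targets cmd.exe, regardless of HTTP status."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue
        ip, uri, status = fields[2], fields[7], fields[9]
        norm = normalize_path(uri)
        if escapes_webroot(norm) or "cmd.exe" in norm:
            hits.append((ip, uri, status))
    return hits
```

Running `find_traversal(SAMPLE_LOG)` flags the three cmd.exe requests, including the one the server answered with a 404, and leaves the /index.htm request alone.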
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com