Security Incidents mailing list archives
RE: Unicode Attack
From: "James C Slora Jr" <Jim.Slora () phra com>
Date: Thu, 14 Nov 2002 18:19:59 -0500
Looking for some enlightenment. Comments and question inline. Information Security wrote Wednesday, November 13, 2002 1:27 PM
2002-11-12 13:00:37 210.201.100.253 - x.x.x.17 80 GET /scripts/..%5c../..%5c../..%5cwinnt/system32/cmd.exe /c+dir 200 1849 321 31 HTTP/1.1 63.241.137.233 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) - -
It's been my experience that the actual URL probably sent to your server
was
/scripts/..%255c../..%255c../..%255cwinnt/system32/cmd.exe?/c+dir. If you type that into your browser, you'll probably have success.
This fits my experience exactly. The attack performed from a browser or script uses %255c.. but Snort always logs it as %5c.
You would see this entry on any proxy device in front of the web server. IIS and Snort (IMHO) appropriately run a single URL decode on the request, which pretty much follows URI RFC specs, so that's not really a
bug. Are you saying that Snort has performed one level of Unicode translation before it creates its hex-level packet dumps? This seems to fit the output, but it contradicts the expectation that Snort is displaying exactly what was on the wire in hex format. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Unicode Attack Jeremy Junginger (Nov 13)
- Re: Unicode Attack Daniel Polombo (Nov 13)
- Re: Unicode Attack Nick FitzGerald (Nov 14)
- <Possible follow-ups>
- RE: Unicode Attack Information Security (Nov 14)
- RE: Unicode Attack James C Slora Jr (Nov 14)
- RE: Unicode Attack Palmer, Justin (Nov 14)
- RE: Unicode Attack Information Security (Nov 15)