Re: [PEN-TEST] ISS not detecting unicode bug??

[Eric Budke <budke () BUDKE COM>]

Not having IIS 6.1 to test with or anything, but I would guess that in the
rush to get a new vulnerability in, and using something of an 80-20 rule,
IIS is only checking one or two directories when attempting to use the
unicode hack. The popular bug is using the /scripts directory. If that
isn't there or isn't executable, the check will probably come back that the
server is not vulnerable. However, your /cgi-bin, /msadc, or other
executable directories with the proper arguments are likely still vulnerable.

There was some discussion a year or two ago on another list with the guys
from ISS and NAI (and some others) going back and forth about how they
actually test, the merits of basing it only off of a banner vs. going
through with the actual penetration (especially in how it applies to DOS
testing). Both ways have their merits, but neither tool is flawless.

At 06:06 PM 11/15/00 -0500, you wrote:
> I am trying to use ISS v6.1 with the latest vulnerability update (downloaded
> yesterday) which includes a check for the following:
>
> IIS UNICODE translation error allows remote command execution
> Risk Level:   High Check or Attack Name: IisUnicodeTranslation
>
> I had to explicitly modify the L5 NT/IIS policy to check for this vuln. and
> I can see that it was checked for in the scan history, however it did not
> reveal the presence of the hole.
>
> The problem is, the hole exists and it didn't detect it. I feel that either
> I am doing something wrong, or the software isn't working properly. I am
> concerned that using this tool to perform scans is going to leave me
> misinformed.
>
> Comments/suggestions are appreciated...thanks!
>
>
> -----------------------------------------------
> FREE! The World's Best Email Address @email.com
> Reserve your name now at http://www.email.com

--
PGP Key can be found at http://www.budke.com/pgp/budke_budke_com.txt