Penetration Testing mailing list archives
Re: [PEN-TEST] ISS not detecting unicode bug??
From: Eric Budke <budke () BUDKE COM>
Date: Thu, 16 Nov 2000 15:53:27 -0500
Not having IIS 6.1 to test with or anything, but I would guess that in the rush to get a new vulnerability in, and using something of an 80-20 rule, IIS is only checking one or two directories when attempting to use the unicode hack. The popular bug is using the /scripts directory. If that isn't there or isn't executable, the check will probably come back that the server is not vulnerable. However, your /cgi-bin, /msadc, or other executable directories with the proper arguments are likely still vulnerable. There was some discussion a year or two ago on another list with the guys from ISS and NAI (and some others) going back and forth about how they actually test, the merits of basing it only off of a banner vs. going through with the actual penetration (especially in how it applies to DOS testing). Both ways have their merits, but neither tool is flawless. At 06:06 PM 11/15/00 -0500, you wrote:
I am trying to use ISS v6.1 with the latest vulnerability update (downloaded yesterday) which includes a check for the following: IIS UNICODE translation error allows remote command execution Risk Level: High Check or Attack Name: IisUnicodeTranslation I had to explicitly modify the L5 NT/IIS policy to check for this vuln. and I can see that it was checked for in the scan history, however it did not reveal the presence of the hole. The problem is, the hole exists and it didn't detect it. I feel that either I am doing something wrong, or the software isn't working properly. I am concerned that using this tool to perform scans is going to leave me misinformed. Comments/suggestions are appreciated...thanks! ----------------------------------------------- FREE! The World's Best Email Address @email.com Reserve your name now at http://www.email.com
-- PGP Key can be found at http://www.budke.com/pgp/budke_budke_com.txt
Current thread:
- [PEN-TEST] ISS not detecting unicode bug?? John Doe (Nov 16)
- Re: [PEN-TEST] ISS not detecting unicode bug?? Eric Budke (Nov 17)
- Re: [PEN-TEST] ISS not detecting unicode bug?? Alfred Huger (Nov 17)
- Re: [PEN-TEST] ISS not detecting unicode bug?? Mark Curphey (Nov 18)
- Re: [PEN-TEST] ISS not detecting unicode bug?? Eric Budke (Nov 20)
- Re: [PEN-TEST] ISS not detecting unicode bug?? Fred Mobach (Nov 20)
- Re: [PEN-TEST] ISS not detecting unicode bug?? Renaud Deraison (Nov 21)
- Re: [PEN-TEST] ISS not detecting unicode bug?? Alfred Huger (Nov 17)
- Re: [PEN-TEST] ISS not detecting unicode bug?? batz (Nov 20)
- Re: [PEN-TEST] ISS not detecting unicode bug?? Renaud Deraison (Nov 20)
- Re: [PEN-TEST] ISS not detecting unicode bug?? Eric Budke (Nov 17)
- <Possible follow-ups>
- Re: [PEN-TEST] ISS not detecting unicode bug?? Covington, James (ISS California) (Nov 17)
- Re: [PEN-TEST] ISS not detecting unicode bug?? Claudio Pino (Nov 17)