Penetration Testing mailing list archives
[PEN-TEST] FW: [PEN-TEST] IIS %c1%1c remote command execution
From: "Bernard, Shawn" <Shawn.Bernard () CERIDIAN COM>
Date: Thu, 19 Oct 2000 14:35:46 -0400
I think the post was more along the lines of this...

If your web root (inetpub) is located on a different drive letter than your OS is installed on, the vulnerability does not work as posted. I ran into that when I was testing some systems.

OS is installed on C: -- C:\WINNT

IIS web root is on D:\ -- D:\INETPUB

Now if I understand it correctly the problem is that in the example URL

http://address.of.iis5.system/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\

the ..%c1%1c.. translates into ../.. dropping you to the root of the drive that the web root resides on.

So if your webroot is C:\INETPUB the URL calls

C:\WINNT\SYSTEM32\CMD.EXE?/C+DIR+C\

So in your normal out of the box install it finds cmd.exe and runs a dir command.

If your webroot is D:\INETPUB the URL calls

D:\WINNT\SYSTEM32\CMD.EXE?/C+DIR+C\

In most cases (that I have worked with) you would not have the OS located there so the vulnerability would not work.
-----Original Message-----
From: Michael Katz [SMTP:mike () RESPONSIBLE COM]
Sent: Thursday, October 19, 2000 12:01 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] IIS %c1%1c remote command execution

On Thursday, October 19, 2000 8:19 AM, Critical Watch Bugtraqqer wrote:

> However, I haven't been able to find a use for this if the web site is on a separate drive. Ok, sure if there is a sample page that allows you to cruise around folders and look for interesting executables, or maybe perl.exe in the cgi-bin, you could use this exploit. But what else? Any thoughts?

You can get directory listings of any directory on any drive, including mapped drives, as well as read the contents of numerous files that you find - again, on any drive. I have confirmed this by successfully testing this exploit on vulnerable servers.

Michael Katz
Responsible Solutions, Ltd.
mike () responsible com
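For defenders reviewing web server logs, the check below is an added example (not code from either post) that flags request paths whose percent-decoded bytes only become a `..` traversal once a lax UTF-8 decoder folds them. The `lax_decode` model is an assumption about how a non-validating decoder behaves; under it `%c1%1c` folds to 0x5C, the backslash, which Windows treats as a path separator just like `/`. The sample URIs are constructed, the first being the path from the example URL above.

```python
from urllib.parse import unquote_to_bytes

def lax_decode(raw: bytes) -> str:
    """Assumed decoder model: folds any 2-byte sequence with a 110xxxxx lead
    byte, without checking the continuation byte or rejecting overlong forms."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def has_dotdot(path: str) -> bool:
    """True if any segment is '..', treating '\\' and '/' alike as Windows does."""
    return ".." in path.replace("\\", "/").split("/")

def inspect_uri(uri: str) -> dict:
    raw = unquote_to_bytes(uri.split("?", 1)[0])   # path only, percent-decoded
    try:
        raw.decode("utf-8")                        # strict: rejects 0xC0/0xC1 leads
        strict = True
    except UnicodeDecodeError:
        strict = False
    folded = lax_decode(raw)
    # Traversal that is invisible in the raw bytes but appears after folding.
    hidden = has_dotdot(folded) and not has_dotdot(raw.decode("latin-1"))
    return {"strict_utf8": strict, "folded": folded,
            "hidden_traversal": hidden, "flag": hidden or not strict}

# Constructed request URIs; the first is the example URL's path from the post.
SAMPLES = [
    "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\\",
    "/scripts/caf%c3%a9.asp",
    "/images/logo.gif",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        r = inspect_uri(uri)
        print(("FLAG " if r["flag"] else "ok   ") + uri, "->", r["folded"])
```

Flagging every path that fails strict UTF-8 decoding will also catch legitimately Latin-1 encoded URLs, so treat `hidden_traversal` as the high-confidence signal.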