Vulnerability Development mailing list archives
Re: double decode: to slash or not to slash.
From: warning3 <warning3 () nsfocus com>
Date: Thu, 05 Jul 2001 08:53:55 +0800
Hi

Maybe the target system has installed the patch from MS00-078 (MS00-057). The following words are from NSFOCUS's explanation:

2. Will systems with the patch provided by MS00-078 (MS00-057) be affected?

MS00-078 and MS00-057 provide the same patch, which performs a check of the filename for ".\" and "./" after the first decoding. In case such characters exist, the request would be denied. Thus, it only casually addresses the UNICODE vulnerability. By covering "./" or ".\" after the first decoding, an attacker can still successfully make use of the "Decoding error" vulnerability.

For example: "..%255c..%255cwinnt/system32/cmd.exe" will be converted into "..%5c..%5cwinnt/system32/cmd.exe" after the first decoding. Thus the request can bypass the security check. But "..%255c../winnt/system32/cmd.exe" will be converted into "..%5c../winnt/system32/cmd.exe" after the first decoding. Thus the attack fails since the decoded name contains "./".

---Original Message---
From : Roelof <roelof () sensepost com>
Date : Wed, 4 Jul 2001 13:43:21 +0200 (SAST)
Hi all.

Strange thing with the double decode problem on IIS. Refer: http://www.microsoft.com/technet/security/bulletin/MS01-026.asp

Most scanners (including the Nessus plugin) check for the problem using the following string:

/directory/..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir

Replace "directory" with an executable directory, and replace %255c with any combination of the double-encoded string. It seems to work fine (I have seen this as the only vulnerability on a box and the scanner picks it up nicely). However... I have found two boxes (one IIS v4 and one IIS v5) where it does not work... the weird thing is this: the following string:

/directory/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir

DOES work. The only difference is the ../ in front of /winnt/system32/blah.

A note: if you are using a scanner that only checks for the first string, please update; your site might be vulnerable. Arirang scanner does this check properly.

Why is this so? Are there two different problems here? Any comments?

Regards,
Roelof.
Regards, warning3 <warning3 () nsfocus com> http://www.nsfocus.com