Vulnerability Development mailing list archives
Re: iis 5 %00 null weirdness
From: Chris Katscher <spatch3 () yahoo com>
Date: 11 Feb 2004 21:17:33 -0000
In-Reply-To: <web-23498678 () gator darkhorse com>

I have no idea what is going on with this "vulnerability" but I can't find anything about it on Microsoft's site. They either don't know about it or are trying to keep it quiet. I will say this, scammers REALLY know about it. I have gotten two scam emails in the past few weeks using this vulnerability. Here:

From: "Flightiest G. Lever" <support () yahoo-services com>
Date: Sun, 25 Jan 2004 12:51:36 -0500
Subject: Important Information Regarding Your Account cO3VRQmN

The email looks very professional, in fact it fooled me into thinking it was an actual yahoo site that might have gotten r00ted by a scammer, and tries to get me to click on the link:

http://wallet.yahoo.com%00@211.174.60.96/manual/images/

Here is another example:

From: "_Yahoo*" <herb () zipolite com>
Date: Sat, 07 Feb 2004 14:27:37 -0500
Subject: _Your _Yahoo user id (spatch3 () yahoo com)

This is a very unprofessional email and tries to get you to click on the link:

http://Spatch.yahoo.com%00@%75%68%6b%72%6539%65%64%2e%44%61%2e%52%75/%3f%708%510%78

which I have decoded the domain to be:

uhkre39ed.Da.Ru/?p8Q0x

I have already sent complaint emails about these scams to the proper domain registrars, however what really bothers me is that IE is vulnerable to this type of human trickery. Even _I_ was fooled when I first saw it, and I don't fool easily. It wasn't until I copied the URL and then pasted it into notepad and then clicked on it in Netscape that I saw where the URL was really re-directing me to. Since this kind of hidden URL exploit doesn't work in Netscape 6.2 I'll definitely call it an IE 5.5 bug.

BTW: the characters before the @ must be: hex: 01 25 30 30 which looks like: %00

Hope this helps!

Chris Katscher
From: "wirepair" <wirepair () roguemail net>
Subject: iis 5 %00 null weirdness
To: vuln-dev () securityfocus com
Date: Thu, 11 Dec 2003 11:15:38 -0800
Message-ID: <web-23498678 () gator darkhorse com>

lo all,

While playing with IIS I was messing around with the old school webhits vuln, i tried injecting some null characters to see how it would respond. To my surprise I all of a sudden got the web page I requested (not the source, just the page). But the images were all broken, this obviously piqued my interest so i viewed the info of the page.

When requesting an asp page (or aspx), such as

http://iisserver/iisstart.asp%00/%00/%00/

you'll notice the image file now contains the path:

http://iisserver/iisstart.asp%00/%00/%00/pagerror.gif

Any link from the asp page requested will have the null bytes injected into its path. It isn't just nulls either, you can basically (after the first one) inject any string:

http://iisserver/iisstart.asp%00/%2e%2e/

shows the broken image as having the path:

http://iisserver/iisstart.asp%00/%2e%2e/pagerror.gif

Now i assume this isn't normal behaviour but my questions are:

A. Why is this happening? and
B. Is there any way we can take advantage of this?

I tried the obvious stuff like moving the pagerror.gif outside the webroot, and it still showed up as a broken image so i assume the %00 is causing the %2e%2e to not *actually* break the web root.

Any thoughts folks?

-wire
Everyone has a plan until they get hit.
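Both messages in this thread come down to the same parsing question: what does a URL containing `%00` actually resolve to? Chris's scam links hide the real host in the userinfo before `@`, and wirepair's IIS paths carry the null byte (and whatever follows it) into every link on the page. The following is an added example, written for this archive page and not code from either poster, showing the check a mail filter or link scanner can run: decode the URL the way a client would, report the host that would really be contacted, and flag the tricks discussed above. The function and field names (`analyze_link`, `triage`, `displayed_as`, `actual_host`) are my own; the sample inputs are the URLs quoted in the thread plus two constructed control links.

```python
"""Added example (not from the thread): resolve a URL the way a client would and
flag a fake hostname hidden before '@' or %00 / '..' injected into the path."""
import re
from urllib.parse import unquote

NULL_ESCAPE = re.compile(r"%00", re.IGNORECASE)


def split_authority(url):
    """Split 'scheme://authority/rest' without decoding anything yet."""
    scheme, sep, remainder = url.partition("://")
    if not sep:
        raise ValueError("expected an absolute URL with a scheme")
    # The authority ends at the first literal '/', '?' or '#'; an encoded
    # '%3f' or '%2f' does not end it, which is exactly what the scam relies on.
    m = re.search(r"[/?#]", remainder)
    cut = m.start() if m else len(remainder)
    return scheme.lower(), remainder[:cut], remainder[cut:]


def analyze_link(url):
    """Return what the link shows versus where it really goes, with reasons."""
    scheme, authority, rest = split_authority(url)
    # Everything before the last '@' is userinfo; the real host follows it.
    userinfo, at, hostport = authority.rpartition("@")
    if not at:
        userinfo, hostport = "", authority
    actual_host = unquote(hostport).split(":")[0].lower()   # IPv6 literals not handled
    decoded_path = unquote(rest)
    # What a casual reader sees: the text before the first %00 in the userinfo.
    displayed_as = unquote(NULL_ESCAPE.split(userinfo)[0])

    reasons = []
    if userinfo and scheme in ("http", "https"):
        reasons.append("credentials in an http(s) URL")
    if "." in displayed_as:
        reasons.append("userinfo looks like a hostname")
    if NULL_ESCAPE.search(userinfo):
        reasons.append("%00 before '@'")
    if "%" in hostport:
        reasons.append("percent-encoded host")
    if NULL_ESCAPE.search(rest):
        reasons.append("%00 in path")
    if re.search(r"(^|/)\.\.(/|$)", decoded_path):
        reasons.append("'..' segment after decoding")

    return {
        "scheme": scheme,
        "displayed_as": displayed_as,
        "actual_host": actual_host,
        "decoded_path": decoded_path,
        "reasons": reasons,
        "deceptive": bool(reasons),
    }


def triage(urls):
    """Return (url, actual_host, reasons) for each link that deserves a closer look."""
    return [(u, r["actual_host"], r["reasons"])
            for u in urls for r in [analyze_link(u)] if r["deceptive"]]


if __name__ == "__main__":
    SAMPLES = [
        # The two phishing links quoted in Chris Katscher's message.
        "http://wallet.yahoo.com%00@211.174.60.96/manual/images/",
        "http://Spatch.yahoo.com%00@%75%68%6b%72%6539%65%64%2e%44%61%2e%52%75/%3f%708%510%78",
        # The null-injected IIS image paths from wirepair's message.
        "http://iisserver/iisstart.asp%00/%00/%00/pagerror.gif",
        "http://iisserver/iisstart.asp%00/%2e%2e/pagerror.gif",
        # Constructed controls: a plain link and an ordinary anonymous-FTP link.
        "https://mail.example.com/inbox",
        "ftp://anonymous@ftp.example.org/pub/",
    ]
    for url, host, why in triage(SAMPLES):
        print(f"{host:20} <- {url}\n{'':20}    {', '.join(why)}")
```

Running it reports the second scam link as really pointing at `uhkre39ed.da.ru` with path `/?p8Q0x`, the same decoding Chris did by hand, while the anonymous-FTP control is left alone because userinfo only counts against a link when it looks like a hostname, carries `%00`, or appears in an http(s) URL.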
Current thread:
- Re: iis 5 %00 null weirdness Chris Katscher (Feb 15)
- <Possible follow-ups>
- Re: iis 5 %00 null weirdness securityfocus (Feb 16)
- Re: iis 5 %00 null weirdness Chris Katscher (Feb 16)