Vulnerability Development mailing list archives

Re: iis 5 %00 null weirdness


From: Chris Katscher <spatch3 () yahoo com>
Date: 11 Feb 2004 21:17:33 -0000

In-Reply-To: <web-23498678 () gator darkhorse com>

I have no idea what is going on with this "vulnerability", but I can't find anything about it on Microsoft's site. They either don't know about it or are trying to keep it quiet. I will say this: scammers REALLY know about it. I have gotten two scam emails in the past few weeks using this vulnerability.

Here:
From: "Flightiest G. Lever" <support () yahoo-services com>   
Date: Sun, 25 Jan 2004 12:51:36 -0500 
Subject: Important Information Regarding Your Account cO3VRQmN 

The email looks very professional; in fact it fooled me into thinking it was an actual Yahoo site that might have gotten r00ted by a scammer. It tries to get me to click on the link:

http://wallet.yahoo.com%00@211.174.60.96/manual/images/


Here is another example:
From: "_Yahoo*" <herb () zipolite com>
Date: Sat, 07 Feb 2004 14:27:37 -0500 
Subject: _Your _Yahoo user id (spatch3 () yahoo com) 

This is a very unprofessional email and tries to get you to click on the link:

http://Spatch.yahoo.com%00@%75%68%6b%72%6539%65%64%2e%44%61%2e%52%75/%3f%708%510%78

Which I have decoded the domain to be:

uhkre39ed.Da.Ru/?p8Q0x

I have already sent complaint emails about these scams to the proper domain registrars; however, what really bothers me is that IE is vulnerable to this type of human trickery. Even _I_ was fooled when I first saw it, and I don't fool easily. It wasn't until I copied the URL, pasted it into Notepad and then clicked on it in Netscape that I saw where the URL was really redirecting me to. Since this kind of hidden-URL exploit doesn't work in Netscape 6.2, I'll definitely call it an IE 5.5 bug.

BTW:  the characters before the @ must be:
hex:  01 25 30 30
which looks like:
%00

Hope this helps!
Chris Katscher
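As an added example (not part of either post above), the following Node.js script takes the scam URLs apart the way RFC 3986 defines the authority: it runs from "//" to the next "/", "?" or "#", and anything before the last "@" inside it is userinfo, never the host. That is exactly the trick: "wallet.yahoo.com%00" is a username, and the host the browser really contacts is what follows the "@". The script also percent-decodes the second scam's host, shows what a NUL-truncating renderer would display, and flags userinfo that looks like a hostname or carries control characters. The spoof heuristic is my own and the raw-0x01 variant is constructed from the hex dump quoted in the post.

```javascript
// Added example (not from the original posts): take a URL apart the way
// RFC 3986 defines the authority, so the host that will actually be contacted
// is recovered from a "trusted-name%00@real-host/..." phishing URL.

// The two scam URLs quoted in the post, plus the raw-0x01 variant the post
// describes (bytes 01 25 30 30 before the "@"), constructed here from that hex.
const SCAM_URLS = [
  "http://wallet.yahoo.com%00@211.174.60.96/manual/images/",
  "http://Spatch.yahoo.com%00@%75%68%6b%72%6539%65%64%2e%44%61%2e%52%75/%3f%708%510%78",
  "http://wallet.yahoo.com\x01%00@211.174.60.96/manual/images/",
];

// decodeURIComponent throws on malformed escapes (e.g. a lone "%"); fall back
// to the raw string so analysis of hostile input never aborts.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Split an absolute URL into its parts. The authority is everything between
// "//" and the first "/", "?" or "#"; everything before the LAST "@" inside the
// authority is userinfo, never host. IPv6 literals are not handled here.
function dissectUrl(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):\/\/([^/?#]*)([\s\S]*)$/.exec(url);
  if (!m) throw new Error("not an absolute URL with an authority: " + url);
  const [, scheme, authority, rest] = m;
  const at = authority.lastIndexOf("@");
  const userinfo = at === -1 ? null : authority.slice(0, at);
  const hostport = at === -1 ? authority : authority.slice(at + 1);
  let host = hostport;
  let port = null;
  const colon = hostport.lastIndexOf(":");
  if (colon !== -1 && /^\d+$/.test(hostport.slice(colon + 1))) {
    host = hostport.slice(0, colon);
    port = Number(hostport.slice(colon + 1));
  }
  // DNS names are case-insensitive and may arrive percent-encoded, as in the
  // second scam URL, so normalise before comparing against an allow-list.
  host = safeDecode(host).toLowerCase();
  // Note: "%3f" in the second URL is a literal "?" inside the PATH, not a query
  // separator; the decoded "rest" is for display only.
  return { scheme: scheme.toLowerCase(), userinfo, host, port, rest: safeDecode(rest) };
}

// What a renderer that treats NUL as end-of-string (C semantics) would display:
// everything up to the first raw 0x00 or "%00".
function nulTruncatedView(url) {
  const cut = url.search(/\x00|%00/i);
  return cut === -1 ? url : url.slice(0, cut);
}

// Heuristic: userinfo that looks like a hostname, or that carries control
// characters (raw C0 bytes or %00-%1F escapes), is a strong phishing signal.
// Legitimate "user:pass@" credentials trigger neither test.
function looksLikeHostSpoof(url) {
  const { userinfo } = dissectUrl(url);
  if (userinfo === null) return false;
  const hasControl = /[\x00-\x1f]/.test(userinfo) || /%[01][0-9a-f]/i.test(userinfo);
  const stripped = safeDecode(userinfo).replace(/[\x00-\x1f]/g, "");
  const hostLike = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(stripped);
  return hasControl || hostLike;
}

for (const u of SCAM_URLS) {
  const p = dissectUrl(u);
  console.log(`shown as:  ${nulTruncatedView(u)}`);
  console.log(`real host: ${p.host}  userinfo: ${JSON.stringify(p.userinfo)}  spoof: ${looksLikeHostSpoof(u)}`);
}
```

The practical check for a mail gateway or a link-hover tooltip is the last function: if there is an "@" in the authority at all, show the real host prominently, and treat hostname-shaped or control-character userinfo as a phish.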


From: "wirepair" <wirepair () roguemail net>
Subject: iis 5 %00 null weirdness
To: vuln-dev () securityfocus com
Date: Thu, 11 Dec 2003 11:15:38 -0800
Message-ID: <web-23498678 () gator darkhorse com>

lo all,
While playing with IIS I was messing around with the old-school webhits vuln; I tried injecting some null characters to see how it would respond. To my surprise I all of a sudden got the web page I requested (not the source, just the page), but the images were all broken. This obviously piqued my interest, so I viewed the info of the page.
When requesting an asp page (or aspx), such as
http://iisserver/iisstart.asp%00/%00/%00/
you'll notice the image file now contains the path:
http://iisserver/iisstart.asp%00/%00/%00/pagerror.gif
Any link from the asp page requested will have the null bytes injected into its path. 
It isn't just nulls either; you can basically (after the first one) inject any string:
http://iisserver/iisstart.asp%00/%2e%2e/
Shows the broken image as having the path:
http://iisserver/iisstart.asp%00/%2e%2e/pagerror.gif
Now I assume this isn't normal behaviour, but my questions are:
A. Why is this happening?
and 
B. Is there anyway we can take advantage of this?

I tried the obvious stuff like moving the pagerror.gif outside the webroot, and it still showed up as a broken image, so I assume the %00 is causing the %2e%2e to not *actually* break the web root.
Any thoughts, folks?
-wire

Everyone has a plan until they get hit.
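As an added example (not from the post above), here is a small Node.js model of the two mechanics at work in the report. On the client side, a relative reference such as pagerror.gif is resolved against the request URL's path as RFC 3986 section 5.2 specifies, and only literal "." and ".." count as dot-segments, so "%2e%2e" survives; that alone reproduces the image paths quoted in the post. The server side is an assumption about the behaviour described (percent-decode, then stop at the first NUL before mapping to a file); it is a model written for this example, not IIS code, and it shows why a %2e%2e that follows a %00 never reaches the filesystem.

```javascript
// Added example (not from the original post): model the two sides of the
// observation. Client side: relative links are resolved against the request
// URL's path (RFC 3986 section 5.2), which carries the injected junk into every
// image URL. Server side: an ASSUMED model of what the post describes (decode,
// then stop at the first NUL before mapping to a file). It is not IIS code.

// RFC 3986 5.2.4 remove_dot_segments on a path that starts with "/". Only the
// literal segments "." and ".." are dot-segments; "%2e%2e" is left as-is, which
// is why the percent-encoded form survives in the resolved image URL.
function removeDotSegments(path) {
  const segs = path.split("/"); // segs[0] is "" (the root)
  const out = [""];
  for (let i = 1; i < segs.length; i++) {
    const s = segs[i];
    const last = i === segs.length - 1;
    if (s === ".") { if (last) out.push(""); continue; }
    if (s === "..") {
      if (out.length > 1) out.pop(); // never climb above the root
      if (last) out.push("");
      continue;
    }
    out.push(s);
  }
  return out.join("/");
}

// RFC 3986 5.2.3 merge: a reference without a leading "/" is appended to the
// base path with its last segment removed, then dot-segments are removed.
function resolveRelativePath(basePath, ref) {
  if (ref.startsWith("/")) return removeDotSegments(ref);
  const dir = basePath.slice(0, basePath.lastIndexOf("/") + 1);
  return removeDotSegments(dir + ref);
}

// Minimal percent-decoder that never throws (malformed escapes stay literal).
function percentDecode(s) {
  return s.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// ASSUMED server model: decode the request path, treat the first NUL as the end
// of the string (C semantics), then normalise. Returns the path the file lookup
// would use. Under this model "%2e%2e" is decoded to ".." but never reaches the
// lookup when a NUL precedes it, matching the post's observation that the
// traversal did not break out of the web root. The model also predicts that the
// image request lands on the .asp itself; the post only reports the image as broken.
function modelServerMapPath(requestPath) {
  const decoded = percentDecode(requestPath);
  const nul = decoded.indexOf("\0");
  const cut = nul === -1 ? decoded : decoded.slice(0, nul);
  return removeDotSegments(cut);
}

// The two request paths from the post.
const REQUESTS = ["/iisstart.asp%00/%00/%00/", "/iisstart.asp%00/%2e%2e/"];
for (const req of REQUESTS) {
  const img = resolveRelativePath(req, "pagerror.gif"); // what the browser fetches
  console.log(`request ${req}`);
  console.log(`  server maps page  -> ${modelServerMapPath(req)}`);
  console.log(`  browser asks for  -> ${img}`);
  console.log(`  server maps image -> ${modelServerMapPath(img)}`);
}
```

The takeaway for anyone testing a server for this class of bug: compare what your client resolves (the path after remove_dot_segments, with percent-encoding intact) against what the server decodes and truncates; the interesting cases are the ones where the two disagree about where a ".." sits relative to a NUL.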


