Bugtraq mailing list archives

Unicode C


From: Nu Omega Tau <nu_omega_tau () ALTAVISTA COM>
Date: Wed, 14 Mar 2001 12:35:42 -0800

===[ www.sinsecurity.net ]===

====[ Information ]======
Program Name   : Microsoft Internet Information Server (IIS)
Program Author : http://www.microsoft.com/iis
Test Versions  : 4, others not vulnerable
Advisory Author: Niels Teusink, a.k.a. Nu Omega Tau
Contact        : Nu_Omega_Tau () altavista com
=========================

This advisory was made in Holland.

Overview
========
Extended Unicode is an exploit found in October 2000 by an unknown person; rfp did further research on it. Later on,
variants were found, such as using the /msadc directory instead of /scripts and using different ways of Unicode encoding.
All these techniques had their pros and cons: the /scripts method worked on both IIS4 and IIS5, but didn't work if the
wwwroot directory was on a different partition than the winnt directory. The /msadc method solved this, as the /msadc
directory is in \program files, which is usually on the same partition as the winnt dir; the msadc method, though, doesn't
work with IIS5.
Both methods still had a common flaw: the name of the winnt directory must be known for the exploit to work.
With my new method, this isn't the case. My method only works with IIS4, though.

For more information on the vulnerability, do a search in the bugtraq archives on www.securityfocus.com with the keyword
"Unicode".
RainForestPuppy's research can be found at www.wiretrip.net.

Problem Description
===================
When using /iisadmpwd, which is a subdirectory of the Windows NT directory, it is not necessary to specify the
Windows NT directory. We can just do http://target.machine/iisadmpwd/..%c0%af../cmd.exe?/c+dir
As you can see, I don't specify any directory, but get back:

 Directory of C:\WINDOWS\System32\inetsrv\iisadmpwd

01/01/00  11:11a        <DIR>          .
01/01/00  11:11a        <DIR>          ..
01/01/00  11:11p                 1,902 achg.htr
(...)

I can imagine admins scanning their network with home-made scripts for vulnerabilities and only fixing machines where
the vulnerabilities are found. When the installation directory is not winnt, the vulnerability wouldn't be detected but
still can be exploited if the machine isn't patched.
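The detection gap described above comes from checking for traversal before decoding the overlong UTF-8 sequence. The following is an added example, not code from the advisory: a small request-path checker that first canonicalises the path (URL decoding, then mapping 2-byte overlong sequences such as %c0%af to the ASCII byte they encode, then unifying separators) and only afterwards looks for `..` climbing above the virtual directory, so it flags the /iisadmpwd variant without needing to know the name of the winnt directory. The sample request lines are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request paths (not real log data). The first three are
# the /scripts, /iisadmpwd and /msadc traversal variants; the fourth is a
# benign request to the same virtual directory.
SAMPLE_REQUESTS = [
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "/iisadmpwd/..%c0%af../cmd.exe?/c+dir",
    "/msadc/..%c1%9c../winnt/system32/cmd.exe?/c+dir",
    "/iisadmpwd/achg.htr",
    "/scripts/..%2f../winnt/system32/cmd.exe",
]

# A C0 or C1 lead byte followed by one continuation byte is an overlong
# encoding of a 7-bit ASCII character and is never valid UTF-8.
_OVERLONG_2BYTE = re.compile(rb"[\xc0\xc1][\x80-\xbf]")


def decode_overlong(data: bytes) -> bytes:
    """Replace 2-byte overlong UTF-8 sequences with the ASCII byte they
    encode, which is what a lenient decoder effectively does:
    %c0%af -> '/' (0x2f), %c1%9c -> '\\' (0x5c)."""
    def repl(m):
        lead, cont = m.group(0)
        return bytes([((lead & 0x1F) << 6) | (cont & 0x3F)])
    return _OVERLONG_2BYTE.sub(repl, data)


def escapes_root(request_path: str) -> bool:
    """True if the canonicalised path climbs above the virtual directory.
    Canonicalisation runs BEFORE the '..' check; checking first and
    decoding afterwards is exactly what made '..%c0%af..' slip through."""
    raw = request_path.split("?", 1)[0].encode("latin-1")
    canon = decode_overlong(unquote_to_bytes(raw)).replace(b"\\", b"/")
    depth = 0
    for seg in canon.split(b"/"):
        if seg == b"..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in (b"", b"."):
            depth += 1
    return False


def flag_requests(requests):
    """Return the request paths that escape their virtual directory."""
    return [r for r in requests if escapes_root(r)]


if __name__ == "__main__":
    for r in flag_requests(SAMPLE_REQUESTS):
        print("traversal:", r)
```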

Solution
========
This is not a new problem and DOES NOT require a new patch. If you haven't applied the Unicode patch yet because the
technique didn't work on your system, it may be a good idea to do so now. The patch can be found at
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23667
Although this is not a new problem, I decided to inform Microsoft of this method before posting this.

===[ Niels Teusink - Sin Security ]===

Don't deface, email!
