Penetration Testing mailing list archives

Re: [PEN-TEST] FW: [PEN-TEST] IIS %c1%1c remote command execution


From: Mordechai Ovits <movits () OVITS NET>
Date: Thu, 19 Oct 2000 16:04:20 -0400

It would allow you to get any file accessible to the user that IIS is
running as, on the Inetpub drive.  If the Inetpub drive isn't the system
drive you can't run cmd, but you can nab files.  Not the SAM though.

Mordy

On Thu, Oct 19, 2000 at 02:35:46PM -0400, Bernard, Shawn wrote:
I think the post was more along the lines of this...
If your web root (inetpub) is located on a different drive letter than your
OS is installed on, the vulnerability does not work as posted. I ran into
that when I was testing some systems.
OS is installed on C: -- C:\WINNT
IIS web root is on D:\ -- D:\INETPUB
Now if I understand it correctly the problem is that in the example URL
http://address.of.iis5.system/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\

the ..%c1%1c.. translates into ../.. dropping you to the root of the drive
that the web root resides on.
So if your webroot is C:\INETPUB the URL calls
C:\WINNT\SYSTEM32\CMD.EXE?/C+DIR+C:\
So in your normal out of the box install it finds cmd.exe and runs a dir
command.
If your webroot is D:\INETPUB the URL calls
D:\WINNT\SYSTEM32\CMD.EXE?/C+DIR+C:\
In most cases (that I have worked with) you would not have the OS located
there, so the vulnerability would not work.
-----Original Message-----

From:       Michael Katz [SMTP:mike () RESPONSIBLE COM]
Sent:       Thursday, October 19, 2000 12:01 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject:    Re: [PEN-TEST] IIS %c1%1c remote command execution

On Thursday, October 19, 2000 8:19 AM, Critical Watch Bugtraqqer wrote:

However, I haven't been able to find a use for this if the web site is on
a separate drive.  Ok, sure if there is a sample page that allows you to
cruise around folders and look for interesting executables, or maybe
perl.exe in the cgi-bin, you could use this exploit. But what else?  Any
thoughts?

You can get directory listings of any directory on any drive, including
mapped drives, as well as read the contents of numerous files that you
find - again, on any drive.  I have confirmed this by successfully testing
this exploit on vulnerable servers.

Michael Katz
Responsible Solutions, Ltd.
mike () responsible com
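The thread turns on two things a log reviewer can check mechanically: whether a request carries an overlong UTF-8 sequence such as %c1%1c or %c0%af that a lenient decoder turns into a path separator, and whether the decoded path walks above the web root, always on the web root's own drive. The script below is an added example written for this archive page, not code from any poster. It assumes a lenient two-byte decoder that takes the low six bits of the byte following a 0xC0-0xDF lead even when that byte is not a valid continuation byte (this is a model of the behaviour the thread describes, not a reproduction of the IIS decoder), and it uses constructed request lines and the C:\INETPUB / D:\INETPUB layouts from Shawn's message to show why the same URL resolves to cmd.exe on one layout and to a nonexistent D:\winnt on the other.

```python
import string

# Constructed IIS-style request lines, made up for this example (not taken from
# any real log). The first two use the overlong %c1%1c / %c0%af forms.
SAMPLE_REQUESTS = [
    "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/index.asp HTTP/1.0",
    "GET /images/..%2f..%2fetc/passwd HTTP/1.0",
]


def percent_decode(path: str) -> bytes:
    """Decode %XX escapes to raw bytes without yet interpreting them as text."""
    out = bytearray()
    i = 0
    while i < len(path):
        if (path[i] == "%" and i + 2 < len(path)
                and all(h in string.hexdigits for h in path[i + 1:i + 3])):
            out.append(int(path[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(path[i].encode("latin-1", "replace"))
            i += 1
    return bytes(out)


def lenient_utf8_decode(data: bytes) -> tuple:
    """Model (assumption, see lead-in) of a lenient decoder: a 0xC0-0xDF lead byte
    absorbs the low 6 bits of the next byte whether or not it is 10xxxxxx.
    Returns (decoded text, True if a 2-byte form produced an ASCII code point)."""
    chars, overlong, i = [], False, 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:          # 2 bytes spent on an ASCII char: overlong
                overlong = True
            chars.append(chr(cp))  # %c1%1c -> '\\', %c0%af -> '/'
            i += 2
        else:
            chars.append(chr(b))
            i += 1
    return "".join(chars), overlong


def resolve_on_disk(decoded_path: str, webroot: str) -> tuple:
    """Walk the decoded path from the web root the way a naive mapping would.
    Returns (resulting path, True if the walk went above the web root).
    The drive letter is always the web root's, which is the thread's point."""
    drive, rest = webroot[:2], webroot[2:]
    parts = [p for p in rest.replace("\\", "/").split("/") if p]
    root_depth = len(parts)
    escaped = False
    for seg in decoded_path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
        else:
            parts.append(seg)
        if len(parts) < root_depth:
            escaped = True
    return drive + "\\" + "\\".join(parts), escaped


def analyze_request(request_line: str, webroot: str) -> dict:
    """Decode one request line and report overlong encoding and traversal."""
    target = request_line.split(" ")[1]
    path = target.split("?", 1)[0]          # query string is not part of the path
    decoded, overlong = lenient_utf8_decode(percent_decode(path))
    on_disk, escaped = resolve_on_disk(decoded, webroot)
    return {
        "decoded": decoded,
        "overlong_utf8": overlong,
        "escapes_webroot": escaped,
        "resolves_to": on_disk,
    }


def flag_requests(request_lines, webroot: str) -> list:
    """Return (line, finding) pairs worth alerting on: overlong UTF-8 or any
    path that climbs above the web root, encoded or not."""
    hits = []
    for line in request_lines:
        finding = analyze_request(line, webroot)
        if finding["overlong_utf8"] or finding["escapes_webroot"]:
            hits.append((line, finding))
    return hits


if __name__ == "__main__":
    for root in ("C:\\INETPUB", "D:\\INETPUB"):
        for line, f in flag_requests(SAMPLE_REQUESTS, root):
            print(root, "|", line.split(" ")[1], "->", f["resolves_to"],
                  "[overlong]" if f["overlong_utf8"] else "",
                  "[escapes webroot]" if f["escapes_webroot"] else "")
```

Run against both layouts, the first request lands on C:\winnt\system32\cmd.exe for a C: web root and on D:\winnt\system32\cmd.exe for a D: web root, which matches Mordy's and Shawn's observation that the traversal never leaves the web root's drive; the detection itself does not depend on that, since the overlong sequence and the climb above the web root are visible in the request either way. The fourth sample shows that a plain %2f traversal is flagged by the path walk even though no overlong byte is present.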


