Vulnerability Development mailing list archives

double decode: to slash or not to slash.


From: Roelof <roelof () sensepost com>
Date: Wed, 4 Jul 2001 13:43:21 +0200 (SAST)

Hi all.

Strange thing with double decode problem on IIS. Refer:
http://www.microsoft.com/technet/security/bulletin/MS01-026.asp

Most scanners (including the Nessus plugin) check for the problem using
the following string:

/directory/..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir

Replace directory with an executable directory, and replace %255c with any
combination of the double encoded string. It seems to work
fine (I have seen this as the only vulnerability on a box and
the scanner picks it up nicely). However... I have found two boxes (one
IISv4 and one IISv5) where it does not work... the weird thing is this -
the following string:

/directory/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir

DOES work. The only difference is the ../ in front of
/winnt/system32/blah.

A note - if you are using a scanner that only checks for the first string
- please update - your site might be vulnerable. Arirang scanner does this
check properly. 

Why is this so? Are there two different problems here? Any comments?

Regards,
Roelof.
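An added example, not from the post or from any scanner it names: a small Python checker that decodes a request path twice, as the MS01-026 flaw did, and flags log entries that are double-encoded or that climb out of the web root. The log lines and their field layout are constructed, a simplified version of the IIS W3C fields.

```python
import urllib.parse

# Constructed log lines (simplified IIS W3C fields: date time c-ip cs-method
# cs-uri-stem cs-uri-query sc-status); the probes are the two strings quoted above.
SAMPLE_LOG = """\
2001-07-04 11:40:02 10.0.0.5 GET /directory/index.asp - 200
2001-07-04 11:41:10 10.0.0.5 GET /directory/..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe /c+dir 404
2001-07-04 11:41:12 10.0.0.5 GET /directory/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe /c+dir 200
2001-07-04 11:42:30 10.0.0.7 GET /scripts/report%2520q3.asp - 200
"""

def iis_double_decode(uri_stem: str) -> str:
    """Decode twice, as the MS01-026 flaw did (%255c -> %5c -> \\), then
    treat backslashes as path separators."""
    once = urllib.parse.unquote(uri_stem)
    return urllib.parse.unquote(once).replace("\\", "/")

def is_double_encoded(uri_stem: str) -> bool:
    """True if a second decode pass still changes the path (%25xx encoding)."""
    once = urllib.parse.unquote(uri_stem)
    return urllib.parse.unquote(once) != once

def escapes_webroot(decoded_path: str) -> bool:
    """True if '..' segments climb above the directory the path starts in."""
    depth = 0
    for seg in decoded_path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def flag_requests(log_text: str) -> list:
    """Return (c-ip, cs-uri-stem, reasons) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # skip #Fields headers, comments and malformed lines
        ip, stem = fields[2], fields[4]
        reasons = []
        if is_double_encoded(stem):
            reasons.append("double-encoded")
        if escapes_webroot(iis_double_decode(stem)):
            reasons.append("traversal")
        if reasons:
            hits.append((ip, stem, reasons))
    return hits
```

Both probe strings from the post are flagged as traversal, while the %2520 line is reported only as double-encoded, which is the signal to tune if legitimate URLs on the site carry literal percent signs.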
