Vulnerability Development mailing list archives

Re: double decode: to slash or not to slash.


From: warning3 <warning3 () nsfocus com>
Date: Thu, 05 Jul 2001 08:53:55 +0800

Hi

Maybe the target system has the patch from MS00-078 (MS00-057) installed.

The following words are from NSFOCUS's explanation:

2. Will systems with the patch provided by MS00-078 (MS00-057) be affected?

   MS00-078 and MS00-057 provide the same patch, which performs a
   check of the filename for ".\" and "./" after the first decoding. If
   such characters exist, the request is denied. Thus it only
   casually addresses the UNICODE vulnerability. By covering "./" or ".\" after
   the first decoding, an attacker can still successfully make use of
   the "Decoding error" vulnerability.
   
   For example:

   "..%255c..%255cwinnt/system32/cmd.exe"
   will be converted into 
   "..%5c..%5cwinnt/system32/cmd.exe"
   after the first decoding. Thus the request can bypass the security 
   check.

   But
   "..%255c../winnt/system32/cmd.exe"
   will be converted into 
   "..%5c../winnt/system32/cmd.exe"
   after the first decoding. Thus the attack fails since the decoded
   name contains './'.



---Original Message---
From : Roelof <roelof () sensepost com>
Date : Wed, 4 Jul 2001 13:43:21 +0200 (SAST)

Hi all.

Strange thing with the double decode problem on IIS. Refer to:
http://www.microsoft.com/technet/security/bulletin/MS01-026.asp

Most scanners (including the Nessus plugin) check for the problem using
the following string:

/directory/..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir

Replace "directory" with an executable directory, and replace %255c with any
combination of the double-encoded string. It seems to work
fine (I have seen this as the only vulnerability on a box and
the scanner picks it up nicely). However... I have found two boxes (one
IISv4 and one IISv5) where it does not work... the weird thing is this:
the following string:

/directory/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir

DOES work. The only difference is the ../ in front of
/winnt/system32/blah.

A note - if you are using a scanner that only checks for the first string
- please update - your site might be vulnerable. Arirang scanner does this
check properly. 

Why is this so? Are there two different problems here? Any comments?

Regards,
Roelof.

Regards,
warning3 <warning3 () nsfocus com>
http://www.nsfocus.com
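
As an added illustration (not part of either message, and a model rather than Microsoft's code), the once-decoding check NSFOCUS describes is reproduced in Python and run over the two request strings from the thread. It shows why the "../" variant is denied on a patched box while the other is not, and why a scanner or IDS rule must decode until the path stops changing before looking for traversal. The "/scripts/" directory and the log lines are constructed sample input.

```python
from urllib.parse import unquote


def decode_fully(path: str, limit: int = 5) -> str:
    """Percent-decode repeatedly until the string stops changing (bounded)."""
    for _ in range(limit):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    return path


def patch_denies(path: str) -> bool:
    """Model of the MS00-078/MS00-057 check as described by NSFOCUS:
    decode once, deny if './' or '.\\' appears in the result."""
    once = unquote(path)
    return "./" in once or ".\\" in once


def is_traversal(path: str) -> bool:
    """Detector view: look for '..' separators only after full decoding,
    so that a double-encoded %255c cannot hide the backslash."""
    full = decode_fully(path)
    return "../" in full or "..\\" in full


def classify(path: str) -> str:
    """Outcome of one request against the modelled patch and the detector."""
    if patch_denies(path):
        return "denied-by-patch"
    if is_traversal(path):
        return "double-decode-traversal"
    return "ok"


# Constructed sample requests: the two strings from the thread plus a benign one.
REQUESTS = [
    "/scripts/..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir",
    "/scripts/index.asp?id=1",
]


def scan(requests):
    """Map each request path to its classification."""
    return {r: classify(r) for r in requests}


if __name__ == "__main__":
    for req, verdict in scan(REQUESTS).items():
        print(f"{verdict:24} {req}")
```

The second string passes the patch's check because after one decode it still reads "..%5c", which contains neither "./" nor ".\"; only a second decode turns it into "..\".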
