Vulnerability Development mailing list archives

Re: iis 5 %00 null weirdness


From: <securityfocus () poulsennet com>
Date: Mon, 16 Feb 2004 07:14:46 -0700

This is an "old" vulnerability addressed in KB832894. The description and patch can be found on
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-004.asp

Kind Regards


Michael Poulsen, CISSP

----- Original Message -----
From: Chris Katscher
To:  vuln-dev () securityfocus com
Sent: 11 Feb 2004 21:17:33 -0000
Subject: Re: iis 5 %00 null weirdness

In-Reply-To: <web-23498678 () gator darkhorse com>

I have no idea what is going on with this "vulnerability" but I can't find anything about it on
Microsoft's site.  They either don't know about it or are trying to keep it quiet.  I will say
this, scammers REALLY know about it.  I have gotten two scam emails in the past few weeks using
this vulnerability.

Here:

From: "Flightiest G. Lever" <support () yahoo-services com>
Date: Sun, 25 Jan 2004 12:51:36 -0500
Subject: Important Information Regarding Your Account cO3VRQmN

The email looks very professional, in fact it fooled me into thinking it was an actual yahoo site
that might have gotten r00ted by a scammer, and tries to get me to click on the link:

http://wallet.yahoo.com%00@211.174.60.96/manual/images/

Here is another example:

From: "_Yahoo*" <herb () zipolite com>
Date: Sat, 07 Feb 2004 14:27:37 -0500
Subject: _Your _Yahoo user id (spatch3 () yahoo com)

This is a very unprofessional email and tries to get you to click on the link:

http://Spatch.yahoo.com%00@%75%68%6b%72%6539%65%64%2e%44%61%2e%52%75/%3f%708%510%78

I have decoded the domain to be:

uhkre39ed.Da.Ru/?p8Q0x

I have already sent complaint emails about these scams to the proper domain registrars, however
what really bothers me, is that IE is vulnerable to this type of human trickery.  Even _I_ was
fooled when I first saw it, and I don't fool easily.  It wasn't until I copied the URL and then
pasted it into notepad and then clicked on it in Netscape that I saw where the URL was really
re-directing me to.  Since this kind of hidden URL exploit doesn't work in Netscape 6.2 I'll
definitely call it an IE 5.5 bug.

BTW:  the characters before the @ must be:

hex:  01 25 30 30

which looks like:

%00

Hope this helps!

Chris Katscher
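As an added illustration (not part of either poster's mail), here is how a mail filter should read the two links quoted above: under RFC 3986 the host is whatever follows the last "@" of the authority, so everything before it is userinfo that the browser never connects to. The helper splits the links that way, percent-decodes the real host (reproducing the uhkre39ed.Da.Ru decode) and lists the indicators worth flagging; the sample links are copied from the thread.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample: the two phishing links quoted in the mail above.
SAMPLE_LINKS = [
    "http://wallet.yahoo.com%00@211.174.60.96/manual/images/",
    "http://Spatch.yahoo.com%00@%75%68%6b%72%6539%65%64%2e%44%61%2e%52%75/%3f%708%510%78",
]


def real_destination(url):
    """Return (userinfo, real_host, decoded_path) for a URL.

    RFC 3986: in the authority, everything up to the last '@' is userinfo;
    the host is what follows it. The display bug discussed in the thread
    only hides the part after the '@'; it does not change where the
    browser actually connects.
    """
    parts = urlsplit(url)
    userinfo = parts.netloc.rpartition("@")[0]        # '' when there is no '@'
    real_host = unquote(parts.hostname or "")         # decode %xx bytes in the host
    return userinfo, real_host, unquote(parts.path)


def spoof_indicators(url):
    """List the reasons a link looks like a host-spoofing phish (empty = none)."""
    userinfo, real_host, _ = real_destination(url)
    reasons = []
    if userinfo:
        decoded = unquote(userinfo.partition(":")[0])  # user part only, no password
        if any(ord(c) < 0x20 for c in decoded):
            reasons.append("control byte in userinfo (truncates the displayed URL)")
        if "." in decoded:
            reasons.append("userinfo looks like a hostname: %r" % decoded)
    if "%" in (urlsplit(url).hostname or ""):
        reasons.append("percent-encoded host, decodes to " + real_host)
    return reasons


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link)
        print("  really goes to:", real_destination(link)[1])
        for reason in spoof_indicators(link):
            print("  -", reason)
```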





From: "wirepair" <wirepair () roguemail net>
Subject: iis 5 %00 null weirdness
To: vuln-dev () securityfocus com
X-Mailer: CommuniGate Pro WebUser Interface v.4.1.8
Date: Thu, 11 Dec 2003 11:15:38 -0800
Message-ID: <web-23498678 () gator darkhorse com>



lo all,

While playing with IIS I was messing around with the old school webhits vuln, I tried injecting
some null characters to see how it would respond. To my surprise I all of a sudden got the web
page I requested (not the source, just the page). But the images were all broken, this obviously
piqued my interest so I viewed the info of the page.

When requesting an asp page (or aspx), such as

http://iisserver/iisstart.asp%00/%00/%00/

you'll notice the image file now contains the path:

http://iisserver/iisstart.asp%00/%00/%00/pagerror.gif

Any link from the asp page requested will have the null bytes injected into its path.

It isn't just nulls either, you can basically (after the first one) inject any string:

http://iisserver/iisstart.asp%00/%2e%2e/

shows the broken image as having the path:

http://iisserver/iisstart.asp%00/%2e%2e/pagerror.gif

Now I assume this isn't normal behaviour but my questions are:

A. Why is this happening?

and

B. Is there any way we can take advantage of this?

I tried the obvious stuff like moving the pagerror.gif outside the webroot, and it still showed up
as a broken image so I assume the %00 is causing the %2e%2e to not *actually* break the web root.

Any thoughts folks?

-wire



Everyone has a plan until they get hit.
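Two things an added example (not from the post, and not IIS code) can make concrete for the question above: resolving a relative link against the requested URL is done without any percent-decoding, so urljoin reproduces exactly the image path wire saw; and on the server side, the check a path mapper needs is to decode once, reject embedded NULs, and confirm the normalised result is still under the webroot. WEBROOT is a hypothetical directory used only for illustration.

```python
import posixpath
from urllib.parse import urljoin, unquote

# Constructed sample: the request URL from the post above.
BASE = "http://iisserver/iisstart.asp%00/%2e%2e/"

# Hypothetical webroot, used only for illustration.
WEBROOT = "/inetpub/wwwroot"


def resolve_relative(base, relative="pagerror.gif"):
    """Resolve a relative link the way a browser does (RFC 3986 section 5).

    Nothing is percent-decoded during resolution, so the %00 and %2e%2e in
    the base URL ride along into every relative link on the page. Only a
    literal '..' segment is collapsed; '%2e%2e' is just an ordinary segment.
    """
    return urljoin(base, relative)


def safe_local_path(request_path, webroot=WEBROOT):
    """Map a request path to a file under webroot, or return None if unsafe.

    Decode once, refuse embedded NUL bytes (never valid in a file name),
    normalise dot segments only after decoding, and confirm the result
    did not leave webroot.
    """
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None
    full = posixpath.normpath(posixpath.join(webroot, decoded.lstrip("/")))
    if full != webroot and not full.startswith(webroot + "/"):
        return None
    return full


if __name__ == "__main__":
    print(resolve_relative(BASE))
    for p in ["/images/pagerror.gif",
              "/iisstart.asp%00/%2e%2e/pagerror.gif",
              "/%2e%2e/%2e%2e/outside.txt"]:
        print(p, "->", safe_local_path(p))
```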
