Bugtraq
mailing list archives
Re: IIS %c1%1c remote command execution
From: rain forest puppy <rfp () WIRETRIP NET>
Date: Wed, 18 Oct 2000 18:23:45 -0500
This is one of the vulnerabilities Bruce Schneier warned of in one of
the past CRYPTO-GRAM issues. The problem isn't the wrong time of
path checking alone, but as well a poorly implemented UTF-8 decoder.
RFC 2279 explicitly says that overlong sequences such as 0xC0 0xAF are
invalid.
Yep, I agree, and that's because...
Markus Kuhn's UTF-8 stress test file contains some tests covering such
problems. It's available at:
http://www.cl.cam.ac.uk/~mgk25/ucs/examples/UTF-8-test.txt
Markus' FAQ is what helped me to understand what's going on. It
definitely is a good writeup.
I also reviewed a writeup located at:
http://czyborra.com/utf/
As equally informative.
As UTF support creeps into various places, this may become a more
prominent problem. I already foresee uses in virus scanner and IDS
evasion.
- rfp
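
The decoder check discussed in the message above, as an added example that is not part of the original post or of any vendor's code: a decoder that skips the continuation-byte and minimum-value checks, beside a strict one that rejects overlong sequences such as 0xC0 0xAF. Function names are hypothetical, the byte strings are constructed, and the strict decoder assumes sequences of at most four bytes (RFC 2279 also defines five- and six-byte forms).

```python
# Added illustration: names are hypothetical and all byte strings are constructed.
# (lead mask, lead tag, sequence length, smallest code point legal at that length)
FORMS = [(0xE0, 0xC0, 2, 0x80), (0xF0, 0xE0, 3, 0x800), (0xF8, 0xF0, 4, 0x10000)]

def lax_decode(data: bytes) -> str:
    """Two-byte decoder with the flaw: no continuation or minimum-value check."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b & 0xE0 == 0xC0 and i + 1 < len(data):
            out.append(chr((b & 0x1F) << 6 | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))  # ASCII, or passed through unchanged
            i += 1
    return "".join(out)

def strict_decode(data: bytes) -> str:
    """Reject overlong, truncated, surrogate and out-of-range sequences."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
            continue
        form = next((f for f in FORMS if b & f[0] == f[1]), None)
        if form is None:
            raise ValueError(f"invalid lead byte 0x{b:02x} at offset {i}")
        _, _, length, minimum = form
        tail = data[i + 1:i + length]
        if len(tail) != length - 1 or any(t & 0xC0 != 0x80 for t in tail):
            raise ValueError(f"bad continuation byte at offset {i}")
        cp = b & (0xFF >> (length + 1))  # payload bits of the lead byte
        for t in tail:
            cp = cp << 6 | (t & 0x3F)
        if cp < minimum:
            raise ValueError(f"overlong sequence at offset {i}")
        if cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
            raise ValueError(f"code point out of range at offset {i}")
        out.append(chr(cp))
        i += length
    return "".join(out)

def is_rejected(data: bytes) -> bool:
    """True when the strict decoder refuses the input."""
    try:
        strict_decode(data)
        return False
    except ValueError:
        return True
```

Any path or signature check has to run on the output of the strict decoder, or on input the strict decoder has already accepted, so that the checker and the consumer see the same characters.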