Penetration Testing: [PEN-TEST] FW: [PEN-TEST] IIS %c1%1c remote command execution

["Bernard, Shawn" <Shawn.Bernard () CERIDIAN COM>]

I think the post was more along the lines of this...
If your web root (inetpub) is located on a different drive letter than your
OS is installed on the vulnerability does not work as posted. I ran into
that when I was testing some systems.
os is installed on c: --C:\WINNT
IIS web root is on d:\ -- D:\INETPUB
Now if I understand it correctly the problem is that in the example URL
http://address.of.iis5.system/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+d
ir+c:\

the ..%c1%1c.. translates into ../.. dropping you to the root of the drive
that the web root resides on.
So if your webroot is C:\INETPUB the URL calls
C:\WINNT\SYSTEM32\CMD.EXE?/C+DIR+C\     
So in your normal out of the box install it finds cmd.exe and runs an dir
command.
If your webroot is D:\INETPUB the URL calls
D:\WINNT\SYSTEM32\CMD.EXE?/C+DIR+C\     
in most cases (that I have worked with) you would not have the OS located
there so the vulnerability would not work.
> -----Original Message-----
>
> From: Michael Katz [SMTP:mike () RESPONSIBLE COM]
> Sent: Thursday, October 19, 2000 12:01 PM
> To:   PEN-TEST () SECURITYFOCUS COM
> Subject:      Re: [PEN-TEST] IIS %c1%1c remote command execution
>
> On Thursday, October 19, 2000 8:19 AM, Critical Watch Bugtraqqer wrote:
>
> >  However,
> > I haven't been able to find a use for this if the web site is on
> > a separate
> > drive.  Ok, sure if there is a sample page that allows you to
> > cruise around
> > folders and look for interesting executables, or maybe perl.exe in the
> > cgi-bin, you could use this exploit. But what else?  Any thoughts?
> You can get directory listings of any directory on any drive, including
> mapped drives, as well as read the contents of numerous files that you
> find - again, on any drive.  I have confirmed this by successfully testing
> this exploit on vulnerable servers.
>
> Michael Katz
> Responsible Solutions, Ltd.
> mike () responsible com