Vulnerability Development mailing list archives
Re: iis 5 %00 null weirdness
From: Chris Katscher <spatch3 () yahoo com>
Date: 16 Feb 2004 17:35:09 -0000
In-Reply-To: <20040211211733.32589.qmail () www securityfocus com>

Well, as a postscript to this issue, I have verified that the newest IE 5.5 SP2 security update available from Microsoft fixes this issue. I confirmed that this patch even works on a Windows 95 system if you install it manually. Here is the link:

MS04-004: Cumulative Security Update for Internet Explorer
http://support.microsoft.com/default.aspx?scid=kb;en-us;832894

and here:

Technet Microsoft Security Bulletin MS04-004
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Bulletin/MS04-004.asp

released on 2-2-2004.

I removed the example exploits from my email since I got a bunch of anti-virus bounces.

Heh, I got my most recent scam attack today:

From: "Wavelet S. Board" <support () yahoo-accounts com>
Subject: Information From Support Regarding Your Account oOuUPJQWEQ
Date: Mon, 16 Feb 2004 05:22:46 -0500

Same professional-looking email, trying to get me to click on the link:

http://wallet.yahoo.com () mihyun-home com/ttboard/temp/

This works now, so get your fix of a scam database while it is too late!!!

Thanks!
Chris

PS: Tomorrow I'll let the domain registrars of this site know they have a scam they need to shut down.
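The scam links quoted in this thread all put a trusted-looking hostname in front of an "@", with the real destination after it. The Python below is an added example, not code from the thread or from any of its authors: it splits the URL authority the way RFC 3986 defines it (everything before the last "@" is userinfo, the host is what follows), percent-decodes the real host, and flags the deceptive patterns. The first two sample URLs are reconstructed from the ones quoted in the thread (the archive prints "@" as "() "); the third, with a 0x01 byte and "%00" ahead of the "@", is an assumed shape based on Chris's remark about the bytes before the "@" and is not a URL from the thread; the fourth is a benign control case.

```python
"""Added example, not from the original thread: recover the host a browser
will really connect to from a URL whose authority carries a "user@host"
prefix, and flag the patterns the quoted scam links rely on.

Per RFC 3986 the authority is [userinfo "@"] host [":" port]. An unencoded
"@" cannot appear inside userinfo, so the host is whatever follows the LAST
"@" and everything before it is merely a username the server may ignore."""
import re
from urllib.parse import unquote

# Constructed sample inputs. The first two follow the scam URLs quoted in
# the thread; the third is an assumed 0x01 + "%00" prefix (not from the
# thread); the fourth is a benign control case.
SAMPLES = [
    "http://wallet.yahoo.com@211.174.60.96/manual/images/",
    "http://Spatch.yahoo.com@%75%68%6b%72%6539%65%64%2e%44%61%2e%52%75/%3f%708%510%78",
    "http://wallet.yahoo.com\x01%00@211.174.60.96/",
    "http://www.example.com/login",
]

_AUTHORITY_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)(.*)$', re.S)


def split_authority(url):
    """Return (userinfo or None, host, path-and-rest) for an absolute URL.

    IPv6 literals ([::1]) are not handled; the quoted URLs use names/IPv4."""
    m = _AUTHORITY_RE.match(url)
    if not m:
        raise ValueError("not an absolute URL with an authority: %r" % url)
    authority, rest = m.group(1), m.group(2)
    userinfo, at, hostport = authority.rpartition('@')   # the LAST '@' wins
    if not at:
        userinfo, hostport = None, authority
    host = hostport.split(':', 1)[0]                      # drop any :port
    return userinfo, host, rest


def analyse(url):
    """Decode the host a browser actually connects to and list the reasons,
    if any, the URL looks like a lookalike-host scam."""
    userinfo, host, rest = split_authority(url)
    real_host = unquote(host).lower()
    reasons = []
    if userinfo is not None:
        if '.' in userinfo:
            reasons.append("userinfo contains a dot, i.e. it reads like a hostname")
        if any(ord(c) < 0x20 for c in userinfo) or '%00' in userinfo.lower():
            reasons.append("control or NUL bytes in userinfo (display-truncation attempt)")
    if '%' in host:
        reasons.append("percent-encoded host hides the domain from the reader")
    return {
        "real_host": real_host,
        "userinfo": userinfo,
        "decoded_path": unquote(rest),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for u in SAMPLES:
        r = analyse(u)
        print(repr(u))
        print("  connects to:", r["real_host"], "| path:", r["decoded_path"])
        for why in r["reasons"]:
            print("  !", why)
```

Run stand-alone it prints, for each sample, the host the browser would contact and the reasons it looks deceptive; the second sample decodes to the uhkre39ed.da.ru host and the /?p8Q0x path Chris worked out by hand. Splitting on the last "@" rather than the first is the point: a parser that stops at the first "@" is fooled by an encoded or control-laden userinfo in exactly the way the thread describes.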
Date: 11 Feb 2004 21:17:33 -0000
Message-ID: <20040211211733.32589.qmail () www securityfocus com>
From: Chris Katscher <spatch3 () yahoo com>
To: vuln-dev () securityfocus com
Subject: Re: iis 5 %00 null weirdness
In-Reply-To: <web-23498678 () gator darkhorse com>

I have no idea what is going on with this "vulnerability", but I can't find anything about it on Microsoft's site. They either don't know about it or are trying to keep it quiet. I will say this: scammers REALLY know about it. I have gotten two scam emails in the past few weeks using this vulnerability. Here:

From: "Flightiest G. Lever" <support () yahoo-services com>
Date: Sun, 25 Jan 2004 12:51:36 -0500
Subject: Important Information Regarding Your Account cO3VRQmN

The email looks very professional; in fact it fooled me into thinking it was an actual Yahoo site that might have gotten r00ted by a scammer, and tries to get me to click on the link:

http://wallet.yahoo.com@211.174.60.96/manual/images/

Here is another example:

From: "_Yahoo*" <herb () zipolite com>
Date: Sat, 07 Feb 2004 14:27:37 -0500
Subject: _Your _Yahoo user id (spatch3 () yahoo com)

This is a very unprofessional email and tries to get you to click on the link:

http://Spatch.yahoo.com@%75%68%6b%72%6539%65%64%2e%44%61%2e%52%75/%3f%708%510%78

which I have decoded the domain to be: uhkre39ed.Da.Ru/?p8Q0x

I have already sent complaint emails about these scams to the proper domain registrars; however, what really bothers me is that IE is vulnerable to this type of human trickery. Even _I_ was fooled when I first saw it, and I don't fool easily. It wasn't until I copied the URL, pasted it into Notepad and then clicked on it in Netscape that I saw where the URL was really redirecting me to. Since this kind of hidden URL exploit doesn't work in Netscape 6.2, I'll definitely call it an IE 5.5 bug.

BTW: the characters before the @ must be, in hex: 01 25 30 30, which looks like:

Hope this helps!
Chris Katscher

From: "wirepair" <wirepair () roguemail net>
Subject: iis 5 %00 null weirdness
To: vuln-dev () securityfocus com
Date: Thu, 11 Dec 2003 11:15:38 -0800
Message-ID: <web-23498678 () gator darkhorse com>

lo all,

While playing with IIS I was messing around with the old-school webhits vuln; I tried injecting some null characters to see how it would respond. To my surprise I all of a sudden got the web page I requested (not the source, just the page). But the images were all broken; this obviously piqued my interest, so I viewed the info of the page.

When requesting an asp page (or aspx), such as

http://iisserver/iisstart.asp%00/%00/%00/

you'll notice the image file now contains the path:

http://iisserver/iisstart.asp%00/%00/%00/pagerror.gif

Any link from the asp page requested will have the null bytes injected into its path. It isn't just nulls either; you can basically (after the first one) inject any string:

http://iisserver/iisstart.asp%00/%2e%2e/

shows the broken image as having the path:

http://iisserver/iisstart.asp%00/%2e%2e/pagerror.gif

Now I assume this isn't normal behaviour, but my questions are:

A. Why is this happening?
B. Is there any way we can take advantage of this?

I tried the obvious stuff like moving the pagerror.gif outside the webroot, and it still showed up as a broken image, so I assume the %00 is causing the %2e%2e to not *actually* break the web root.

Any thoughts folks?

-wire

Everyone has a plan until they get hit.
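Wirepair asks why the image paths inherit the injected bytes and why moving pagerror.gif made no difference. The Python below is an added example, not code from the post or from anyone in the thread. It shows the two halves that together reproduce what he describes: how a browser resolves a relative reference such as `pagerror.gif` against the URL it requested (RFC 3986 resolution collapses only literal `.` and `..` segments, so `%2e%2e` is carried along untouched), and a model of what a server would see if it percent-decoded the path and then handed it to a C-string API, which stops at the first NUL. The server half is a hypothetical model of the truncation the post speculates about, not a verified description of IIS internals. The hostname `iisserver` and the file names are taken from the post.

```python
"""Added example, not from the original post. Two pieces that together
account for the broken-image paths described in the thread:

  1. browser side: a relative <img src> in the HTML is resolved against the
     URL that was requested, so the odd path segments come along with it;
  2. server side (a hypothetical model, not a description of IIS internals):
     a path that is percent-decoded and then treated as a C string is cut at
     the first NUL, so anything after %00 never reaches the filesystem."""
from urllib.parse import urljoin, urlsplit, unquote

# Constructed inputs, using the URLs quoted in the post.
REQUESTED = [
    "http://iisserver/iisstart.asp%00/%00/%00/",
    "http://iisserver/iisstart.asp%00/%2e%2e/",
]
IMG_SRC = "pagerror.gif"   # a relative reference as it would appear in the page


def resolve_link(page_url, href):
    """RFC 3986 reference resolution, as a browser performs it on <img src>.

    urljoin merges the reference onto the base path and removes only the
    literal dot segments "." and ".."; the percent-encoded "%2e%2e" is an
    ordinary segment to the resolver and is kept verbatim."""
    return urljoin(page_url, href)


def cstring_path(url):
    """Model of a server that percent-decodes the path and then treats it as
    a NUL-terminated C string. Hypothetical, to illustrate the truncation the
    post speculates about; it is not a statement about how IIS works."""
    decoded = unquote(urlsplit(url).path)
    return decoded.split('\x00', 1)[0]


def explain(page_url, href=IMG_SRC):
    """Return what the browser fetches for `href` and what the modelled server
    would resolve both the page request and the image request to."""
    image_url = resolve_link(page_url, href)
    return {
        "browser_fetches": image_url,
        "server_sees_for_page": cstring_path(page_url),
        "server_sees_for_image": cstring_path(image_url),
    }


if __name__ == "__main__":
    for u in REQUESTED:
        r = explain(u)
        print(u)
        print("  browser requests image :", r["browser_fetches"])
        print("  modelled file for page :", r["server_sees_for_page"])
        print("  modelled file for image:", r["server_sees_for_image"])
```

Under this model both the page request and the image request collapse to `/iisstart.asp`, which is consistent with the image staying broken wherever pagerror.gif is placed and with the `%2e%2e` never being seen as a traversal: it sits after the NUL. A page that references its assets by absolute path (or sets a base URL) does not inherit the request path in this way, which the third assertion below shows.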