OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 1st quarter (Jan-Mar) 1999: Bug in IIS and PWS but only for Windows 9x. Re: Personal web

Bug in IIS and PWS but only for Windows 9x. Re: Personal web

Victor Lavrenko (lavrenkoMCST.RU)
Wed, 20 Jan 1999 11:57:19 +0300

>>>>> "Aleph" == Aleph One <aleph1UNDERGROUND.ORG> writes:

Hello everybody.

This bug exists because Windows 9x has a nice feature. When you
excecute "cd .." it goes to the parent directory, and "cd ..." goes to
the parent directory of parent directory etc. Windows NT has no such
feature so it isn't exploitable.

IIS 4.0 and PWS 3.0 exploitable while executed under Windows 9x only,
not Windows NT.

    Aleph> No:

    Aleph> Windows NT 4.0 SP3 ("kiborg" <contactkiborg.net>) Windows
[skip]
    Aleph> Windows 98 (Sean Coates scoatesusa.ne)

Sean checked box with PWS 2.0. Due to another bug in its core, it
seems that is not exploitable. PWS 3.0 doesn't have such bug so it is
exploitable.

    Aleph> Yes:

    Aleph> Windows 95 ("kiborg" <contactkiborg.net>) Windows 98
[skip]
    Aleph> it open.

PWS and IIS (they have the same core) check for ".." in URL, but don't
check for "...", "...." etc.

Summary:

1. IIS 4.0 and PWS 3.0 exploitable under Windows 9x.
2. IIS (any version) and PWS (any version) not exploitable under
   Windows NT.
3. PWS 2.0 and (possibly) IIS 3.0 not exploitable under Windows 9x.

--
Victor Lavrenko
   Homepage:        http://www.lavrenko.pp.ru/
   E-mail:          lavrenkomcst.ru  lavrenkocs.msu.su
   Fingerprint:     35 D0 98 8D 96 E5 F4 BA  59 FB 9D 29 92 26 F5 59