Bug in IIS and PWS but only for Windows 9x. Re: Personal web

lavrenkoMCST.RU

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Basement Research: "Re: Remote Cisco Identification"
• Previous message: johann sebastian bach: "sscan 0.1 stack overflows"
• In reply to: Aleph One: "Re: Personal web server"
• Next in thread: Marc Slemko: "Re: Bug in IIS and PWS but only for Windows 9x. Re: Personal web"

>>>>> "Aleph" == Aleph One <aleph1UNDERGROUND.ORG> writes:

Hello everybody.

This bug exists because Windows 9x has a nice feature. When you
excecute "cd .." it goes to the parent directory, and "cd ..." goes to
the parent directory of parent directory etc. Windows NT has no such
feature so it isn't exploitable.

IIS 4.0 and PWS 3.0 exploitable while executed under Windows 9x only,
not Windows NT.

    Aleph> No:

    Aleph> Windows NT 4.0 SP3 ("kiborg" <contactkiborg.net>) Windows
[skip]
    Aleph> Windows 98 (Sean Coates scoatesusa.ne)

Sean checked box with PWS 2.0. Due to another bug in its core, it
seems that is not exploitable. PWS 3.0 doesn't have such bug so it is
exploitable.

    Aleph> Yes:

    Aleph> Windows 95 ("kiborg" <contactkiborg.net>) Windows 98
[skip]
    Aleph> it open.

PWS and IIS (they have the same core) check for ".." in URL, but don't
check for "...", "...." etc.

Summary:

1. IIS 4.0 and PWS 3.0 exploitable under Windows 9x.
2. IIS (any version) and PWS (any version) not exploitable under
   Windows NT.
3. PWS 2.0 and (possibly) IIS 3.0 not exploitable under Windows 9x.

--
Victor Lavrenko
   Homepage:        http://www.lavrenko.pp.ru/
   E-mail:          lavrenkomcst.ru  lavrenkocs.msu.su
   Fingerprint:     35 D0 98 8D 96 E5 F4 BA  59 FB 9D 29 92 26 F5 59

• Next message: Basement Research: "Re: Remote Cisco Identification"
• Previous message: johann sebastian bach: "sscan 0.1 stack overflows"
• In reply to: Aleph One: "Re: Personal web server"
• Next in thread: Marc Slemko: "Re: Bug in IIS and PWS but only for Windows 9x. Re: Personal web"