From: B Kubesh (bkubeshCISCO.COM)
Date: Wed Jan 17 2001 - 19:30:38 CST

    I tested a standard NT4 SP6/IIS 4.0 installation and verified there are at
    least 1300 unique ways IIS will interpret the single character 'A'.

    The testing was done using methods that have been publicly discussed in
    focus-ids, bugtraq, ntbugtraq and Eric Hacker's "IDS evasion" article. Up
    until now I do not believe anyone has summarized all the methods and
    produced a quantitative answer to "the number of ways to represent a single
    character". Eric's article gave a good summary but was missing a key variable.

    Testing Variables:
    1) Upper and Lower case 'A'
    2) Single byte UTF encoding
    3) Double byte UTF encoding
    4) Triple byte UTF encoding
    5) "Microsoft base-36" encoding of UTF characters
    6) Raw binary encoding of UTF characters, or character subsets
    7) Unicode characters (0x00-0xFFFF) mapping to 'A'. (I found 15 on my
    installation)

    Microsoft base-36 encoding is a term I use to describe Microsoft's flawed
    implementation of UTF translation. They interpret 36 characters (0-9 A-Z)
    as hex characters, not just 16 (0-9 A-F).

    On my test installation I found 15 characters that mapped to 'A'. This was
    done by generating every possible 16-bit Unicode character 0x00-0xFFFF,
    encoding it as a triple byte UTF string and sending it to the server. The
    biggest variable is the character mappings; each IIS installation will have
    a different number of mappings depending on which codepages are installed
    on the system.

    I wrote a script that will generate all of the permutations for 'A' using
    the variables listed above. The result was a list of 1300 unique
    representations that IIS 4.0 will interpret as 'A'. The string "AE"
    can be represented 1,876,042 ways, etc.

    Blaine Kubesh
    Cisco Systems IDS Development Team
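
For the detection side of the message above, a sketch of the canonicalization a sensor has to do before matching signatures. It is an added example, not part of the original post or any Cisco code. It folds case and accepts one-, two- and three-byte UTF sequences (escaped or raw) without rejecting overlong forms, and flags them. The function names and sample paths are constructed; the "base-36" hex handling and codepage-dependent mappings are not modelled because they depend on the target installation.

```python
import re

_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")

def percent_decode(raw: bytes) -> bytes:
    """Decode strict %XX escapes (exactly two hex digits); leave other bytes."""
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def _is_cont(data: bytes, i: int) -> bool:
    """True if data[i] exists and is a UTF-8 continuation byte (10xxxxxx)."""
    return i < len(data) and (data[i] & 0xC0) == 0x80

def decode_lenient_utf8(data: bytes):
    """Decode 1-3 byte UTF-8 the way a lenient server might, accepting
    overlong forms. Returns (text, overlong_seen)."""
    out, overlong, i = [], False, 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b < 0xE0 and _is_cont(data, i + 1):
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            overlong |= cp < 0x80      # would have fit in one byte
            i += 2
        elif 0xE0 <= b < 0xF0 and _is_cont(data, i + 1) and _is_cont(data, i + 2):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            overlong |= cp < 0x800     # would have fit in one or two bytes
            i += 3
        else:
            cp = b                     # plain byte, or a malformed lead byte
            i += 1
        out.append(chr(cp))
    return "".join(out), overlong

def canonicalize(raw_path: bytes):
    """Return (lower-cased decoded path, overlong_seen) for signature matching."""
    text, overlong = decode_lenient_utf8(percent_decode(raw_path))
    return text.lower(), overlong

if __name__ == "__main__":
    # Constructed sample request paths, all meant to match one signature.
    for sample in (b"/scripts/Admin", b"/scripts/%41dmin",
                   b"/scripts/%C1%81dmin", b"/scripts/%E0%81%81dmin"):
        print(sample, canonicalize(sample))
```

An overlong flag is worth alerting on by itself, since a conforming client has no reason to send one.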