From: root synopse.homeip.net
Date: Mon May 27 2002 - 15:37:03 CDT
Greetings,
I was playing around with Microsoft IIS 5.1 when I noticed
something very weird. If you go to a directory which has
basic authentication enabled, and enter the string: %1p as
the login, it will put this into the event logs under the
system subsection:
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 100
Date: 14/05/2002
Time: 2:21:35 PM
User: N/A
Computer: WINDOWS
Description:
The server was unable to logon the Windows NT account
'%
1ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
pppppppppppppppppppppppppppppppppppppppp' due to the
following error: %2 The data is the error code.
For additional information specific to this message please
visit the Microsoft Online Support site located at:
http://www.microsoft.com/contentredirect.asp.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00 ....
(Note: The p after %1 can be any character it seems. I just
used %1p as my example.)
---
If you enter the string: %2 as the login, it will also put
this into the event logs under the system subsection:
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 100
Date: 14/05/2002
Time: 2:24:20 PM
User: N/A
Computer: WINDOWS
Description:
The server was unable to logon the Windows NT
account 'Logon failure: unknown user name or bad
password. ' due to the following error: Logon
failure: unknown user name or bad password. The data is
the error code.
For additional information specific to this message please
visit the Microsoft Online Support site located at:
http://www.microsoft.com/contentredirect.asp.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00 ....
--
If you repeat %2, or %1p it will produce longer entries in
the event logs, depending on how many times you wish to
repeat it. I've been playing with this for a while now, and
it only appears that %2 and %1 (followed by a character)
will cause these weird entries in the event logs. I tested
this on Windows XP Pro with all updates and patches,
running IIS 5.1.
Georgi Guninski confirmed that this format string "flaw"
is present in Windows 2000 with IIS 5.0, as well as the
Microsoft FTP service.
I've given up on playing around with this "flaw", so I'm
posting it to vuln-dev to let other people have a chance
and see what else can be found.
Cheers,
0x00