Re: iis 5 %00 null weirdness

securityfocuspoulsennet.com
Date: Mon Feb 16 2004 - 08:14:46 CST


This is an "old" vulnerability addressed in KB832894. The description and patch can be found at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-004.asp

Kind Regards

Michael Poulsen, CISSP

----- Original Message -----
From: Chris Katscher
To: vuln-dev@securityfocus.com
Sent: 11 Feb 2004 21:17:33 -0000
Subject: Re: iis 5 %00 null weirdness
In-Reply-To: <web-23498678@gator.darkhorse.com>

I have no idea what is going on with this "vulnerability" but I can't find anything about it on
Microsoft's site. They either don't know about it or are trying to keep it quiet. I will say
this, scammers REALLY know about it. I have gotten two scam emails in the past few weeks using
this vulnerability.

Here:

From: "Flightiest G. Lever" <support@yahoo-services.com>
Date: Sun, 25 Jan 2004 12:51:36 -0500
Subject: Important Information Regarding Your Account cO3VRQmN

The email looks very professional, in fact it fooled me into thinking it was an actual yahoo site
that might have gotten r00ted by a scammer, and tries to get me to click on the link:

http://wallet.yahoo.com%00@211.174.60.96/manual/images/

Here is another example:

From: "_Yahoo*" <herbzipolite.com>
Date: Sat, 07 Feb 2004 14:27:37 -0500
Subject: _Your _Yahoo user id (spatch3@yahoo.com)

This is a very unprofessional email and tries to get you to click on the link:

http://Spatch.yahoo.com%00@%75%68%6b%72%6539%65%64%2e%44%61%2e%52%75/%3f%708%510%78

Which I have decoded the domain to be:

uhkre39ed.Da.Ru/?p8Q0x

I have already sent complaint emails about these scams to the proper domain registrars; however,
what really bothers me is that IE is vulnerable to this type of human trickery. Even _I_ was
fooled when I first saw it, and I don't fool easily. It wasn't until I copied the URL, pasted it
into Notepad and then clicked on it in Netscape that I saw where the URL was really redirecting
me to. Since this kind of hidden URL exploit doesn't work in Netscape 6.2 I'll definitely call it
an IE 5.5 bug.

BTW: the characters before the @ must be:

hex: 01 25 30 30

which looks like:

%00

Hope this helps!

Chris Katscher


>From: "wirepair" <wirepair@roguemail.net>
>Subject: iis 5 %00 null weirdness
>To: vuln-dev@securityfocus.com
>X-Mailer: CommuniGate Pro WebUser Interface v.4.1.8
>Date: Thu, 11 Dec 2003 11:15:38 -0800
>Message-ID: <web-23498678@gator.darkhorse.com>

>

>lo all,
>
>While playing with IIS I was messing around with the old school webhits vuln, I tried injecting
>some null characters to see how it would respond. To my surprise I all of a sudden got the web
>page I requested (not the source, just the page). But the images were all broken, this obviously
>piqued my interest so I viewed the info of the page.
>
>When requesting an asp page (or aspx), such as
>
>http://iisserver/iisstart.asp%00/%00/%00/
>
>you'll notice the image file now contains the path:
>
>http://iisserver/iisstart.asp%00/%00/%00/pagerror.gif
>
>Any link from the asp page requested will have the null bytes injected into its path.
>It isn't just nulls either, you can basically (after the first one) inject any string:
>
>http://iisserver/iisstart.asp%00/%2e%2e/
>
>Shows the broken image as having the path:
>
>http://iisserver/iisstart.asp%00/%2e%2e/pagerror.gif
>
>Now I assume this isn't normal behaviour but my questions are:
>
>A. Why is this happening?
>
>and
>
>B. Is there any way we can take advantage of this?
>
>I tried the obvious stuff like moving the pagerror.gif outside the webroot, and it still showed up
>as a broken image so I assume the %00 is causing the %2e%2e to not *actually* break the web root.
>
>Any thoughts folks?
>
>-wire
>
>Everyone has a plan until they get hit.

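As an added example (not part of the thread, and not code written by any of the posters), the Python script below does mechanically what Chris did by hand with Notepad and Netscape: it percent-decodes a suspicious link, reports which host an RFC 3986 parser actually connects to, and flags the three tricks the two phishing mails rely on (a fake host placed in the userinfo before "@", control bytes in the authority, and a percent-encoded real hostname). It also resolves a relative image reference against wirepair's IIS request URLs, which shows why every image on the returned page broke: the browser resolves `pagerror.gif` against the full request path, including the `%00/` segments the server itself does not act on. The two phishing URLs are reconstructed from the messages above with the raw 0x01 byte Chris identified re-inserted before the `%00`; `iisserver` is wirepair's own placeholder; `naive_display` models the truncation behaviour described in the thread rather than any tested IE build, and `server_sees` is an assumption about how the server handled the path, drawn only from wirepair's report that the page was still served.

```python
"""Decode a suspicious link the way an analyst would, not the way a 2004 browser did.

Added example; not code from the mailing-list thread or from any of its posters.
"""
from urllib.parse import unquote, urljoin, urlsplit

# Constructed samples, reconstructed from the messages above. Assumption: the bytes
# between the fake host and the real one are 0x01 '%' '0' '0' '@', as Chris's hex
# dump (01 25 30 30) and the stripped '@' indicate.
PHISH_1 = "http://wallet.yahoo.com\x01%00@211.174.60.96/manual/images/"
PHISH_2 = ("http://Spatch.yahoo.com\x01%00@"
           "%75%68%6b%72%6539%65%64%2e%44%61%2e%52%75/%3f%708%510%78")
# wirepair's request URLs; 'iisserver' is his placeholder hostname.
IIS_REQUESTS = [
    "http://iisserver/iisstart.asp%00/%00/%00/",
    "http://iisserver/iisstart.asp%00/%2e%2e/",
]

# C0 control characters plus DEL: none of these belong anywhere in an authority.
CONTROL_CHARS = {chr(c) for c in range(0x20)} | {"\x7f"}


def naive_display(raw: str) -> str:
    """What a display routine that stops at the first control byte would show.

    Models the truncation behaviour described in the thread (the address bar
    showing only the text before the 0x01 byte). Illustration, not a test of IE.
    """
    decoded = unquote(raw)
    for i, ch in enumerate(decoded):
        if ch in CONTROL_CHARS:
            return decoded[:i]
    return decoded


def audit_url(raw: str) -> dict:
    """Split the URL per RFC 3986 and flag the tricks a spoofed link relies on."""
    parts = urlsplit(raw)
    userinfo, has_at, _ = parts.netloc.rpartition("@")
    host = parts.hostname or ""          # the host a conforming client connects to
    decoded_netloc = unquote(parts.netloc)
    findings = []
    if has_at:
        findings.append(f"userinfo before '@': {userinfo!r} is a username, not the host")
    ctrl = sorted({ch for ch in decoded_netloc if ch in CONTROL_CHARS})
    if ctrl:
        findings.append("control bytes in authority: "
                        + " ".join(f"0x{ord(c):02x}" for c in ctrl))
    if "%" in host:
        findings.append(f"percent-encoded hostname: {host!r} -> {unquote(host)!r}")
    return {
        "naive_display": naive_display(raw),
        "real_host": host,
        "decoded_host": unquote(host),
        "decoded_path": unquote(parts.path),
        "findings": findings,
    }


def browser_resolves(request_url: str, relative_ref: str) -> str:
    """Resolve a relative reference (an <img src>) against the full request URL,
    as the browser does. The %00 and %2e%2e segments survive untouched."""
    return urljoin(request_url, relative_ref)


def server_sees(request_url: str) -> str:
    """Request path up to the first decoded NUL.

    Assumption modelling wirepair's report (the page was served despite the extra
    %00/... segments): the server stops reading the path at the NUL.
    """
    return unquote(urlsplit(request_url).path).split("\x00", 1)[0]


if __name__ == "__main__":
    for url in (PHISH_1, PHISH_2):
        report = audit_url(url)
        print("displayed as :", report["naive_display"])
        print("connects to  :", report["decoded_host"], "path", report["decoded_path"])
        for finding in report["findings"]:
            print("  !", finding)
    for req in IIS_REQUESTS:
        print(server_sees(req), "<- served;  <img src=pagerror.gif> resolves to ->",
              browser_resolves(req, "pagerror.gif"))
```

Running the script against the two reconstructed links prints `http://wallet.yahoo.com` and `http://Spatch.yahoo.com` as the truncated display but `211.174.60.96` and `uhkre39ed.Da.Ru` as the hosts actually contacted, each with all applicable findings listed; for the IIS URLs it prints `/iisstart.asp` as the path the server acts on beside the full `.../%00/%00/%00/pagerror.gif` and `.../%00/%2e%2e/pagerror.gif` paths the browser requests for the image, which is exactly the broken-image effect wirepair describes.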