Subject: Re: More information on MS00-044
From: Schoedel, Christine (cschoedel at CLICKNET.COM)
Date: Fri Aug 11 2000 - 19:19:06 CDT
- Next message: Georgi Guninski: "IE 5.5/5.x for Win98 may execute arbitrary files that can be accessed thru Microsoft Networking. Also local Administrator compromise at least on default Windows 2000."
- Previous message: David LeBlanc: "Re: W2K Pro ICS/NAT"
- Maybe in reply to: rain forest puppy: "More information on MS00-044"
- Maybe reply: Schoedel, Christine: "Re: More information on MS00-044"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi!
We found something that hasn't yet been mentioned in any of the discussions
of this issue...
This doesn't just work with http://target/file.asp+.htr. It will also work
if you include other characters between the + and the .htr. For example,
http://target/file.asp+blah.htr will give exactly the same result as
http://target/file.asp+.htr. This appears to work with up to several
hundred characters.
Has anyone else seen this behavior?
Chris
Chris Schoedel
Security Research
ClickNet Software
http://www.clicknet.com
-----Original Message-----
From: rain forest puppy [mailto:rfp at WIRETRIP.NET]
Sent: Friday, August 04, 2000 1:08 PM
To: win2ksecadvice at LISTSERV.NTSECURITY.NET
Subject: Re: More information on MS00-044
> For more information on the '*.htr' exploit look into iishack.asm
> written by eEye last summer.
Wrong exploit. I'm talking about the '+.htr' vulnerability, otherwise
known as the 'HTR file fragment reading' (or somesuch) vulnerability, where
you get the source of the file when you append +.htr to the URL (such as
http://someserver/some.asp+.htr). It's one of the vulnerabilities patched
in MS00-044.
I know there are HTR patches in MS00-019, MS00-031, and MS00-044. I know
I shouldn't be using .htr. All this has nothing to do with the exact
happenings of the vulnerability discussed. ;)
If you are unfamiliar with the vulnerability I'm referring to, then read
the ISBASE advisory posted to Bugtraq last month. A copy can be found at
http://archives.neohapsis.com/archives/bugtraq/2000-07/0233.html
- rain forest puppy
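The request shape the two messages above describe (a "+" before ".htr" at the end of the path, with or without extra characters in between) is easy to look for in web-server logs. The following is an added detection example, not code from either poster; the log lines are constructed in a simplified IIS W3C-style layout, and the function names are this example's own choices.

```python
import re
from urllib.parse import unquote

# Request-path shape discussed in the thread (MS00-044, "HTR file fragment
# reading"): a "+" followed by any run of non-slash characters and then ".htr"
# at the end of the path. The "[^/\s]*" part covers the "+blah.htr" variant
# Chris Schoedel reported, not only the bare "+.htr" form.
HTR_FRAGMENT_RE = re.compile(r"\+[^/\s]*\.htr$", re.IGNORECASE)

# Constructed log lines in a simplified IIS W3C-style layout (not from a real
# server): date time client-ip method uri-stem uri-query status
SAMPLE_LOG_LINES = [
    "2000-08-11 19:19:06 10.0.0.9 GET /default.asp - 200",
    "2000-08-11 19:19:07 10.0.0.9 GET /default.asp+.htr - 200",
    "2000-08-11 19:19:08 10.0.0.9 GET /global.asa+blah.htr - 200",
    "2000-08-11 19:19:09 10.0.0.9 GET /login.asp%2Bx.HTR - 200",
    "2000-08-11 19:19:10 10.0.0.9 GET /scripts/ism.dll page.htr 404",
    "2000-08-11 19:19:11 10.0.0.9 GET /docs/a+b.htm - 200",
]


def is_htr_fragment_request(uri_stem):
    """True when the (percent-decoded) path matches the +.htr pattern."""
    # Decode %2B etc. so an encoded "+" is not missed; unquote() leaves a
    # literal "+" alone (it is unquote_plus() that turns "+" into a space).
    return HTR_FRAGMENT_RE.search(unquote(uri_stem)) is not None


def parse_log_line(line):
    """Split one constructed log line into a dict; None if malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, client_ip, method, uri_stem, uri_query, status = parts
    return {
        "date": date, "time": time, "client_ip": client_ip, "method": method,
        "uri_stem": uri_stem, "uri_query": uri_query, "status": status,
    }


def find_htr_fragment_requests(lines):
    """Return the parsed records whose path matches the +.htr shape."""
    hits = []
    for line in lines:
        record = parse_log_line(line)
        if record is not None and is_htr_fragment_request(record["uri_stem"]):
            hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in find_htr_fragment_requests(SAMPLE_LOG_LINES):
        print(f"{hit['client_ip']} {hit['method']} {hit['uri_stem']} -> {hit['status']}")
```

A 200 status on such a request is the interesting case: it means the server handed back the file content rather than refusing the mapping. The match is deliberately loose about what sits between the "+" and ".htr", since the thread reports that the extra characters do not change the outcome, and it ignores the query string because the behaviour lives in the path component.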
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv at listserv.ntsecurity.net