From: Ken Pfeil (KenINFOSEC101.ORG)
Date: Wed Sep 19 2001 - 14:57:37 CDT

    They would have saved themselves a lot of "research time" by reading:

    http://www.eeye.com/html/Research/Advisories/AD20010705.html

    > -----Original Message-----
    > From: MJE [mailto:markNTSHOP.NET]
    > Sent: Wednesday, September 19, 2001 3:47 PM
    > To: win2ksecadviceLISTSERV.NTSECURITY.NET
    > Subject: FW: New vulnerability in IIS4.0/5.0
    >
    >
    >
    > This showed up on BugTraq this afternoon:
    >
    > Mark
    >
    >
    >
    > -----Original Message-----
    > From: ALife // BERG [mailto:buginfoinbox.ru]
    > Sent: Wednesday, September 19, 2001 3:38 AM
    > To: Bugtraqsecurityfocus.com
    > Subject: New vulnerability in IIS4.0/5.0
    >
    >
    > -----[ Bright Eyes Research Group | Advisory # be00001e ]-----------------
    >
    > Remote users can execute any command on several
    > IIS 4.0 and 5.0 systems by using UTF codes
    >
    > -------------------------------------[ security.instock.ru ]--------------
    >
    > Topic: Remote users can execute any command on several
    > IIS 4.0 and 5.0 systems by using UTF codes
    >
    > Announced: 2001-09-19
    > Credits: ALife <buginfoinbox.ru>
    > Affects: Microsoft IIS 4.0/5.0
    >
    > --------------------------------------------------------------------------
    >
    > ---[ Description
    >
    > For example, the target has a virtual executable directory (e.g.
    > "scripts") that is located on the same drive as the Windows system.
    > Submit a request like this:
    >
    > http://target/scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+dir+c:\
    >
    > Directory list of C:\ will be revealed.
    >
    > Of course, the same effect can be achieved by applying this kind of
    > processing to '/' and '.'. For example: "..%u002f", ".%u002e/", "..%u00255c",
    > "..%u0025%u005c" ...
    >
    > Note: An attacker can run commands only with the privileges of the
    > IUSR_machinename account.
    >
    > This is where things go wrong in IIS 4.0 and 5.0: IIS first scans
    > the given URL for ../ and ..\ and for the normal Unicode encodings of these
    > strings. If those are found, the string is rejected; if they are
    > not found, the string is decoded and interpreted. Since the filter
    > does NOT check for the huge number of overlong Unicode representations
    > of ../ and ..\, the filter is bypassed and the directory traversal
    > routine is invoked.
    >
    > ---[ Workarounds
    >
    > 1. Delete the executable virtual directory such as /scripts etc.
    > 2. If an executable virtual directory is needed, we suggest you
    > assign a separate local drive for it.
    > 3. Move all command-line utilities that could be used by an attacker
    > to another directory, and forbid the GUEST group access to those
    > utilities.
    >
    > ---[ Vendor Status
    >
    > 2001.09.19 We informed Microsoft of this vulnerability.
    >
    > ---[ Additional Information
    >
    > [1] RFC 1642 UTF-7 - A Mail-Safe Transformation Format of Unicode.
    > RFC 2152
    > [2] RFC 2044 UTF-8, a transformation format of Unicode and ISO 10646.
    > RFC 2279
    > [3] RFC 2253 Lightweight Directory Access Protocol (v3): UTF-8 String
    > Representation of Distinguished Names.
    >
    > ---[ DISCLAIMER
    >
    > THE INFORMATION PROVIDED IS RELEASED BY BRIGHT EYES RESEARCH GROUP (BERG)
    > "AS IS" WITHOUT WARRANTY OF ANY KIND. BERG DISCLAIMS ALL WARRANTIES,
    > EITHER EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY.
    > IN NO EVENT SHALL BERG BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING
    > DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR
    > SPECIAL DAMAGES, EVEN IF BERG HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
    > DAMAGES. DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PERMITTED PROVIDED THAT
    > THE ADVISORY IS NOT MODIFIED IN ANY WAY.
    >
    > -------------------------------------[ security.instock.ru ]--------------
    > -----[ Bright Eyes Research Group | Advisory # be00001e ]-----------------
    >
    >

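The advisory quoted above attributes the bypass to a filter that inspects the raw URL and decodes it afterwards. The following Python example, added here and not part of the original post or of the BERG advisory, contrasts that check-then-decode ordering with canonicalize-then-check over constructed sample paths built from the encodings the advisory lists. The `%uXXXX` handling is a simplified model of what the advisory describes, not a reimplementation of the IIS decoder.

```python
import re

# Constructed sample request paths: the first three use the encoded forms the
# advisory lists, the fourth is the plain form the IIS filter already rejects,
# and the last two are benign controls that must not be flagged.
SAMPLE_PATHS = [
    "/scripts/..%u005c..%u005cwinnt/system32/cmd.exe",
    "/scripts/..%u002f..%u002fwinnt/system32/cmd.exe",
    "/scripts/..%u00255c..%u00255cwinnt/system32/cmd.exe",
    "/scripts/../winnt/system32/cmd.exe",
    "/scripts/foo.asp",
    "/scripts/report%202001.asp",
]

_UNICODE_ESC = re.compile(r"%u([0-9a-fA-F]{4})")
_PERCENT_ESC = re.compile(r"%([0-9a-fA-F]{2})")

def decode_once(path: str) -> str:
    """One decoding pass: %uXXXX escapes first, then ordinary %XX escapes."""
    path = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), path)
    return _PERCENT_ESC.sub(lambda m: chr(int(m.group(1), 16)), path)

def canonicalize(path: str, max_rounds: int = 4) -> str:
    """Decode until nothing changes (so "..%u00255c" -> "..%5c" -> "..\\") and
    fold backslashes into slashes, since IIS on Windows accepts both separators."""
    for _ in range(max_rounds):
        decoded = decode_once(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def has_traversal(path: str) -> bool:
    """True if any path segment is exactly '..'."""
    return any(seg == ".." for seg in path.split("/"))

def naive_check(raw: str) -> bool:
    """The ordering the advisory describes: inspect the raw string, decode later."""
    return has_traversal(raw.replace("\\", "/"))

def canonical_check(raw: str) -> bool:
    """Decode to a fixed point first, then apply the same traversal test."""
    return has_traversal(canonicalize(raw))

def compare(paths):
    """Return {path: (naive_verdict, canonical_verdict)} for a batch of request paths."""
    return {p: (naive_check(p), canonical_check(p)) for p in paths}
```

Decoding to a fixed point deliberately errs toward flagging (a literal "%2525" in a benign name is also folded), which is the right bias for a request filter or detection rule but not for a decoder that must preserve the client's intended bytes.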