what you don't know can hurt you

iis-unicode.txt

iis-unicode.txt
Posted Oct 17, 2000
Authored by rain forest puppy | Site wiretrip.net

rain forest puppy's investigation of the recent Microsoft IIS remote command execution vulnerability which was first mentioned in a ms00-078. UNICODE character translation on foreign IIS 4.0 and 5.0 servers allows additional ways of encoding '/' and '\', allowing commands to be executed under the IUSR_machine context.

tags | exploit, remote
MD5 | 0747c7e7a7c3fccad5338bc0d6e7aed9

iis-unicode.txt

Change Mirror Download

Recently I received an email from Par Osterberg that directed my attention
to a post in the Packetstorm forums:

http://209.143.242.119/cgi-bin/cbmc/forums.cgi?authkey=anonymous&uname=anonymous&datopic=Windows&mesgcheck=defined&gum=474&editoron=

An anonymous person posts that they can run arbitrary commands on IIS 5
(Win 2000) using the following URL:

http://address.of.iis5.system/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\

They also gave a sample site that appeared to be vulnerable. Following
the thread shows various people trying (unsuccessfully) to recreate the
problem.

So is the site listed a fake, meant to *appear* vulnerable? Was it due to
a misconfiguration?

First I tried my IIS5/Win2K test server--and it wasn't vulnerable.
However, the sample site was in China (hence the .cn), and they were using
a UNICODE character set different than mine.

So doing a quick search on a search engine for sites hosting the default
IIS5 web page, I found a dozen that had foreign UNICODE fonts--and all of
them were vulnerable.

Checking a few other US-font sites resulted in them being not vulnerable.
So at this point there is enough confirmation that there is a problem. I
can only speculate 'why' this is a vulnerability, and I figure it has to
do something with UNICODE translation.

However, it's still odd. And I'm not satisfied. Pulling up vi (yes,
Marissa, vi--not pico (anymore)), I coded a quick little perl script that
will check all 65535 combinations in place of the %c1%1c in the 'exploit'
URL. Sorry, but I'm not going to post the script, since it's built on
whisker v2.0 code, which I'm not ready to release. :)

Anyways, the script chugged through all 65535, kicking back various errors
from 'Not Found', 'Authentication Required' (?!?), 'Read Access
Forbidden', and various API error messages ('The parameter is incorrect.'
and 'The file, directory name, or syntax is invalid.').

But there in the output, in two particular instances, I had a directory
listing. Yikes.

It seems the values of %c0%af and %c1%9c work for IIS 5. Curiousity
getting the better of me, I tried it on IIS 4. Uh oh, works there too.

So is it UNICODE based? Yes. %c0%af and %c1%9c are overlong UNICODE
representations for '/' and '\'. There may even be longer (3+ byte)
overlong representations too. IIS seems to decode UNICODE at the wrong
instance (after path checking, rather than before). I didn't learn this
until later on (after doing some research on UTF-8).

Obviously, since this was initially posted to a public forum, I take no
credit for the original find--all I did was further develop the research.
Thanks again to Par Osterberg for sending me the URL.

Microsoft has released MS00-078 to warn of the problem. The patch from
MS00-057 ("File permission canonicalization") fixes this problem. Note to
world: MS had a 2 hour turn-around on contact (at 1am, no less), and about
12 hours for talking with the developers, going over the problem, and
deciding a gameplan. I think that's worth a kudos. Thanks to Scott Culp
and David LeBlanc for putting up with me and wasting their weekends. :)

- rain forest puppy

ps. while I thought this was going to be bigger than RDS, it turns out the
program execution happens under IUSR_machine context, so you're limited
(e.g. you can't just grab the SAM, etc).

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    28 Files
  • 2
    Nov 2nd
    1 Files
  • 3
    Nov 3rd
    1 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    19 Files
  • 6
    Nov 6th
    65 Files
  • 7
    Nov 7th
    22 Files
  • 8
    Nov 8th
    18 Files
  • 9
    Nov 9th
    1 Files
  • 10
    Nov 10th
    1 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    65 Files
  • 13
    Nov 13th
    27 Files
  • 14
    Nov 14th
    22 Files
  • 15
    Nov 15th
    18 Files
  • 16
    Nov 16th
    1 Files
  • 17
    Nov 17th
    3 Files
  • 18
    Nov 18th
    22 Files
  • 19
    Nov 19th
    17 Files
  • 20
    Nov 20th
    15 Files
  • 21
    Nov 21st
    16 Files
  • 22
    Nov 22nd
    2 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close