[17271] in bugtraq


Re: IIS %c1%1c remote command execution

daemon@ATHENA.MIT.EDU (rain forest puppy)
Thu Oct 19 14:34:11 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.10.10010181821070.8710-100000@eight.wiretrip.net>
Date:         Wed, 18 Oct 2000 18:23:45 -0500
Reply-To: rain forest puppy <rfp@WIRETRIP.NET>
From: rain forest puppy <rfp@WIRETRIP.NET>
X-To:         Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <tglmvmz3ek.fsf@mercury.rus.uni-stuttgart.de>

> This is one of the vulnerabilities Bruce Schneier warned of in one of
> the past CRYPTO-GRAM issues.  The problem isn't the wrong time of
> path checking alone, but as well a poorly implemented UTF-8 decoder.
> RFC 2279 explicitly says that overlong sequences such as 0xC0 0xAF are
> invalid.

Yep, I agree, and that's because...

> Markus Kuhn's UTF-8 stress test file contains some tests covering such
> problems.  It's available at:
>         http://www.cl.cam.ac.uk/~mgk25/ucs/examples/UTF-8-test.txt

Markus' FAQ is what helped me to understand what's going on.  It
definitely is a good writeup.

I also reviewed a writeup located at:

	http://czyborra.com/utf/

As equally informative.

As UTF support creeps into various places, this may become a more
prominent problem.  I already foresee uses in virus scanner and IDS
evasion.

- rfp
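
Added example (not part of the original post): a lenient two-byte decoder of the kind the thread criticises, next to a strict one that rejects the overlong sequence 0xC0 0xAF from the quoted text and the %c1%1c bytes from the subject line. The function names and sample paths are constructed for illustration, and the strict decoder assumes the four-byte limit of the later RFC 3629 rather than the longer forms RFC 2279 allowed.

```python
from urllib.parse import unquote_to_bytes

# Smallest code point that legitimately needs a sequence of each length.
MIN_CP = {2: 0x80, 3: 0x800, 4: 0x10000}

def naive_decode(data):
    """Lenient decoder: never checks continuation bits or minimum values."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        wide = 0xC0 <= b < 0xE0 and i + 1 < len(data)
        out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)) if wide else chr(b))
        i += 2 if wide else 1
    return "".join(out)

def strict_decode(data):
    """Decode UTF-8, raising ValueError on malformed or overlong input."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            n, cp = 1, b
        elif 0xC0 <= b < 0xE0:
            n, cp = 2, b & 0x1F
        elif 0xE0 <= b < 0xF0:
            n, cp = 3, b & 0x0F
        elif 0xF0 <= b < 0xF8:
            n, cp = 4, b & 0x07
        else:
            raise ValueError(f"invalid lead byte 0x{b:02X} at offset {i}")
        tail = data[i + 1:i + n]
        if len(tail) != n - 1 or any((t & 0xC0) != 0x80 for t in tail):
            raise ValueError(f"bad continuation after 0x{b:02X} at offset {i}")
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        if n > 1 and cp < MIN_CP[n]:
            raise ValueError(f"overlong {n}-byte form of U+{cp:04X} at offset {i}")
        if cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
            raise ValueError(f"code point U+{cp:04X} out of range at offset {i}")
        out.append(chr(cp))
        i += n
    return "".join(out)

def check_path(url_path):
    """Percent-decode a URL path, then accept it only if it is strict UTF-8."""
    try:
        return "ok", strict_decode(unquote_to_bytes(url_path))
    except ValueError as err:
        return "reject", str(err)
```

Any path check (or scanner signature match) has to run on the output of the same strict decoding step the consumer uses; checking the raw bytes and decoding afterwards is the ordering problem the quoted text describes.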
