[20678] in bugtraq
RE: About the new IIS %252c bug.
daemon@ATHENA.MIT.EDU (Matt Rudge)
Wed May 16 16:46:57 2001
Message-ID: <D0A4D670C7EAD411964800105ADE8C9C041C@NT_SERVER>
From: Matt Rudge <mrudge@hcs.ie>
To: "'neme-dhc@hushmail.com'" <neme-dhc@hushmail.com>,
bugtraq@securityfocus.com
Date: Wed, 16 May 2001 17:39:38 +0100

I have tested this on patched and unpatched IIS 4 & 5 servers and have found
some strange results also. Several recently patched IIS5 servers that I
tested are not vulnerable to the Unicode bug (as would be expected), but are
vulnerable to this one. Similarly with patched IIS4 servers I have tried.
However, I have tried one patched IIS4 server that proved not to be
vulnerable - the difference... none. Apart from the fact that the
invulnerable server was the only one I actually, physically, patched myself.
But I can't remember what I did that would make a difference.

This is why, for all installations, I now put all executable directories on
a separate drive and rename the command interpreter.

Cheers
Matt

-----Original Message-----
From: neme-dhc@hushmail.com [mailto:neme-dhc@hushmail.com]
Sent: 16 May 2001 00:16
To: bugtraq@securityfocus.com
Subject: About the new IIS %252c bug.
Hi,

I spotted the same behaviour on my win2k + IIS 5.0 installation. When I
installed the unicode patch this problem disappeared. Hence why I did not
publish this. Maybe other people can reproduce this as well?

Another one that works is %252f.

%255c and %252f (slash and backslash) worked before I applied the patch
and ceased working afterwards.

%255c and %252f are NOT unicode codes but hex codes. I find it strange that
the unicode patch fixed this.

IIS4.0 installations without the unicode patch were not vulnerable when
I tried.

greetz,
nemesystm
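
Editor's added example, not part of either message above: %25 is the percent sign itself, so %255c and %252f only turn into a backslash or slash when a server decodes the path a second time. The Python sketch below decodes request paths until they stop changing and flags any path whose separators appear only after the first pass. The function names and sample paths are constructed for illustration.

```python
import re
from urllib.parse import unquote

# A percent-encoded '%' followed by two hex digits: the mark of double encoding.
DOUBLE_ENCODED = re.compile(r"%25[0-9a-fA-F]{2}")
SEPARATOR = re.compile(r"[\\/]")

def decode_fully(path, max_passes=5):
    """Percent-decode until the string is stable; return (result, passes)."""
    passes = 0
    while passes < max_passes:
        decoded = unquote(path, encoding="latin-1")  # latin-1 maps bytes 1:1
        if decoded == path:
            break
        path, passes = decoded, passes + 1
    return path, passes

def classify(path):
    """Describe a raw request path as seen in a web server log."""
    once = unquote(path, encoding="latin-1")   # what a single decode sees
    final, passes = decode_fully(path)         # what repeated decoding sees
    return {
        "double_encoded": bool(DOUBLE_ENCODED.search(path)),
        "passes": passes,
        # More separators after full decoding than after one pass means a
        # slash or backslash was hidden from any check done after one decode.
        "hidden_separator": len(SEPARATOR.findall(final)) > len(SEPARATOR.findall(once)),
        "traversal": ".." in SEPARATOR.split(final),
    }

# Constructed sample paths (not taken from the thread or from real logs).
SAMPLE_PATHS = [
    "/app/..%255c../file.txt",   # double-encoded backslash
    "/app/..%252f../file.txt",   # double-encoded slash
    "/app/..%5c../file.txt",     # single-encoded backslash
    "/images/logo%20v2.png",     # ordinary encoded space
]

def flagged(paths):
    """Return the paths a log review should surface for double decoding."""
    return [p for p in paths if classify(p)["hidden_separator"]]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, classify(p))
```
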