Bugtraq mailing list archives
Re: IIS %c1%1c remote command execution
From: Florian Weimer <Florian.Weimer () RUS UNI-STUTTGART DE>
Date: Wed, 18 Oct 2000 15:26:27 +0200
rain forest puppy <rfp () WIRETRIP NET> writes:
> So is it UNICODE based? Yes. %c0%af and %c1%9c are overlong UNICODE
> representations for '/' and '\'. There may even be longer (3+ byte)
> overlong representations too. IIS seems to decode UNICODE at the wrong
> instance (after path checking, rather than before). I didn't learn this
> until later on (after doing some research on UTF-8).
This is one of the vulnerabilities Bruce Schneier warned of in one of the past CRYPTO-GRAM issues. The problem isn't the wrong time of path checking alone, but also a poorly implemented UTF-8 decoder. RFC 2279 explicitly says that overlong sequences such as 0xC0 0xAF are invalid.

Markus Kuhn's UTF-8 stress test file contains some tests covering such problems. It's available at:

http://www.cl.cam.ac.uk/~mgk25/ucs/examples/UTF-8-test.txt

(I just checked, and Netscape Communicator 4.75 appears to have a broken UTF-8 decoder, too.)

It's a pity that a lot of UTF-8 decoders in free software fail such tests as well, either by design or careless implementation.

-- 
Florian Weimer                    Florian.Weimer () RUS Uni-Stuttgart DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
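The two defects the thread names (a UTF-8 decoder that accepts overlong sequences, and a path check that runs before decoding) can be shown side by side in a few lines. The following is an added example, not code from the Bugtraq post or from IIS: it contains a deliberately lenient decoder of the kind Florian describes, a strict decoder that enforces the shortest-form rule of RFC 2279, and a traversal check applied in both orders. The sample request paths and the directory names in them are constructed for illustration; the byte values 0xC0 0xAF and 0xC1 0x9C are the ones quoted in the thread, and 0xE0 0x80 0xAF is the three-byte overlong form of '/' that rfp alludes to.

```python
"""Overlong UTF-8 in URL paths: lenient vs. strict decoding, check before vs.
after decoding.  Added example; not part of the original post."""
import re

# Constructed sample paths (directory names are made up for the example).
BENIGN_PATH = "/public/notes.txt"
OVERLONG_TRAVERSAL = "/public/..%c0%afprivate/notes.txt"   # %c0%af is an overlong '/'

# Smallest code point that each sequence length may legitimately encode
# (RFC 2279 / RFC 3629 shortest-form rule).
_MIN_CODEPOINT = {1: 0x0, 2: 0x80, 3: 0x800, 4: 0x10000}

# Matches a ".." path segment delimited by '/' or '\' (or the path ends).
_TRAVERSAL = re.compile(r"(^|[/\\])\.\.([/\\]|$)")


def percent_decode(path: str) -> bytes:
    """Turn %XX escapes into raw bytes; other characters pass through as UTF-8."""
    out = bytearray()
    i = 0
    while i < len(path):
        if path[i] == "%" and re.fullmatch(r"[0-9A-Fa-f]{2}", path[i + 1:i + 3]):
            out.append(int(path[i + 1:i + 3], 16))
            i += 3
        else:
            out += path[i].encode("utf-8")
            i += 1
    return bytes(out)


def _utf8_decode(data: bytes, strict: bool) -> str:
    """Decode UTF-8 by hand.  With strict=False the byte pattern is honoured but
    the shortest-form rule is never checked, so 0xC0 0xAF silently becomes '/'."""
    out, i = [], 0
    while i < len(data):
        lead = data[i]
        if lead < 0x80:
            cp, n = lead, 1
        elif 0xC0 <= lead < 0xE0:
            cp, n = lead & 0x1F, 2
        elif 0xE0 <= lead < 0xF0:
            cp, n = lead & 0x0F, 3
        elif 0xF0 <= lead < 0xF8:
            cp, n = lead & 0x07, 4
        else:
            raise ValueError(f"invalid lead byte 0x{lead:02x} at offset {i}")
        if i + n > len(data):
            raise ValueError(f"truncated sequence at offset {i}")
        for j in range(1, n):
            cont = data[i + j]
            if cont & 0xC0 != 0x80:
                raise ValueError(f"bad continuation byte 0x{cont:02x} at offset {i + j}")
            cp = (cp << 6) | (cont & 0x3F)
        if strict:
            if cp < _MIN_CODEPOINT[n]:
                raise ValueError(f"overlong {n}-byte sequence for U+{cp:04X} at offset {i}")
            if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
                raise ValueError(f"code point U+{cp:04X} not allowed at offset {i}")
        out.append(chr(cp))
        i += n
    return "".join(out)


def lenient_utf8_decode(data: bytes) -> str:
    return _utf8_decode(data, strict=False)


def strict_utf8_decode(data: bytes) -> str:
    return _utf8_decode(data, strict=True)


def stdlib_accepts(data: bytes) -> bool:
    """True if Python's own UTF-8 codec accepts the bytes (it rejects overlong forms)."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def has_traversal(path: str) -> bool:
    return _TRAVERSAL.search(path) is not None


def check_before_decode(raw_path: str):
    """The flawed order: inspect the still-encoded text, then decode leniently.
    Returns (allowed, decoded_path)."""
    if has_traversal(raw_path):
        return False, None
    return True, lenient_utf8_decode(percent_decode(raw_path))


def check_after_strict_decode(raw_path: str):
    """The sound order: decode strictly first (rejecting overlong forms), then
    inspect the decoded path.  Returns (allowed, decoded_path)."""
    try:
        decoded = strict_utf8_decode(percent_decode(raw_path))
    except ValueError:
        return False, None
    if has_traversal(decoded):
        return False, None
    return True, decoded


if __name__ == "__main__":
    for path in (BENIGN_PATH, OVERLONG_TRAVERSAL):
        print(path, "->", check_before_decode(path), check_after_strict_decode(path))
```

Running the block shows the benign path passing both orders, while the overlong path passes the pre-decode check and then decodes to a literal `/../` segment; the strict-first order rejects it at the decoder, before the path is ever looked at. The same strict decoder is a drop-in test harness for Markus Kuhn's stress file: every overlong and surrogate case in that file should raise.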
Current thread:
- IIS %c1%1c remote command execution rain forest puppy (Oct 17)
- Re: IIS %c1%1c remote command execution Florian Weimer (Oct 18)
- Re: IIS %c1%1c remote command execution rain forest puppy (Oct 19)
- [LoWNOISE] addendum %c1%1c IIS 4.0/5.0 Remote command execution ET LoWNOISE (Oct 20)
- Re: IIS %c1%1c remote command execution rain forest puppy (Oct 19)
- <Possible follow-ups>
- Re: IIS %c1%1c remote command execution Nsfocus Security Team (Oct 18)
- Re: IIS %c1%1c remote command execution Cris Bailiff (Oct 19)
- Re: IIS %c1%1c remote command execution Florian Weimer (Oct 18)