Bugtraq mailing list archives
Re: IIS %c1%1c remote command execution
From: rain forest puppy <rfp () WIRETRIP NET>
Date: Wed, 18 Oct 2000 18:23:45 -0500
This is one of the vulnerabilities Bruce Schneier warned of in one of the past CRYPTO-GRAM issues. The problem isn't the wrong time of path checking alone, but as well a poorly implemented UTF-8 decoder. RFC 2279 explicitly says that overlong sequences such as 0xC0 0xAF are invalid.
Yep, I agree, and that's because...
Markus Kuhn's UTF-8 stress test file contains some tests covering such problems. It's available at: http://www.cl.cam.ac.uk/~mgk25/ucs/examples/UTF-8-test.txt
Markus' FAQ is what helped me to understand what's going on. It definitely is a good writeup. I also reviewed a writeup located at: http://czyborra.com/utf/ As equally informative.

As UTF support creeps into various places, this may become a more prominent problem. I already foresee uses in virus scanner and IDS evasion.

- rfp
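Added example, not part of the original post or thread: a strict validity check for percent-escaped UTF-8, next to the bit-masking shortcut that makes 0xC0 0xAF and the %c1%1c of the subject line come out as ASCII path separators. The function names and sample inputs are constructed for illustration, and the checker assumes the 4-byte limit of the later RFC 3629 and covers only lead bytes, continuation bytes and overlong forms.

```python
from urllib.parse import unquote_to_bytes

# Minimum code point per sequence length; anything lower is overlong.
MIN_CP = {2: 0x80, 3: 0x800, 4: 0x10000}

def lax_decode_pair(b0: int, b1: int) -> int:
    """What a decoder yields if it masks payload bits without validating them."""
    return ((b0 & 0x1F) << 6) | (b1 & 0x3F)

def utf8_violations(data: bytes) -> list:
    """Return (offset, reason) for every malformed or overlong sequence."""
    found, i = [], 0
    while i < len(data):
        b0 = data[i]
        if b0 < 0x80:                      # plain ASCII
            i += 1
            continue
        if 0xC0 <= b0 <= 0xDF:
            n, cp = 2, b0 & 0x1F
        elif 0xE0 <= b0 <= 0xEF:
            n, cp = 3, b0 & 0x0F
        elif 0xF0 <= b0 <= 0xF7:
            n, cp = 4, b0 & 0x07
        else:                              # 0x80-0xBF or 0xF8+ (4-byte limit assumed)
            found.append((i, "invalid lead byte"))
            i += 1
            continue
        tail = data[i + 1:i + n]
        if len(tail) < n - 1 or any(b & 0xC0 != 0x80 for b in tail):
            found.append((i, "bad continuation byte"))
            i += 1
            continue
        for b in tail:
            cp = (cp << 6) | (b & 0x3F)
        if cp < MIN_CP[n]:                 # shortest-form rule violated
            found.append((i, "overlong encoding of U+%04X" % cp))
        i += n
    return found

def check_escaped(s: str) -> list:
    """Percent-decode to raw bytes first, then validate the UTF-8."""
    return utf8_violations(unquote_to_bytes(s))

if __name__ == "__main__":
    for s in ("%c0%af", "%c1%1c", "%c3%a9"):   # constructed inputs
        print(s, check_escaped(s))
```

The two sequences fail for different reasons: 0xC0 0xAF is well-formed but overlong, while 0xC1 0x1C has a second byte that is not a continuation byte at all, so a check for overlong forms alone would not flag it.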