Vulnerability Development mailing list archives
Re: iis 5 %00 null weirdness
From: <securityfocus () poulsennet com>
Date: Mon, 16 Feb 2004 07:14:46 -0700
This is an "old" vulnerability addressed in KB832894. The description and patch can be found on http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-004.asp

Kind Regards
Michael Poulsen, CISSP

----- Original Message -----
From: Chris Katscher
To: vuln-dev () securityfocus com
Sent: 11 Feb 2004 21:17:33 -0000
Subject: Re: iis 5 %00 null weirdness
In-Reply-To: <web-23498678 () gator darkhorse com>

I have no idea what is going on with this "vulnerability" but I can't find anything about it on Microsoft's site. They either don't know about it or are trying to keep it quiet. I will say this, scammers REALLY know about it. I have gotten two scam emails in the past few weeks using this vulnerability. Here:

From: "Flightiest G. Lever" <support () yahoo-services com>
Date: Sun, 25 Jan 2004 12:51:36 -0500
Subject: Important Information Regarding Your Account cO3VRQmN

The email looks very professional; in fact it fooled me into thinking it was an actual yahoo site that might have gotten r00ted by a scammer, and tries to get me to click on the link:
http://wallet.yahoo.com%00@211.174.60.96/manual/images/

Here is another example:

From: "_Yahoo*" <herb () zipolite com>
Date: Sat, 07 Feb 2004 14:27:37 -0500
Subject: _Your _Yahoo user id (spatch3 () yahoo com)

This is a very unprofessional email and tries to get you to click on the link:
http://Spatch.yahoo.com%00@%75%68%6b%72%6539%65%64%2e%44%61%2e%52%75/%3f%708%510%78
Which I have decoded the domain to be: uhkre39ed.Da.Ru/?p8Q0x

I have already sent complaint emails about these scams to the proper domain registrars; however, what really bothers me is that IE is vulnerable to this type of human trickery. Even _I_ was fooled when I first saw it, and I don't fool easily. It wasn't until I copied the URL and then pasted it into notepad and then clicked on it in Netscape that I saw where the URL was really re-directing me to.

Since this kind of hidden URL exploit doesn't work in Netscape 6.2 I'll definitely call it an IE 5.5 bug.

BTW: the characters before the @ must be:
hex: 01 25 30 30
which looks like: %00

Hope this helps!
Chris Katscher
From: "wirepair" <wirepair () roguemail net>
Subject: iis 5 %00 null weirdness
To: vuln-dev () securityfocus com
Date: Thu, 11 Dec 2003 11:15:38 -0800
Message-ID: <web-23498678 () gator darkhorse com>
lo all,
While playing with IIS I was messing around with the old school webhits vuln, I tried injecting some null characters to see how it would respond. To my surprise I all of a sudden got the web page I requested (not the source, just the page). But the images were all broken; this obviously piqued my interest so I viewed the info of the page.
When requesting an asp page (or aspx), such as
http://iisserver/iisstart.asp%00/%00/%00/
you'll notice the image file now contains the path:
http://iisserver/iisstart.asp%00/%00/%00/pagerror.gif
Any link from the asp page requested will have the null bytes injected into its path.
It isn't just nulls either, you can basically (after the first one) inject any string:
http://iisserver/iisstart.asp%00/%2e%2e/
Shows the broken image as having the path:
http://iisserver/iisstart.asp%00/%2e%2e/pagerror.gif
Now I assume this isn't normal behaviour but my questions are:
A. Why is this happening?
and
B. Is there anyway we can take advantage of this?
I tried the obvious stuff like moving the pagerror.gif outside the webroot, and it still showed up as a broken image, so I assume the %00 is causing the %2e%2e to not *actually* break the web root.
Any thoughts folks?
-wire
Everyone has a plan until they get hit.
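The two scam links quoted by Chris Katscher rely on the `user@host` form of an HTTP URL: everything before the `@` is userinfo, and a client that stops rendering at the embedded `%00` shows only the fake "wallet.yahoo.com" part while actually connecting to the host after the `@`. The following script is an added example (not code from the thread or from Microsoft) that parses such links the way a mail gateway or log reviewer would, reporting the host a standards-conforming client really connects to next to the host a truncating display would show. The sample URLs are the ones quoted in the thread plus one benign control; the finding labels are this example's own naming.

```python
"""Flag URLs whose userinfo part is dressed up to look like the hostname.

Added example, not part of the original thread.  It decodes the two links
Chris Katscher quoted and reports the host a client actually connects to.
"""
from urllib.parse import urlsplit, unquote

# Constructed sample: the two links from the thread plus a benign control.
SAMPLE_URLS = [
    "http://wallet.yahoo.com%00@211.174.60.96/manual/images/",
    "http://Spatch.yahoo.com%00@%75%68%6b%72%6539%65%64%2e%44%61%2e%52%75/%3f%708%510%78",
    "https://login.example.com/account",
]


def analyze_url(url: str) -> dict:
    """Split a URL into the host it really targets and the host a naive
    display (one that stops at the first NUL) would show, plus findings."""
    parts = urlsplit(url)
    # RFC 3986: the authority is [userinfo@]host[:port]; the last '@' wins.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    # Decode %xx escapes in the host and drop any port before comparing.
    actual_host = unquote(hostport).split(":", 1)[0].lower()
    decoded_userinfo = unquote(userinfo) if at else ""
    # What a client that truncates at NUL would render as "the site".
    apparent_host = decoded_userinfo.split("\x00", 1)[0] if at else actual_host

    findings = []
    if at:
        findings.append("userinfo-before-@")
        if "\x00" in decoded_userinfo:
            findings.append("null-byte-in-userinfo")
        if "." in apparent_host:
            findings.append("userinfo-looks-like-hostname")
        if apparent_host.lower() != actual_host:
            findings.append("displayed-host-mismatch")
    if "%" in hostport:
        # Hostnames have no legitimate reason to be percent-encoded.
        findings.append("percent-encoded-host")

    return {
        "url": url,
        "apparent_host": apparent_host,
        "actual_host": actual_host,
        "path": unquote(parts.path),
        "findings": findings,
        "suspicious": bool(findings),
    }


def suspicious_urls(urls):
    """Return the analysis records for every URL that raised a finding."""
    return [r for r in (analyze_url(u) for u in urls) if r["suspicious"]]


if __name__ == "__main__":
    for rec in (analyze_url(u) for u in SAMPLE_URLS):
        print(f"{rec['url']}\n  shows: {rec['apparent_host']}\n"
              f"  connects to: {rec['actual_host']}{rec['path']}\n"
              f"  findings: {', '.join(rec['findings']) or 'none'}")
```

Run stand-alone it prints, for the second link, the decoded destination `uhkre39ed.da.ru/?p8Q0x` that Chris worked out by hand. The check deliberately treats any userinfo in an HTTP link as worth a look, since legitimate mail rarely contains credentials in URLs; the null byte and the percent-encoded host are the stronger signals on top of that.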