Re: New vulnerability in IIS4.0/5.0

From: César González (cesar@eureka-sistemas.com)
Date: 09/19/01


Message-Id: <200109192130.f8JLUgj15852@bolo.sytes.net>
From: César González <cesar@eureka-sistemas.com>
To: Bugtraq@securityfocus.com
Subject: Re: New vulnerability in IIS4.0/5.0
Date: Wed, 19 Sep 2001 23:30:42 +0200


>
> Has anyone managed to exploit a patched system?

I have tested the vulnerability in a patched W2k spanish version 100% free of
UNICODE vulnerability. I cant exploit nothing but there are a diference
between an attack with the UNICODE representation and the UTF one. Look :

With UNICODE :

HTTP/1.1 404 Objeto no encontrado
Server: Microsoft-IIS/5.0
Date: Wed, 19 Sep 2001 21:15:31 GMT
Content-Length: 3404
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html dir=ltr>

<head>
.....
.....
..... the usual not found page.....

with UTF :

HTTP/1.1 500 Error del servidor
Server: Microsoft-IIS/5.0
Date: Wed, 19 Sep 2001 21:16:29 GMT
Content-Type: text/html
Content-Length: 88
 
<html><head><title>Error</title></head><body>El parámetro no es correcto.
</body></html>

I have "The paremeter is incorrect" for response.
Note the HTTP/1.1 500 (Server Error) in difference with the last HTTP/1.1 404
(not found)

strange....
Other experiences?

César González Revilla
Eureka Sistemas S.L.
C/ San Fernando 16 bajo
39010 Santander

http://www.eureka-sistemas.com/

cesar@eureka-sistemas.com

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org
 
mQGiBDsshKoRBADzt7m8nsYJ02l3Vh794IuBQITQ+Ks6anzdKrsAhb2WXoE3eICY
gdi21727h9L4bJAHwBGf0//zTMbKXYSRBfB8qi2LkJpam/zvdGi8jY7VmEiyOSnu
aDhaXzXLY/K9QhVey8IS4N2D/taMYURvxsXdpslfwxKr2+C0gReL487LwwCgxgXo
QZSPhgcqQH2T09bNDQzJWM0EAL5ohJlXoxG2LJKnw+1fRwwGhkHY/m5ZIk6KnPHx
JjBLytAUYuGf+KapDOk1kGBOnnmGNOU/mvBe4/SpsfaIE9Dr1IwT7a566pNUTCjq
SXXTWXbMPfQYg2fxC9Q6BnKY7ksLPes0tM8ZxTYPQbEgGS2kzRwDcNq1gI8df9Ij
NTLdBACQXDy6RlE3Ruqzq2zHvYW5Bw8J0O2A71JUh/+/giF2J36pE4CP5kOQfXGO
WHVf9EQMWRJILjLrYJuxz7MTIoaneLCYsX+pQN85bllBvdBNpXMr6Gfl0/WDz34b
RUYk1sfmfDj+s3bQdzkdUtB0GKHV5wyYXKiWjIufsC4jxizmT7RBQ2VzYXIgR29u
emFsZXogUmV2aWxsYSAoQUtBIEJvbG9Ucm9uKSA8Y2VzYXJAZXVyZWthLXNpc3Rl
bWFzLmNvbT6IVwQTEQIAFwUCOyyEqgULBwoDBAMVAwIDFgIBAheAAAoJEDA5nDye
t7spk5AAnAqy+Yqd8FO/27umg3EvtjGUU+tjAJ9jaRBI1Bc/sb2Nq48+Vp9RT4VI
1rkBDQQ7LIS6EAQAkK3BHsTfJM2PriGBhfkc3UK9pMLMd7hYeRmh8ZW0S3NBwul/
PaD9luVIKRkJLJHElO4E5a4PMu27vBTSqPcdUKy5IeAD42WlaemU4bgTP0wCv7rU
UJCbtaKkpl0m86AGqVBd/0mBwSQUKrcJmMfCskpA2LNUjibOvjPVWjmph8MAAwUD
/1uLj+9Ptkkhuy7LGBfivMIu/DLmvRz4C/fYJi9GtiI2u7Drdb9C3vPop9zTTNWE
5YV3H9oa6E8C/Pp63naT0Y3Nxl+8PJT/QF2BtGEqdaaswy96YL6Rodgdq5YImUIX
szYY1IO8cglMfqsUHHhquZ+Ur9Y0mpPWzUNjls7Nz+M6iEYEGBECAAYFAjsshLoA
CgkQMDmcPJ63uyk4oACfVLdOOcq0Pmp8g4u7nJWNP2kYhJ0An2q7IxBGPnWgXEcD
Q4Qy6O0V86q4
=y6jk
-----END PGP PUBLIC KEY BLOCK-----



Relevant Pages

  • SecurityFocus Microsoft Newsletter #142
    ... MICROSOFT VULNERABILITY SUMMARY ... Mollensoft Enceladus Server Suite Clear Text Password Storage... ... FakeBO Syslog Format String Vulnerability ... Methodus 3 Web Server File Disclosure Vulnerability ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter #139
    ... OFF any Windows 2000 Managed Dedicated Hosting Solution from Interland. ... Sun ONE Application Server Plaintext Password Vulnerability ... Batalla Naval Remote Buffer Overflow Vulnerability ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter #140
    ... Cafelog b2 Remote File Include Vulnerability ... Webfroot Shoutbox Remote Command Execution Vulnerability ... Pablo Software Solutions Baby POP3 Server Multiple Connection... ... Microsoft Windows XP Nested Directory Denial of Service... ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter # 150
    ... - automatically set positive security policies for real-time protection, ... MICROSOFT VULNERABILITY SUMMARY ... Meteor FTP Server USER Memory Corruption Vulnerability ... MDaemon SMTP Server Null Password Authentication Vulnerabili... ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter #152
    ... MICROSOFT VULNERABILITY SUMMARY ... Real Networks Helix Universal Server Remote Buffer Overflow ... ... NEW PRODUCTS FOR MICROSOFT PLATFORMS ...
    (Focus-Microsoft)