Re: Weird URL's that work, can you say IPvOctal?

From: Robert C. Wessel (rwessel@cfsoft.com)
Date: 11/22/01


Message-Id: <3.0.5.32.20011121183557.0096f1c0@cfs-dns-2.cfsoft.com>
Date: Wed, 21 Nov 2001 18:35:57 -0600
To: <staff@joust.net>, <focus-ms@securityfocus.com>
From: "Robert C. Wessel" <rwessel@cfsoft.com>
Subject: Re: Weird URL's that work, can you say IPvOctal?

Yep. It'll do that. You can even use hex, and use the trailing number
truncation trick, and mix and match to further obfuscate things. For example:

        http://0321.134.0x241c/

        http://0xd186241c/

do exactly the same thing.

You'll find that ping, tracert, and whatnot do the same thing. Why?
'Cause the inet_addr() function, which everyone uses to convert the string
to an address, was written by C programmers... <g>

There's a pretty similar threat as is posed by escaped characters in URLs
or other strings sent to HTTP servers or browsers. Mainly that software
that should be understanding the string doesn't, because it looks "funny".
For example, your filtering software might be fooled by the syntax.
Frankly though, other than filtering software, I don't see much threat.

-Robert

At 02:28 PM 11/21/01 -0500, Kristopher Labe wrote:
>Hello SecurityNuts, here's a fun one -
>
>I just ran across something today that freaked me out. I work for an ISP as
>a Network Admin, and I handle some customer service. I get weird emails all
>the time but this one was just too much. I don't have the original e-mail
>anymore but I do have the scribbles I made trying to figure it out, see what
>you think, and tell me WHY this works.
>
>The link is just some porn spam, so view it if you choose.
>
>
>>http://0321.0206.044.034/
>
>
>That's the URL the e-mail had in it and just out of curiosity, I clicked on
>it and to my surprise, it sent me to a real web page. I don't know if the
>page is down now or what, but you can try. This is what I came up with after
>racking my brains for about 2 hours..
>
>It's in octal. I guess that's what the leading 0 on each octet means:
>
> 8^2=64 8^1=8 8^0=1
>321 = 3x64 + 2x8 + 1x1 = 209
>206 = 2x64 + 0x8 + 6x1 = 134
>44 = 0x64 + 4x8 + 4x1 = 36
>34 = 0x64 + 3x8 + 4x1 = 28
>
>Real address is 209.134.36.28
>
>Why does your browser understand an Octal formatted IP address, and could
>this pose any serious threat to your browser, or anything on your system
>for that matter?
>
>// Kristopher Labe /
>/ WebDev / Network Administration /
>/ Joust.net / PaISP //
>
>
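
Added example, not part of the original thread: filtering software can avoid being fooled by these forms by canonicalizing the host string with the same rules inet_addr() applies before matching it. The function name canon_ipv4 is hypothetical, and the parser follows the classic BSD inet_addr()/inet_aton() rules rather than any particular product's code.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: parse 1-4 dot-separated parts, each decimal, octal
 * (leading 0) or hex (leading 0x); the last part fills all remaining
 * low-order bytes. Returns 0 and writes the dotted quad, else -1. */
int canon_ipv4(const char *host, char *out, size_t outlen)
{
    unsigned long parts[4];
    int n = 0;
    const char *p = host;

    for (;;) {
        char *end;
        if (n == 4 || !isdigit((unsigned char)*p))
            return -1;                  /* too many parts, sign, space, name */
        errno = 0;
        parts[n] = strtoul(p, &end, 0); /* base 0 accepts 0x.. and 0.. */
        if (errno != 0 || parts[n] > 0xffffffffUL)
            return -1;
        n++;
        if (*end == '\0') break;
        if (*end != '.') return -1;     /* e.g. "08", "0x", "1e100.net" */
        p = end + 1;
    }
    uint32_t addr = 0;
    for (int i = 0; i < n - 1; i++) {   /* leading parts: one byte each */
        if (parts[i] > 0xff) return -1;
        addr |= (uint32_t)parts[i] << (24 - 8 * i);
    }
    int bits = 8 * (5 - n);             /* width left for the last part */
    if (bits < 32 && (parts[n - 1] >> bits) != 0) return -1;
    addr |= (uint32_t)parts[n - 1];
    int w = snprintf(out, outlen, "%u.%u.%u.%u", (unsigned)(addr >> 24),
                     (unsigned)((addr >> 16) & 0xff),
                     (unsigned)((addr >> 8) & 0xff), (unsigned)(addr & 0xff));
    return (w > 0 && (size_t)w < outlen) ? 0 : -1;
}

int main(void)
{   /* host strings taken from the URLs quoted in this thread */
    const char *s[] = { "0321.0206.044.034", "0321.134.0x241c", "0xd186241c" };
    char buf[16];
    for (int i = 0; i < 3; i++)
        printf("%-18s -> %s\n", s[i], canon_ipv4(s[i], buf, sizeof buf) ? "(not an IPv4 literal)" : buf);
    return 0;
}
```

A filter would then compare the canonical string (or the 32-bit value) against its block list instead of the raw text from the URL.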


