RE: Unicode Attack

From: James C Slora Jr (Jim.Slora@phra.com)
Date: 11/15/02


From: "James C Slora Jr" <Jim.Slora@phra.com>
To: "Information Security" <InformationSecurity@federatedinv.com>, <incidents@securityfocus.com>
Date: Thu, 14 Nov 2002 18:19:59 -0500

Looking for some enlightenment. Comments and question inline.

Information Security wrote Wednesday, November 13, 2002 1:27 PM
> > 2002-11-12 13:00:37 210.201.100.253 - x.x.x.17 80 GET
> > /scripts/..%5c../..%5c../..%5cwinnt/system32/cmd.exe /c+dir 200 1849 321
> > 31 HTTP/1.1 63.241.137.233
> > Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) - -

> It's been my experience that the actual URL probably sent to your server
> was /scripts/..%255c../..%255c../..%255cwinnt/system32/cmd.exe?/c+dir. If you
> type that into your browser, you'll probably have success.

This fits my experience exactly. The attack performed from a browser or
script uses %255c.. but Snort always logs it as %5c.

> You would see this entry on any proxy device in front of the web server.
> IIS and Snort (IMHO) appropriately run a single URL decode on the
> request, which pretty much follows URI RFC specs, so that's not really a
> bug.

Are you saying that Snort has performed one level of Unicode translation
before it creates its hex-level packet dumps? This seems to fit the output,
but it contradicts the expectation that Snort is displaying exactly what was
on the wire in hex format.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
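As an added illustration (not code from the thread or from Snort), the following Python shows the decoding layers the posters are discussing: the %255c sent on the wire becomes %5c after the single decode a proxy or Snort applies, and only a second pass yields a backslash, so a log filter that wants to see what a double-decoding server would see must normalise fully before testing for traversal. The two path constants are copied from the thread; the function names are my own.

```python
from urllib.parse import unquote

# Request path the poster believes was actually sent on the wire (from the thread).
WIRE_PATH = "/scripts/..%255c../..%255c../..%255cwinnt/system32/cmd.exe"
# The same request as it appeared in the Snort/IIS log quoted in the thread.
LOGGED_PATH = "/scripts/..%5c../..%5c../..%5cwinnt/system32/cmd.exe"


def decode_once(path):
    """One URL-decode pass, as a proxy or a single-decoding IDS applies."""
    return unquote(path)


def decode_fully(path, max_rounds=4):
    """Repeat URL-decoding until the text stops changing (bounded).

    Returns (decoded_path, number_of_passes_that_changed_something).
    """
    rounds = 0
    while rounds < max_rounds:
        nxt = unquote(path)
        if nxt == path:
            break
        path, rounds = nxt, rounds + 1
    return path, rounds


def has_traversal(path):
    """True if the fully decoded path climbs above its own root.

    Backslashes are treated as separators, since IIS accepts either.
    """
    decoded, _ = decode_fully(path)
    depth = 0
    for seg in decoded.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


if __name__ == "__main__":
    print("after one decode :", decode_once(WIRE_PATH))      # what Snort logged
    print("after full decode:", decode_fully(WIRE_PATH))     # what IIS resolved
    print("traversal flagged:", has_traversal(WIRE_PATH))
```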
