Microsoft IIS - Possible authentication flaw?
From: root@synopse.homeip.net
Date: 05/27/02
- Previous message: Peter Boutzev: "Re: DirectX 9 SDK, Microsoft have got balls...."
- Next in thread: ZeroBreak: "RE: Microsoft IIS - Possible authentication flaw?"
- Reply: ZeroBreak: "RE: Microsoft IIS - Possible authentication flaw?"
Date: 27 May 2002 20:37:03 -0000
From: <root@synopse.homeip.net>
To: vuln-dev@securityfocus.com
Greetings,
I was playing around with Microsoft IIS 5.1 when I noticed
something very weird. If you go to a directory which has
basic authentication enabled, and enter the string: %1p as
the login, it will put this into the event logs under the
system subsection:
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 100
Date: 14/05/2002
Time: 2:21:35 PM
User: N/A
Computer: WINDOWS
Description:
The server was unable to logon the Windows NT account
'%
1ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
pppppppppppppppppppppppppppppppppppppppp' due to the
following error: %2 The data is the error code.
For additional information specific to this message please
visit the Microsoft Online Support site located at:
http://www.microsoft.com/contentredirect.asp.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00 ....
(Note: The p after %1 can be any character it seems. I just used %1p as my example.)
---
If you enter the string: %2 as the login, it will also put this into the event logs under the system subsection:
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 100
Date: 14/05/2002
Time: 2:24:20 PM
User: N/A
Computer: WINDOWS
Description:
The server was unable to logon the Windows NT account 'Logon failure: unknown user name or bad password. ' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00 ....
--
If you repeat %2, or %1p it will produce longer entries in the event logs, depending on how many times you wish to repeat it. I've been playing with this for a while now, and it only appears that %2 and %1 (followed by a character) will cause these weird entries in the event logs. I tested this on Windows XP Pro with all updates and patches, running IIS 5.1.
Georgi Guninski confirmed that this format string "flaw" is present in Windows 2000 with IIS 5.0, as well as the Microsoft FTP service.
I've given up on playing around with this "flaw", so I'm posting it to vuln-dev to let other people have a chance and see what else can be found.
Cheers, 0x00
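Added example (not part of the post, and not Microsoft's code): a small Python model of the behaviour the two log entries show. A formatter that re-scans its output after every insert substitution (the weak pattern) reproduces both entries, a '%2' login pulling the error text into the account field and '%1p' growing into a run of p's until a buffer cap, while a single-pass formatter copies the login verbatim; a helper then flags event 100 descriptions whose account field carries that pattern. The message template, the cap and all function names are assumptions.

```python
import re

# Constructed stand-ins: the event 100 message template as quoted in the
# post, and a cap standing in for the finite event-log message buffer.
TEMPLATE = ("The server was unable to logon the Windows NT account '%1' "
            "due to the following error: %2")
MAX_LEN = 300
PLACEHOLDER = re.compile(r"%(\d)")

def expand_rescanning(template, inserts, max_len=MAX_LEN):
    """Weak pattern: after every substitution the whole output is scanned
    again, so a '%n' carried in by an insert (here the login name) is treated
    as a fresh placeholder. '%2' pulls the error text into the account field;
    '%1p' re-inserts itself and grows by one 'p' per pass until the cap."""
    out = template
    while len(out) < max_len:
        m = PLACEHOLDER.search(out)
        if m is None:
            break
        idx = int(m.group(1)) - 1
        repl = inserts[idx] if 0 <= idx < len(inserts) else ""
        out = out[:m.start()] + repl + out[m.end():]
    return out

def expand_single_pass(template, inserts, max_len=MAX_LEN):
    """Safe pattern: one left-to-right pass over the template only; insert
    text is copied verbatim and never re-scanned for placeholders."""
    def sub(m):
        idx = int(m.group(1)) - 1
        return inserts[idx] if 0 <= idx < len(inserts) else m.group(0)
    return PLACEHOLDER.sub(sub, template)[:max_len]

ACCOUNT_RE = re.compile(r"account '(.*?)' due to the following error")

def suspicious_insert_in_account(message):
    """Flag a W3SVC event 100 description whose account field carries an
    unexpanded insert ('%' plus a digit) or the logon error text, the two
    shapes seen in the post's log entries."""
    m = ACCOUNT_RE.search(message)
    if m is None:
        return False
    account = m.group(1)
    return bool(PLACEHOLDER.search(account)) or "Logon failure" in account

if __name__ == "__main__":
    err = "Logon failure: unknown user name or bad password."  # constructed
    for login in ("%2", "%1p"):
        print(expand_rescanning(TEMPLATE, [login, err]))
```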