iis 5 %00 null weirdness
From: wirepair (wirepair_at_roguemail.net)
Date: 12/11/03
To: vuln-dev@securityfocus.com Date: Thu, 11 Dec 2003 11:15:38 -0800
lo all,
While playing with IIS I was messing around with the old school webhits vuln; I tried injecting some null characters to see how it would respond. To my surprise I all of a sudden got the web page I requested (not the source, just the page). But the images were all broken; this obviously piqued my interest, so I viewed the info of the page.
When requesting an asp page (or aspx), such as
http://iisserver/iisstart.asp%00/%00/%00/
you'll notice the image file now contains the path:
http://iisserver/iisstart.asp%00/%00/%00/pagerror.gif
Any link from the asp page requested will have the null bytes injected into its path.
It isn't just nulls either; you can basically (after the first one) inject any string:
http://iisserver/iisstart.asp%00/%2e%2e/
Shows the broken image as having the path:
http://iisserver/iisstart.asp%00/%2e%2e/pagerror.gif
Now I assume this isn't normal behaviour, but my questions are:
A. Why is this happening?
and
B. Is there any way we can take advantage of this?
I tried the obvious stuff like moving the pagerror.gif outside the webroot, and it still showed up
as a broken image, so I assume the %00 is causing the %2e%2e to not *actually* break the web root.
Any thoughts folks?
-wire
Everyone has a plan until they get hit.
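Added example, not part of wirepair's post. The first function covers the browser-side half of question A: a relative link such as pagerror.gif is resolved against the request URL, so it inherits whatever segments follow the %00. The remaining functions flag percent-decoded NUL bytes and %2e%2e segments in constructed IIS-style log lines; the log field layout, host names and timestamps are assumptions, and how IIS itself treats the %00 is not modelled here.

```python
"""Added example: why the broken image in the post inherits the injected
path, and how to flag such request paths in constructed IIS-style log lines."""
from urllib.parse import unquote_to_bytes, urljoin


def resolve_relative_link(request_url: str, href: str) -> str:
    """RFC 3986 resolution as a browser does it: %00 and %2e%2e are opaque to
    the browser, and the trailing '/' makes the injected segments the base
    directory that every relative <img> or <a> on the page is resolved against."""
    return urljoin(request_url, href)


def inspect_path(raw_path: str) -> dict:
    """Percent-decode a request path and report NUL and traversal segments.
    Decoding to bytes keeps %00 visible as b'\\x00'; comparing decoded
    segments with b'..' also catches %2e%2e, which a literal check misses."""
    segments = unquote_to_bytes(raw_path).split(b"/")
    nul_idx = next((i for i, s in enumerate(segments) if b"\x00" in s), None)
    dot_idx = next((i for i, s in enumerate(segments) if s == b".."), None)
    return {
        "has_nul": nul_idx is not None,
        "has_dotdot": dot_idx is not None,
        # '..' placed after an embedded NUL is the exact pattern in the post
        "dotdot_after_nul": None not in (nul_idx, dot_idx) and dot_idx > nul_idx,
    }


def flag_log_lines(lines):
    """Return (cs-uri-stem, findings) for every suspicious W3C-style log line.
    Assumed layout: date time c-ip cs-method cs-uri-stem sc-status, with the
    stem logged percent-encoded as sent (real IIS settings may differ)."""
    hits = []
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 6:  # directive or short line
            continue
        findings = inspect_path(fields[4])
        if findings["has_nul"] or findings["has_dotdot"]:
            hits.append((fields[4], findings))
    return hits


# Constructed sample log; the paths mirror the ones quoted in the post.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2003-12-11 19:15:38 192.0.2.10 GET /iisstart.asp 200",
    "2003-12-11 19:15:40 192.0.2.10 GET /iisstart.asp%00/%00/%00/ 200",
    "2003-12-11 19:15:41 192.0.2.10 GET /iisstart.asp%00/%00/%00/pagerror.gif 404",
    "2003-12-11 19:16:02 192.0.2.10 GET /iisstart.asp%00/%2e%2e/pagerror.gif 404",
]
```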