[Snort-devel] Unicode Directory Transversal

Jason Larsen larsjw at ...189...
Tue Jan 9 17:39:40 EST 2001


Sorry if this has already been dealt with.  (I've been behind on the
mailing list).

The Unicode directory transversal detection needs some more values put
in the table.  As I understand it, IIS without the patch applies first
hex decoding, then permissions, and then Unicode mapping.  The bug comes
from the order.  If someone encodes ../../.. etc. into a URL using
Unicode characters, the request still passes permission, but can be
pointed at an arbitrary file.

In a ../../ style attack you can encode either the '.' or the '/'.  With
IIS a "/" is equivalent to a "\".

The following are the valid Unicode translations for the IIS 5.0 standard
US English version.

"."
%c0%ae
%d0%ae

"/" or "\"
%2f%2f
%2f%5c
%5c%2f
%5c%5c
%c0%af
%c1%9c
%d0%af
%d1%9c


Snort currently just checks for c0, c1, e0, f0, f8, and fc.  It is possible
to scan a system for the Unicode Directory Transversal bug using, for
instance, one of the %d0%xx mappings for either the period or the slash
and not generate a Snort alert.

I have tried all of the above combinations and they all work to exploit
the vulnerability.


Jason Larsen
larsjw at ...189...
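
The detection gap described in the message above, as an added example that is not part of the original post and is not Snort's own code: a lead-byte-only check over the six bytes the post names, beside a check against the encoded pairs the post lists. The function names and the sample URI are constructed for illustration.

```c
#include <stdio.h>

/* Byte pairs from the post's list (IIS 5.0, US English), after %XX decoding. */
static const unsigned char listed_pairs[][2] = {
    {0xc0, 0xae}, {0xd0, 0xae},                              /* "." */
    {0x2f, 0x2f}, {0x2f, 0x5c}, {0x5c, 0x2f}, {0x5c, 0x5c},  /* "/" or "\" */
    {0xc0, 0xaf}, {0xc1, 0x9c}, {0xd0, 0xaf}, {0xd1, 0x9c},
};
/* Lead bytes the post says Snort checked at the time. */
static const unsigned char lead_bytes[] = {0xc0, 0xc1, 0xe0, 0xf0, 0xf8, 0xfc};

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;  /* fold A-F onto a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode one "%XX" escape at s: 0..255, or -1 if s does not start an escape. */
static int pct_byte(const char *s) {
    int hi, lo;
    if (s[0] != '%' || (hi = hexval(s[1])) < 0 || (lo = hexval(s[2])) < 0) return -1;
    return hi * 16 + lo;
}

/* Lead-byte-only check: 1 if any escape decodes to a byte in lead_bytes. */
int lead_byte_check(const char *uri) {
    for (; *uri; uri++) {
        int b = pct_byte(uri);
        for (size_t i = 0; b >= 0 && i < sizeof lead_bytes; i++)
            if (b == lead_bytes[i]) return 1;
    }
    return 0;
}

/* Pair check: 1 if two adjacent escapes decode to a pair from the post's list. */
int listed_pair_check(const char *uri) {
    for (; *uri; uri++) {
        int a = pct_byte(uri);
        int b = a >= 0 ? pct_byte(uri + 3) : -1;
        for (size_t i = 0; b >= 0 && i < sizeof listed_pairs / 2; i++)
            if (a == listed_pairs[i][0] && b == listed_pairs[i][1]) return 1;
    }
    return 0;
}

int main(void) {
    const char *uri = "/a/..%d0%af../b";  /* constructed sample URI */
    printf("%s lead=%d pair=%d\n", uri, lead_byte_check(uri), listed_pair_check(uri));
    return 0;
}
```

The four single-byte pairs (%2f%2f and its variants) are included because the post lists them; they also match any URI that carries two adjacent encoded slashes.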




