[Snort-devel] Unicode Directory Transversal
tlewis at ...120...
Wed Jan 10 09:57:57 EST 2001
I have not looked at this part of snort, and so it would take me a
while to do this, but our guys here say that they could really use it.
If someone could get this problem fixed, then we at SecureWorks would
Todd Lewis tlewis at ...120...
God grant me the courage not to give up what I think is right, even
though I think it is hopeless. - Admiral Chester W. Nimitz
On 9 Jan 2001, Jason Larsen wrote:
> Sorry if this has already been dealt with. (I've been behind on the
> mailing list).
> The Unicode directory transversal detection needs some more values put
> in the table. As I understand it, IIS without the patch applies first
> hex decoding, then permissions, and then unicode mapping. The bug comes
> from the order. If someone encodes ../../.. etc into a url using
> unicode characters, the request still passes permission, but can be
> pointed at an arbitrary file.
> In a ../../ style attack you can encode either the '.' or the '/'. With
> IIS a "/" is equivalent to a "\".
> The following are the valid unicode translations for IIS 5.0 standard US
> english version.
> "/" or "\"
> Snort currently just checks for c0,c1,e0,f0,f8, and fc. It is possible
> to scan a system for the Unicode Directory Transversal bug using, for
> one of the %d0%xx mappings for either the period or the slash and not
> generate a snort alert.
> I have tried all of the above combinations and they all work to exploit
> the vulnerability.
> Jason Larsen
> larsjw at ...189...
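An added example, not part of the original thread and not Snort's code: a simplified model of the detection gap described above, comparing a fixed lead-byte table (c0, c1, e0, f0, f8, fc) with a structural check that flags any multi-byte sequence after percent-decoding. The function names, the sample URI and its second byte are assumptions made for illustration; the structural check will also fire on legitimately non-ASCII URLs.

```c
#include <stdio.h>
#include <string.h>

/* Lead bytes the post says Snort checked at the time. */
static const unsigned char FIXED_LEADS[] = {0xc0, 0xc1, 0xe0, 0xf0, 0xf8, 0xfc};

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                              /* fold A-F to a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* One pass of %XX decoding; returns the number of bytes written to out. */
static size_t pct_decode(const char *uri, unsigned char *out, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; uri[i] && n < cap; i++) {
        int hi, lo;
        if (uri[i] == '%' && (hi = hexval((unsigned char)uri[i + 1])) >= 0 &&
            (lo = hexval((unsigned char)uri[i + 2])) >= 0) {
            out[n++] = (unsigned char)(hi << 4 | lo);
            i += 2;
        } else {
            out[n++] = (unsigned char)uri[i];
        }
    }
    return n;
}

/* Simplified model of a fixed table: alert only on the listed byte values. */
int fixed_list_alert(const char *uri) {
    unsigned char buf[512];
    size_t n = pct_decode(uri, buf, sizeof buf);
    for (size_t i = 0; i < n; i++)
        if (memchr(FIXED_LEADS, buf[i], sizeof FIXED_LEADS)) return 1;
    return 0;
}

/* Structural check: any lead byte >= 0xC0 followed by a continuation byte. */
int any_multibyte_alert(const char *uri) {
    unsigned char buf[512];
    size_t n = pct_decode(uri, buf, sizeof buf);
    for (size_t i = 0; i + 1 < n; i++)
        if (buf[i] >= 0xc0 && (buf[i + 1] & 0xc0) == 0x80) return 1;
    return 0;
}

int main(void) {
    const char *s = "/a/..%d0%90../b";   /* constructed; second byte is arbitrary */
    printf("fixed=%d structural=%d\n", fixed_list_alert(s), any_multibyte_alert(s));
    return 0;
}
```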