[Snort-devel] Unicode Directory Transversal

Todd Lewis tlewis at ...120...
Wed Jan 10 09:57:57 EST 2001


I have not looked at this part of snort, and so it would take me a
while to do this, but our guys here say that they could really use it.
If someone could get this problem fixed, then we at SecureWorks would
be appreciative.

--
Todd Lewis                                       tlewis at ...120...

  God grant me the courage not to give up what I think is right, even
  though I think it is hopeless.          - Admiral Chester W. Nimitz

On 9 Jan 2001, Jason Larsen wrote:

> Sorry if this has already been dealt with.  (I've been behind on the
> mailing list).
> 
> The Unicode directory transversal detection needs some more values put
> in the table.  As I understand it, IIS without the patch applies first
> hex decoding, then permissions, and then unicode mapping.  The bug comes
> from the order.  If someone encodes ../../..  etc into a url using
> unicode characters, the request still passes permission, but can be
> pointed at an arbitrary file.
> 
> In a ../../ style attack you can encode either the '.' or the '/'.  With
> IIS a "/" is equivalent to a "\".
> 
> The following are the valid unicode translations for IIS 5.0 standard US
> English version.
> 
> "."
> %c0%ae
> %d0%ae
> 
> "/" or "\"
> %2f%2f
> %2f%5c
> %5c%2f
> %5c%5c
> %c0%af
> %c1%9c
> %d0%af
> %d1%9c
> 
> 
> Snort currently just checks for c0,c1,e0,f0,f8, and fc.  It is possible
> to scan a system for the Unicode Directory Transversal bug using, for
> instance, one of the %d0%xx mappings for either the period or the slash
> and not generate a snort alert.
> 
> I have tried all of the above combinations and they all work to exploit
> the vulnerability.
> 
> 
> Jason Larsen
> larsjw at ...189...
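The detection gap described in the thread, as an added example that is not from the original posts or from Snort's source: a C check that runs the lead-byte-only test and the listed two-byte table side by side over constructed request paths. The names `classify_uri`, `HIT_LEAD_BYTE` and `HIT_TABLE` are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>

#define HIT_LEAD_BYTE 1 /* fires the lead-byte-only check the post describes */
#define HIT_TABLE     2 /* matches a two-byte escape listed in the post */

/* Escapes listed in the post for IIS 5.0 (US English), lower-cased. */
static const char *const PAIRS[] = {
    "%c0%ae", "%d0%ae",                     /* "." */
    "%2f%2f", "%2f%5c", "%5c%2f", "%5c%5c", /* "/" or "\" */
    "%c0%af", "%c1%9c", "%d0%af", "%d1%9c",
};
/* Lead bytes the post says Snort checked at the time. */
static const char *const LEADS[] = { "%c0", "%c1", "%e0", "%f0", "%f8", "%fc" };

/* Case-insensitive prefix match; pat must be lower-case. */
static int starts_with(const char *s, const char *pat)
{
    for (; *pat; s++, pat++)
        if (tolower((unsigned char)*s) != *pat)
            return 0;
    return 1;
}

/* Scan a raw (undecoded) URI; return a bitmask of which checks fire. */
int classify_uri(const char *uri)
{
    int hits = 0;
    for (; *uri; uri++) {
        if (*uri != '%')
            continue;
        for (size_t i = 0; i < sizeof LEADS / sizeof LEADS[0]; i++)
            if (starts_with(uri, LEADS[i]))
                hits |= HIT_LEAD_BYTE;
        for (size_t i = 0; i < sizeof PAIRS / sizeof PAIRS[0]; i++)
            if (starts_with(uri, PAIRS[i]))
                hits |= HIT_TABLE;
    }
    return hits;
}

int main(void)
{
    /* Constructed sample request paths, not captured traffic. */
    const char *s[] = { "/scripts/..%c0%af../x", "/scripts/..%D0%AF../x", "/index.html" };
    for (int i = 0; i < 3; i++)
        printf("%-24s mask=%d\n", s[i], classify_uri(s[i]));
    return 0;
}
```

The `%2f`/`%5c` pairs also appear in benign requests, such as a URL passed as a query parameter, so a production rule would scope those matches to the path portion of the request.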