[Snort-devel] Unicode Directory Transversal

Cobmail larsjaso at ...193...
Wed Jan 10 12:29:42 EST 2001


You can just add them in spp_http_decode.c around line 246.  Although 
every letter of the alphabet has a c1 encoding.  It would be more sane
to check both bytes for combinations of "/" and "." otherwise you'll 
get a million alerts every time someone uses unicode for a legitimate 
purpose.

What would be even more sane is if we just modified the packet before we
send it off to the detection engine. Then we could search for unicode
encoded CGI scans and stuff.  I think I'll code something up next week
if no one else has any objections.

I mapped out some of the unicode stuff by hand, but it changes with a 
number of service packs, languages installed, etc.  Does anyone have
a comprehensive mapping?

/*begin modifications*/
/*spp_http_decode.c around line 246*/

temp = (nibble(*(index+1)) << 4) | nibble(*(index+2));
if((
    /*these put in by Jason Larsen*/
    (temp == 0xd0) ||
    (temp == 0x2f) ||
    (temp == 0x5c) ||
    /*end of changes*/

    (temp == 192) || /* c0 */
    (temp == 193) || /* c1 */
    (temp == 224) || /* e0 */
    (temp == 240) || /* f0 */
    (temp == 248) || /* f8 */
    (temp == 252)) && /* fc */
   check_iis_unicode)
{

/*end modifications*/


Jason Larsen
larsjw at ...189...

> I have not looked at this part of snort, and so it would take me a
> while to do this, but our guys here say that they could really use it.
> If someone could get this problem fixed, then we at SecureWorks would
> be appreciative.
> 
> --
> Todd Lewis                                       tlewis at ...120...
> 
>   God grant me the courage not to give up what I think is right, even
>   though I think it is hopeless.          - Admiral Chester W. Nimitz
> 
> On 9 Jan 2001, Jason Larsen wrote:
> 
> > Sorry if this has already been dealt with.  (I've been behind on the
> > mailing list).
> > 
> > The Unicode directory transversal detection needs some more values put
> > in the table.  As I understand it, IIS without the patch applies first
> > hex decoding, then permissions, and then unicode mapping.  The bug comes
> > from the order.  If someone encodes ../../..  etc into a url using
> > unicode characters, the request still passes permission, but can be
> > pointed at an arbitrary file.
> > 
> > In a ../../ style attack you can encode either the '.' or the '/'.  With
> > IIS a "/" is equivalent to a "\".
> > 
> > The following are the valid unicode translations for IIS 5.0 standard US
> > english version.
> > 
> > "."
> > [encoded forms garbled in the archived copy]
> > 
> > "/" or "\"
> > [encoded forms garbled in the archived copy]
> > 
> > 
> > Snort currently just checks for c0,c1,e0,f0,f8, and fc.  It is possible
> > to scan a system for the Unicode Directory Transversal bug using, for
> > instance,
> > one of the 13532341604006f464x mappings for either the period or the slash and not
> > generate a snort alert.
> > 
> > I have tried all of the above combinations and they all work to exploit
> > the vulnerability.
> > 
> > 
> > Jason Larsen
> > larsjw at ...189...
> > 
> > 
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-devel
> > 
> 
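
The decode order described in the quoted report (hex decoding, then the permission check, then the Unicode mapping) and the two suggestions in the reply (look at both bytes for "/" and "." combinations; normalize the request before the detection engine sees it), worked through in one added example. This is illustrative C written for this page, not code from Snort or from IIS; the function names, the toy path-permission check and the sample URLs are constructed for the example. It goes beyond the c0/c1/e0/f0/f8/fc lead-byte list in spp_http_decode.c by decoding every overlong UTF-8 form completely, so that the whole sequence, not just its first byte, decides whether it spells a dot or a slash.

```c
/* Added example, not Snort or IIS code: decode %XX escapes and overlong UTF-8
 * as the thread describes, then show why a permission check that runs before
 * the Unicode mapping lets "../" through, and how an IDS can match on the
 * normalized path instead of on single lead bytes. */
#include <stddef.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                   /* fold A-F to a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Stage 1 ("hex decoding"): %XX -> raw byte; malformed escapes are kept. */
static size_t percent_decode(const char *in, char *out, size_t outlen) {
    size_t n = 0;
    while (*in && n + 1 < outlen) {
        if (in[0] == '%' && hexval(in[1]) >= 0 && hexval(in[2]) >= 0) {
            out[n++] = (char)((hexval(in[1]) << 4) | hexval(in[2]));
            in += 3;
        } else out[n++] = *in++;
    }
    out[n] = '\0';
    return n;
}

/* Stage 2 ("unicode mapping"): each UTF-8 sequence becomes one char. Overlong
 * forms (lead byte c0/c1/e0/f0/f8/fc plus continuation bytes) collapse to the
 * ASCII char they encode; anything non-ASCII or malformed becomes '?'. */
static size_t utf8_collapse(const char *in, size_t inlen, char *out, size_t outlen) {
    size_t i = 0, n = 0;
    while (i < inlen && n + 1 < outlen) {
        unsigned char b = (unsigned char)in[i];
        unsigned long cp; int k = 1, len = 0;
        while (len < 7 && (b & (0x80 >> len))) len++;        /* leading 1 bits */
        if (len == 0) { out[n++] = (char)b; i++; continue; }  /* plain ASCII */
        if (len == 1 || len > 6) { out[n++] = '?'; i++; continue; } /* bad lead */
        cp = b & (0x7f >> len);
        for (; k < len && i + k < inlen; k++) {
            if (((unsigned char)in[i + k] & 0xc0) != 0x80) break;
            cp = (cp << 6) | ((unsigned char)in[i + k] & 0x3f);
        }
        if (k < len) { out[n++] = '?'; i++; continue; }      /* truncated/invalid */
        out[n++] = cp < 0x80 ? (char)cp : '?';               /* overlong -> ASCII */
        i += (size_t)len;
    }
    out[n] = '\0';
    return n;
}

/* Walk the path segments; IIS treats '\' like '/', so both separate. Returns 1
 * if a ".." climbs above the root; *dotdot (if non-NULL) flags any ".." at all. */
static int escapes_root(const char *path, int *dotdot) {
    int depth = 0, escaped = 0;
    if (dotdot) *dotdot = 0;
    for (const char *p = path; *p;) {
        const char *seg = p;
        while (*p && *p != '/' && *p != '\\') p++;
        size_t len = (size_t)(p - seg);
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (dotdot) *dotdot = 1;
            if (--depth < 0) escaped = 1;
        } else if (len > 0 && !(len == 1 && seg[0] == '.')) {
            depth++;
        }
        if (*p) p++;
    }
    return escaped;
}

/* Both stages: the fully canonical path. */
static void canonicalize(const char *uri, char *out, size_t outlen) {
    char raw[512];
    size_t rawlen = percent_decode(uri, raw, sizeof raw);
    utf8_collapse(raw, rawlen, out, outlen);
}

/* Vulnerable order from the report: hex decode, check, then map. 1 = allowed. */
static int iis_allows_vulnerable(const char *uri) {
    char raw[512];
    percent_decode(uri, raw, sizeof raw);
    /* the check sees "..\xc0\xaf.." as one odd segment, not as "../.." */
    return !escapes_root(raw, NULL);
}

/* Fixed order: canonicalize completely, then check. 1 = allowed. */
static int iis_allows_fixed(const char *uri) {
    char canon[512];
    canonicalize(uri, canon, sizeof canon);
    return !escapes_root(canon, NULL);
}

/* IDS side: normalize first, then alert only on a real ".." segment. 1 = alert. */
static int detect_traversal(const char *uri) {
    char canon[512]; int dotdot;
    canonicalize(uri, canon, sizeof canon);
    escapes_root(canon, &dotdot);
    return dotdot;
}
```

With a constructed request such as "/x/..%c0%af../y", iis_allows_vulnerable returns 1 because the ".." is still the bytes c0 af when the permission check runs, while iis_allows_fixed and detect_traversal both see "/x/../../y". Non-ASCII file names decode to '?' rather than to a dot or slash, which is what keeps the normalized check from firing on legitimate Unicode in URLs, and a name like "a.." in "/a../b" is not a ".." segment, so it does not fire either.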