[Snort-devel] Unicode Directory Transversal

Martin Roesch roesch at ...48...
Thu Jan 18 02:13:31 EST 2001


I for one would like to see what you've got; the http_decode
preprocessor is close to needing a serious update to stay current with
all the hoops that HTTP can jump through.

   -Marty

Cobmail wrote:
> 
> You can just add them in spp_http_decode.c around line 246.  Although
> every letter of the alphabet has a c1 encoding.  It would be more sane
> to check both bytes for combinations of "/" and "." otherwise you'll
> get a million alerts every time someone uses unicode for a legitimate
> purpose.
> 
> What would be even more sane is if we just modified the packet before we
> send it off to the detection engine. Then we could search for unicode
> encoded CGI scans and stuff.  I think I'll code something up next week
> if no one else has any objections.
> 
> I mapped out some of the unicode stuff by hand, but it changes with a
> number of service packs, languages installed, etc.  Does anyone have
> a comprehensive mapping?
> 
> /*begin modifications*/
> /*spp_http_decode.c around line 246*/
> 
>     temp = (nibble(*(index+1)) << 4) | nibble(*(index+2));
>     if((
>         /*these put in by Jason Larsen*/
>         (temp == 0xd0) ||
>         (temp == 0x2f) ||
>         (temp == 0x5c) ||
>         /*end of changes*/
> 
>         (temp == 192) || /* c0 */
>         (temp == 193) || /* c1 */
>         (temp == 224) || /* e0 */
>         (temp == 240) || /* f0 */
>         (temp == 248) || /* f8 */
>         (temp == 252)) && /* fc */
>        check_iis_unicode)
>     {
> 
> /*end modifications*/
> 
> Jason Larsen
> larsjw at ...189...
> 
> > I have not looked at this part of snort, and so it would take me a
> > while to do this, but our guys here say that they could really use it.
> > If someone could get this problem fixed, then we at SecureWorks would
> > be appreciative.
> >
> > --
> > Todd Lewis                                       tlewis at ...120...
> >
> >   God grant me the courage not to give up what I think is right, even
> >   though I think it is hopeless.          - Admiral Chester W. Nimitz
> >
> > On 9 Jan 2001, Jason Larsen wrote:
> >
> > > Sorry if this has already been dealt with.  (I've been behind on the
> > > mailing list).
> > >
> > > The Unicode directory traversal detection needs some more values put
> > > in the table.  As I understand it, IIS without the patch applies first
> > > hex decoding, then permissions, and then unicode mapping.  The bug comes
> > > from the order.  If someone encodes ../../.. etc. into a URL using
> > > unicode characters, the request still passes permission, but can be
> > > pointed at an arbitrary file.
> > >
> > > In a ../../ style attack you can encode either the '.' or the '/'.  With
> > > IIS a "/" is equivalent to a "\".
> > >
> > > The following are the valid unicode translations for IIS 5.0 standard US
> > > English version.
> > >
> > > "."
> > > [encoded byte sequences garbled in the archived copy]
> > >
> > > "/" or "\"
> > > [encoded byte sequences garbled in the archived copy]
> > >
> > >
> > > Snort currently just checks for c0,c1,e0,f0,f8, and fc.  It is possible
> > > to scan a system for the Unicode Directory Traversal bug using, for
> > > instance, one of the 13532341604006f464x mappings for either the period
> > > or the slash and not generate a snort alert.
> > >
> > > I have tried all of the above combinations and they all work to exploit
> > > the vulnerability.
> > >
> > >
> > > Jason Larsen
> > > larsjw at ...189...
> > >
> > >
> > > _______________________________________________
> > > Snort-devel mailing list
> > > Snort-devel at lists.sourceforge.net
> > > http://lists.sourceforge.net/mailman/listinfo/snort-devel
> > >
> >
> >
> 

--
Martin Roesch
roesch at ...48...
http://www.snort.org
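As an added example (not code from the Snort tree or from any poster in this thread), here is the normalise-then-check approach Cobmail suggests, applied to the decode-order bug Jason describes: percent-decode the URI the way IIS does first, then flag only those multi-byte sequences that are overlong UTF-8 encodings of '.', '/' or '\'. It generalises Snort's lead-byte list (c0, c1, e0, f0, f8, fc) to the full old-style 6-byte UTF-8 scheme while ignoring legitimate multi-byte characters; function names and sample URIs are constructed for this example.

```c
#include <ctype.h>
#include <string.h>
static const char HEX[] = "0123456789abcdef";
/* Value of one hex digit, or -1 if c is not one. */
static int hexval(int c) {
    const char *p = c ? strchr(HEX, tolower(c)) : NULL;
    return p ? (int)(p - HEX) : -1;
}
/* %xx-decode uri into out (at most outlen bytes); returns the byte count.
 * This mirrors the hex decoding IIS performs before its permission check. */
static size_t pct_decode(const char *uri, unsigned char *out, size_t outlen) {
    size_t n = 0;
    for (size_t i = 0; uri[i] && n < outlen; i++) {
        int hi = uri[i] == '%' ? hexval((unsigned char)uri[i + 1]) : -1;
        int lo = hi >= 0 ? hexval((unsigned char)uri[i + 2]) : -1;
        if (lo >= 0) { out[n++] = (unsigned char)((hi << 4) | lo); i += 2; }
        else out[n++] = (unsigned char)uri[i];
    }
    return n;
}
/* Count overlong UTF-8 sequences (old 6-byte scheme, lead bytes c0-fd) that
 * decode to '.', '/' or '\' once the URI is %xx-decoded. A lead-byte-only check
 * fires on every legitimate multi-byte character; this does not. Assumes
 * well-formed continuation bytes (IIS's own mapper was more permissive). */
int count_overlong_traversal(const char *uri) {
    static const unsigned long minval[] = {0, 0, 0x80, 0x800, 0x10000, 0x200000, 0x4000000};
    unsigned char buf[1024];
    size_t len = pct_decode(uri, buf, sizeof buf);
    int hits = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char b = buf[i];
        int seqlen = (b & 0xe0) == 0xc0 ? 2 : (b & 0xf0) == 0xe0 ? 3 :
                     (b & 0xf8) == 0xf0 ? 4 : (b & 0xfc) == 0xf8 ? 5 :
                     (b & 0xfe) == 0xfc ? 6 : 0;
        if (seqlen == 0 || i + seqlen > len) continue;
        unsigned long cp = b & (0x7f >> seqlen); /* payload bits of the lead byte */
        int ok = 1;
        for (int k = 1; k < seqlen; k++) {
            if ((buf[i + k] & 0xc0) != 0x80) { ok = 0; break; }
            cp = (cp << 6) | (buf[i + k] & 0x3f);
        }
        if (ok && cp < minval[seqlen] && (cp == '.' || cp == '/' || cp == '\\')) {
            hits++;
            i += seqlen - 1; /* consume the whole sequence */
        }
    }
    return hits;
}
```

A plain "../" is left to the ordinary traversal rules; this function only reports the encoded forms that a lead-byte list would either miss or over-report.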
