eg., /scripts/../command.com .. except in unicode it would be
something like /scripts/0xc00x8A0xc00x8A/command.com
this is the iis5 unicode directory traversal vulnerability documented
by Microsoft patch numbers MS00-057 and MS00-078 and
recently exploited to crack Microsoft's network.
Unicode vulnerabilities were raised in the July 2000 issue of
Crypto-Gram and followed up extensively in the August 2000
issue.
Stuart
------- Forwarded message follows -------
Date sent: Mon, 30 Oct 2000 11:53:32 -0600
Send reply to: H D Moore <[email protected]>
From: H D Moore <[email protected]>
Subject: Re: IIS Unicode Question
Originally to: Critical Watch Bugtraqqer <[email protected]>
To: [email protected]
You can still gain access to the system drive by requesting files
from a virtual directory that is mapped there:
/msadc
/iisadmpwd
/iisadmin
/scripts
/cgi-bin
/iisamples
etc...
Critical Watch Bugtraqqer wrote:
>
> Leon--
> Started looking at some of the .gov sites that he has recently
> broken into. Did a request for nonexistantfile.idq ... many of them
> have their websites on separate drives from the system drive. Did
> they move the websites after the fact/hack? Hard to tell. Gut check?
> Probably not. Therefore, the Unicode hole would not be effective
> and his claim still stands that he has a gnu hole.
------- End of forwarded message -------
--- [adminz]
* Origin: alerts, security, support (192.168.0.2)
generated by msg2page 0.06 on Jul 21, 2006 at 19:04:58
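Added example, not part of the original messages: a log check for the overlong UTF-8 sequences the thread describes, showing both the raw bytes and the character a non-validating decoder would turn them into. The log layout, the sample lines (including the `%c0%ae` one) and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Overlong UTF-8: a multi-byte sequence encoding a code point that a shorter
# sequence could express. A strict decoder must reject these forms.
OVERLONG = re.compile(
    rb"[\xc0\xc1][\x80-\xbf]"            # 2-byte form of U+0000..U+007F
    rb"|\xe0[\x80-\x9f][\x80-\xbf]"      # 3-byte form of U+0000..U+07FF
    rb"|\xf0[\x80-\x8f][\x80-\xbf]{2}"   # 4-byte form of U+0000..U+FFFF
)

def lenient_decode(seq: bytes) -> str:
    """Character a non-validating decoder would produce for the sequence."""
    cp = seq[0] & (0xFF >> (len(seq) + 1))   # payload bits of the lead byte
    for b in seq[1:]:
        cp = (cp << 6) | (b & 0x3F)          # 6 payload bits per continuation
    return chr(cp)

def scan_request(path: str):
    """Return (raw_hex, decoded_char) for each overlong sequence in a URL path."""
    raw = unquote_to_bytes(path)             # undo %XX escapes, keep raw bytes
    return [(m.group().hex(), lenient_decode(m.group()))
            for m in OVERLONG.finditer(raw)]

def is_strict_utf8(path: str) -> bool:
    """True only if the unescaped path is valid, shortest-form UTF-8."""
    try:
        unquote_to_bytes(path).decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False

SAMPLE_LOG = [  # constructed lines: date time client method path status
    "2000-10-30 11:53:32 10.0.0.5 GET /scripts/%c0%8a%c0%8a/command.com 404",
    "2000-10-30 11:54:01 10.0.0.5 GET /scripts/%c0%ae%c0%ae/command.com 404",
    "2000-10-30 11:54:10 10.0.0.7 GET /iissamples/default.htm 200",
    "2000-10-30 11:55:02 10.0.0.9 GET /docs/caf%c3%a9.htm 200",
]

def flag_lines(lines):
    """Map each flagged URL path to its overlong hits; clean lines are omitted."""
    hits = {}
    for line in lines:
        path = line.split()[4]
        found = scan_request(path)
        if found:
            hits[path] = found
    return hits

if __name__ == "__main__":
    for path, found in flag_lines(SAMPLE_LOG).items():
        print(path, found)
```

A path check that runs before decoding sees no `..` in the second sample line, while a lenient decoder running after the check produces one; rejecting any path for which `is_strict_utf8` is false closes that gap regardless of which drive the web root lives on.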