On Wed, 19 Sep 2001, Dave Ahmad wrote:

| This seems to be just another way to exploit the double decode
| vulnerability (Bugtraq ID 2708). There is a possibility that it may be a
| new issue due to the use of '%u' method of encoding. It does not look
| that way to us.
|
| <snip>
|
| Has anyone managed to exploit a patched system?

Unfortunately, I have.

I noticed a few weeks back that our network at work was periodically getting extremely slow, and after a bit of investigation utilizing tcpdump, it turned out our NT4 webserver (running IIS4 with all up-to-date security patches) was being used to pingflood various hosts with the exact exploit mentioned in the advisory which started this thread. The IIS logs showed what translated into the following:

http://target/scripts/..%u005c..%u005cwinnt/system32/cmd.exe?/c+ping+ ... etc

Baffled, I double-checked to make sure the decode vuln. patch had been installed, and it was indeed there. After trying to reapply the patch, I figured IIS just wasn't taking the patch and did a stopgap fix using some file renaming and guest access permission-removal tricks. The machine in question is being upgraded to Win2k server very soon anyway, so the stopgap was good enough for the past few weeks.

I suppose my assumption that there was a problem with our IIS4 installation (causing the hotfix not to work) may have been incorrect after reading this advisory. Your mileage may vary :)

--
Paul McGovern
http://isles.krad.org
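The post above found the intrusion by reading IIS logs after the fact. As an added example (not code from the original post or from any of the people in this thread), here is a small log-triage script that does that reading automatically: it decodes IIS-style `%uXXXX` escapes as well as ordinary `%XX` escapes, repeats the decoding until the string stops changing (which is what a "double decode" server effectively does), and then flags any request that traverses out of the virtual directory to reach `cmd.exe`. The log format and the sample lines are constructed for this example; real IIS W3C logs have more fields, so adjust the column indices to match your own log header.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not taken from the original post). Fields:
# date time client-ip method uri-stem uri-query status. The second line uses
# the %u005c encoding the post describes; the third uses the classic %255c
# double-encoded backslash that the older advisory (Bugtraq ID 2708) covers.
SAMPLE_LOG = """\
2001-09-19 10:12:01 10.0.0.7 GET /default.asp - 200
2001-09-19 10:12:03 10.0.0.9 GET /scripts/..%u005c..%u005cwinnt/system32/cmd.exe /c+ping+10.0.0.1 200
2001-09-19 10:12:05 10.0.0.9 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 200
2001-09-19 10:12:07 10.0.0.12 GET /images/logo.gif - 200
"""

# IIS-specific %uXXXX escape: four hex digits naming a UTF-16 code unit.
_U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_once(s: str) -> str:
    """One decoding pass: %uXXXX escapes first, then ordinary %XX escapes."""
    s = _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Decode repeatedly until the string is stable.

    A patched server is supposed to decode exactly once; decoding until
    stable shows what the request becomes on a server that decodes more than
    once, which is the condition the traversal relies on. max_rounds bounds
    the work on pathological input.
    """
    for _ in range(max_rounds):
        decoded = decode_once(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal_to_cmd(uri_stem: str) -> bool:
    """True if the fully decoded path climbs out of the directory and
    names cmd.exe. Backslashes are normalised to slashes so both
    '..\\' (from %u005c / %5c) and '../' are caught."""
    path = fully_decode(uri_stem).lower().replace("\\", "/")
    return "../" in path and "cmd.exe" in path


def scan_log(text: str):
    """Return (client-ip, decoded uri-stem, uri-query) for each flagged line."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue  # blank or malformed line; skip rather than crash
        _date, _time, client_ip, _method, uri_stem, uri_query, _status = parts[:7]
        if is_traversal_to_cmd(uri_stem):
            hits.append((client_ip, fully_decode(uri_stem), uri_query))
    return hits


if __name__ == "__main__":
    for client_ip, decoded_path, query in scan_log(SAMPLE_LOG):
        print(f"{client_ip}  {decoded_path}  {query}")
```

Matching on the decoded form rather than on the literal `%u005c` string is the point: an IDS or log filter that only looks for `%5c` or `..\` would have missed the `%u`-encoded variant the post describes, and the next encoding variant as well. Run it over a real log by reading the file into `scan_log` after fixing the field order to match the log's `#Fields:` header.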