The NSFOCUS security team found that IIS 4.0 and IIS 5.0 contain a vulnerability in their implementation of Unicode character decoding.
A remote user can use it to execute arbitrary commands through IIS. When IIS opens a file whose name contains Unicode
characters, it decodes them; if the user supplies certain specially crafted encodings, IIS can be made to open or execute
files outside the web root directory.
In the Chinese versions of IIS 5.0/4.0, when the file name in a received URL request contains a special encoding such as "%C1%HH"
or "%C0%HH", IIS first decodes it to the byte pair 0xc1 0xhh and then tries to open that file. Windows
treats 0xc1 0xhh as a possible Unicode encoding and decodes it a second time. If 0x00 <= %HH < 0x40,
the decoding follows this format:
%C1%HH -> (0xc1 - 0xc0) * 0x40 + 0xhh
%C0%HH -> (0xc0 - 0xc0) * 0x40 + 0xhh
Therefore, using this encoding, we can construct many characters, for example:
%C1%1C -> (0xc1 - 0xc0) * 0x40 + 0x1c = 0x5c = '\'
%C0%2F -> (0xc0 - 0xc0) * 0x40 + 0x2f = 0x2f = '/'
An attacker can use this vulnerability to bypass the path check of IIS and execute or open arbitrary files.
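The two-stage decoding above can be reproduced and turned into a log check. The following is an added example, not code from the advisory or from NSFOCUS: it implements the advisory's formula for %C0%HH / %C1%HH pairs, decodes request paths the way the advisory says IIS ends up doing, and scans constructed IIS-style log lines for overlong-encoded separators and for '..' components that only appear after decoding. It goes one step beyond the advisory by also accepting trail bytes in the standard continuation range 0x80..0xBF (masked with 0x3F), which the advisory does not mention; the log lines and file names are constructed, not real traffic.

```python
import re

# Matches the %C0%HH / %C1%HH pairs the advisory describes.
OVERLONG_RE = re.compile(r"%(C[01])%([0-9A-Fa-f]{2})", re.IGNORECASE)
PLAIN_ESCAPE_RE = re.compile(r"%([0-9A-Fa-f]{2})")


def decode_overlong(lead: int, trail: int):
    """Second-stage decoding of a %C0%HH / %C1%HH pair.

    The advisory gives (lead - 0xC0) * 0x40 + 0xHH for 0x00 <= HH < 0x40.
    Masking the trail byte with 0x3F gives the same value there and also
    covers the continuation-byte range 0x80..0xBF (an assumption that goes
    beyond the advisory text). Returns None for any other pair."""
    if lead not in (0xC0, 0xC1):
        return None
    if not (0x00 <= trail < 0x40 or 0x80 <= trail <= 0xBF):
        return None
    return (lead - 0xC0) * 0x40 + (trail & 0x3F)


def decode_request_path(raw_path: str) -> str:
    """Decode a request path as the advisory describes: overlong pairs first,
    then ordinary %XX escapes."""
    def overlong_repl(m):
        value = decode_overlong(int(m.group(1), 16), int(m.group(2), 16))
        return chr(value) if value is not None else m.group(0)

    decoded = OVERLONG_RE.sub(overlong_repl, raw_path)
    return PLAIN_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), decoded)


def analyse_request(raw_path: str) -> dict:
    """Flag a path that carries an overlong-encoded separator, or that
    contains a '..' component once fully decoded."""
    overlong_separators = []
    for m in OVERLONG_RE.finditer(raw_path):
        value = decode_overlong(int(m.group(1), 16), int(m.group(2), 16))
        if value in (0x2F, 0x5C):  # '/' or '\'
            overlong_separators.append(m.group(0))
    decoded = decode_request_path(raw_path)
    components = decoded.replace("\\", "/").split("/")
    return {
        "raw": raw_path,
        "decoded": decoded,
        "overlong_separators": overlong_separators,
        "traversal": ".." in components,
    }


def is_suspicious(raw_path: str) -> bool:
    result = analyse_request(raw_path)
    return bool(result["overlong_separators"]) or result["traversal"]


# Constructed sample lines in the IIS W3C extended log layout
# (date time c-ip cs-method cs-uri-stem sc-status); not real traffic.
SAMPLE_LOG = """\
2000-10-17 09:12:01 192.0.2.10 GET /scripts/index.asp 200
2000-10-17 09:12:05 192.0.2.11 GET /docs/my%20file.htm 200
2000-10-17 09:12:09 192.0.2.12 GET /scripts/..%c1%1c../example.txt 200
2000-10-17 09:12:13 192.0.2.13 GET /scripts/..%c0%2f../example.txt 200
2000-10-17 09:12:17 192.0.2.14 GET /scripts/..%c0%af../example.txt 200
"""


def flag_log_lines(log_text: str) -> list:
    """Return (client ip, raw path, decoded path) for each line that looks
    like an overlong-encoding traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        client_ip, raw_path = fields[2], fields[4]
        if is_suspicious(raw_path):
            hits.append((client_ip, raw_path, decode_request_path(raw_path)))
    return hits


if __name__ == "__main__":
    print("%C1%1C ->", hex(decode_overlong(0xC1, 0x1C)))  # 0x5c, i.e. '\'
    print("%C0%2F ->", hex(decode_overlong(0xC0, 0x2F)))  # 0x2f, i.e. '/'
    for ip, raw, decoded in flag_log_lines(SAMPLE_LOG):
        print(ip, raw, "->", decoded)
```

The check deliberately treats any overlong-encoded '/' or '\' as suspicious on its own, before looking at '..': a browser never needs a two-byte encoding for a separator, so its mere presence in a request is a reliable signal even when the rest of the path looks harmless. Run on the constructed log, the last three lines are flagged and the first two are not.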
(1) If the system contains an executable directory, arbitrary system commands may be executed. The following URL may
list the contents of the current directory:
http://www.victim.com/scripts/..