| Monday May 30th 2016

Windows NT UNICODE Vulnerability Analysis

It can be argued that the main purpose of computer systems is fast and reliable communication from one system to another. How is that accomplished? What allows a computer running an English operating system to communicate with one running a Russian operating system? The two use different human-readable alphabets and different character representations for numbers. The answer is Unicode.

Unicode is a platform-independent standard, adopted by many major computer vendors, for representing characters. In practice this means that the English letter “A” can be mapped to its Russian, Japanese, French, etc. equivalent. A code is used to represent each alphanumeric character; Unicode-compliant software reads this code and converts it to the proper character.


Internet Information Server 4.0/5.0 can interpret UTF-8 (Unicode Transformation Format, 8-bit encoding form) into the character set being requested. UTF-8 encodes a Unicode scalar value (the Unicode representation of a character) as a sequence of one to four bytes.

A vulnerability exists wherein a malformed URL (Uniform Resource Locator) containing malicious commands can be sent to an IIS server and executed with the privileges of the IUSR_[machine_name] account. This is accomplished by issuing a malformed URL containing a Unicode representation of “../../”. While IIS performs a literal check to determine whether a packet has “../../” embedded within the URL, a packet containing the Unicode representation of “../../” is passed through because it does not match the comparison signature.

In essence, IIS’s check routine is bypassed because IIS is expecting literal dots and slashes as opposed to a Unicode representation, %c0%af. The vulnerability is, in essence, the old “../../” vulnerability.

Because the URL is passed to the system, an attack packet containing the following information would be executed by the target system (the URL below has been modified for clarity):

GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c HTTP/1.0\r\n\r\n

This URL allows the issuer to obtain a directory listing of the requested directory in HTML format.

The URL can be modified to execute code other than a directory listing. The exploit code introduced in this paper uploads two files, upload.asp and upload.inc. If write privileges are allowed in the specified directory, the files will be written and accessible via a browser pointed at http://[target_server]/upload.asp.

The malformed URL contains a Unicode representation of “../”, which corresponds to %c0%af in a hex dump of a sample attack packet. IIS does not process or strip the Unicode characters but passes them on to the operating system. The “../” allows the web root directory to be traversed.
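A model of the ordering flaw described above, where the traversal check runs before the overlong %c0%af sequence has been turned into a slash, placed beside the corrected ordering and a log check for overlong sequences. This is an added example, not the post's or IIS's own code; the web root, the sample log lines and all function names are constructed assumptions.

```python
import re
from posixpath import normpath
from urllib.parse import unquote_to_bytes

WEB_ROOT = "/inetpub/wwwroot"  # assumed web-root layout, constructed for this example

def lenient_utf8(data: bytes) -> str:
    """Lenient 1-/2-byte UTF-8 decode that accepts overlong forms, as the post says IIS did: C0 AF -> '/'."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        else:
            out.append("\ufffd"); i += 1
    return "".join(out)

def stays_in_root(path_text: str):
    """Return the canonical on-disk path if it lies inside WEB_ROOT, else None."""
    full = normpath(WEB_ROOT + "/" + path_text.lstrip("/"))
    return full if full == WEB_ROOT or full.startswith(WEB_ROOT + "/") else None

def vulnerable_serve_path(url_path: str):
    """Flawed order: the check sees '..C0AF..' as one odd file name, not '../..', then the decode makes it a slash."""
    raw = unquote_to_bytes(url_path)
    if stays_in_root(raw.decode("latin-1")) is None:  # check sees C0 AF as plain bytes
        return None
    return normpath(WEB_ROOT + "/" + lenient_utf8(raw).lstrip("/"))  # file system sees '/'

def hardened_serve_path(url_path: str):
    """Fixed order: strict decode (overlong %c0%af is rejected outright), then canonicalize and check containment."""
    try:
        text = unquote_to_bytes(url_path).decode("utf-8")  # strict: C0 xx is invalid
    except UnicodeDecodeError:
        return None
    return stays_in_root(text)  # only the checked path is ever opened

# Detection over web-server log lines (constructed samples): every 2-byte UTF-8
# sequence that starts with C0 or C1 is overlong by definition, %c0%af included.
OVERLONG_2BYTE = re.compile(r"%c[01]%[89ab][0-9a-f]", re.IGNORECASE)
SAMPLE_LOG = [
    '10.0.0.5 "GET /msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200',
    '10.0.0.6 "GET /index.asp HTTP/1.0" 200',
    '10.0.0.7 "GET /caf%c3%a9.htm HTTP/1.0" 200',  # valid 2-byte UTF-8, must not be flagged
]

def flag_overlong_requests(lines):
    return [line for line in lines if OVERLONG_2BYTE.search(line)]
```

The vulnerable path lets the sample URL from the post resolve to /winnt/system32/cmd.exe, while the hardened path rejects it at the decode step and the literal %2f variant at the containment step.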

A Proof of Concept/Exploit Code is included in this document. The use of this code against an unprotected server may compromise it. Caution is advised when using the code in any environment (secured/research or production).
