TUCoPS :: Web :: IIS :: web4865.htm

IIS GET request can overwrite log file
20th Nov 2001 [SBWID-4865]
COMMAND

	 IIS GET request can overwrite log file

	 Citrix Metaframe request can overwrite log

SYSTEMS AFFECTED

	 IIS 4.0, 5.0

	 CITRIX Metaframe 1.8 (at least)

PROBLEM

	1; (One Semicolon) says [http://onesemicolon.cjb.net] :
	

	Log entries in  the  IIS  logfile  have  the  hex  codes  in  a  request
	translated to a character.
	 

	/index%2easp becomes /index.asp and is shown as that in the logfile.

	

	The problem is that %0A becomes translated to a  new  line  and  %FF  to
	what looks just like a space.  Using  these  two  you  can  successfully
	create two perfectly real looking log entries.
	 

	/index.asp%FF200%FFHTTP/1.1%0A00:52:11%FF198.116.142.34%FFGET%FF/evilplaces

	

	Here the request for /index.asp is ended with a 200 notice and  HTTP/1.1
	showing what version has been used HTTP wise. Then a new line  (%0A)  is
	started. At first I thought that getting the time right would  become  a
	difficult one. It turns out I was  wrong.  All  logging  is  done  using
	Greenwich time. All one needs to do is figure out the  current  time  in
	London and they are done. Then the IP of the person who you wish to  use
	follows. Then whatever you think they should be caught asking  for.  The
	%FF and %0A works when using  MS-DOS\'s  Edit.  To  make  this  work  in
	WordPad which more likely will be used to view logs,  replace  %FF  with
	%09.
	

	 UPDATE

	 =======

	

	Pedro Quintanilha reported that Citrix  Metaframe  is  also  vulnerable,
	based on following NT Event log format :
	

	

	=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=

	=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=

	=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

	Time: Wed Nov 21 09:37:00 2001

	User: MARCUS   Agent: metaframe2

	Source: Security   ID: 528   Type: Success Audit

	Successful Logon:

	 User Name: MARCUS

	 Domain:  NTDOMAIN

	 Logon ID:  (0x2,0x2959446E)

	 Logon Type: 2

	 Logon Process: User32 =20

	 Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

	 Workstation Name: WTS2

	 WinStation: ICA-tcp#245

	 Session ID: 245

	 Client Name: STATION2

	 Client Address: 192.168.0.44

	=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=

	=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=

	=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

	

SOLUTION

	Nothing yet.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH