Mailing List Archive: Nessus: devel

Unicode encoding in URL

Index | Next | Previous | View Threaded

arboi at noos

Feb 21, 2002, 2:24 AM

Post #1 of 4 (91 views)
Permalink

Unicode encoding in URL

Nessus already handled the hex encoding (*not* Unicode!)
e.g. instead of "GET /ABC/ ", send "GET /%41%42%43/ "

I added MS infamous non standard %u encoding in URL.
"GET /ABC/ " --> "GET /%u0041%u0042%u0043/ "

It seems that we could also send plain UTF-16. If I understand all
this correctly, this would just mean inserting a %00 before every
ASCII character and IIS will happily strip it.
"GET /%00%41%00%42%00%43/ "

I also added it but I'm not sure this would really work against
IIS... Can somebody test? (a colleague broke our favorite NT4 test
machine and did not reinstall it yet. The last Nessus session or
software installation was lethal :)

I suppose I could also add "broken UTF8"...

Reference: http://www.eeye.com/html/Research/Advisories/AD20010705.html

peak at argo

Feb 26, 2002, 6:18 PM

Post #2 of 4 (87 views)
Permalink

Re: Unicode encoding in URL [In reply to]

On 21 Feb 2002, Michel Arboi wrote:

> It seems that we could also send plain UTF-16. If I understand all
> this correctly, this would just mean inserting a %00 before every
> ASCII character and IIS will happily strip it.
> "GET /%00%41%00%42%00%43/ "

Checked this against (unpatched) IIS 5.0. Anything after the first %00
is be ignored.

BTW: It appears you can replace (non-initial) slashes with %u2044
(fraction slash), 0's with %u2080 (subscript zero) etc on IIS. IIS
processes these characters (in URI) with WideCharToMultibyte in a way
that attempts to approximate Unicode chars it gets in the current
codepage. Moreover, you can escape UTF-8 sequences (even broken ones)
with %u (e.g. %u00c1%u00b7) because %-escapes are removed in one pass
(IisRTL!STR__Unescape) and UTF-8 sequences in another (IisRTL!CanonURL).
IIS is wierd. :)

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

arboi at noos

Jul 19, 2002, 12:40 AM

Post #3 of 4 (88 views)
Permalink

Re: Unicode encoding in URL [In reply to]

[OK, that was a very old message :-]

Pavel Kankovsky <peak [at] argo> writes:

> On 21 Feb 2002, Michel Arboi wrote:

> > It seems that we could also send plain UTF-16. If I understand all
> > this correctly, this would just mean inserting a %00 before every
> > ASCII character and IIS will happily strip it.
> > "GET /%00%41%00%42%00%43/ "

> Checked this against (unpatched) IIS 5.0. Anything after the first %00
> is be ignored.

I was wondering... Shouldn't we remove this buggy "evasion tactics"?

--
mailto:arboi [at] bigfoot
GPG Public keys: http://michel.arboi.free.fr/pubkey.txt
http://michel.arboi.free.fr/ http://arboi.da.ru/
FAQNOPI de fr.comp.securite : http://faqnopi.da.ru/

peak at argo

Jul 20, 2002, 9:40 AM

Post #4 of 4 (89 views)
Permalink

Re: Unicode encoding in URL [In reply to]

On 19 Jul 2002, Michel Arboi wrote:

> [OK, that was a very old message :-]
>
> Pavel Kankovsky <peak [at] argo> writes:
>
> > On 21 Feb 2002, Michel Arboi wrote:
>
> > > It seems that we could also send plain UTF-16. If I understand all
> > > this correctly, this would just mean inserting a %00 before every
> > > ASCII character and IIS will happily strip it.
> > > "GET /%00%41%00%42%00%43/ "
>
> > Checked this against (unpatched) IIS 5.0. Anything after the first %00
> > is be ignored.
>
> I was wondering... Shouldn't we remove this buggy "evasion tactics"?

*shrug* Apparently, IIS is the first candidate when such a "creative"
interpretation of URLs is considered but it does not work with IIS. On the
other hand, I am certain engineers of Redmond as well as their buddies all
over the world are working hard to make their webserver even smarter than
they are today and some implementation interpreting UTF-16 might appear
soon.

I myself would probably remove the option from GUI (or mark it as "not
known to work with existing HTTP servers") but would keep the code.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads