Mailing List Archive

Unicode encoding in URL
Nessus already handled the hex encoding (*not* Unicode!)
e.g. instead of "GET /ABC/ ", send "GET /%41%42%43/ "

I added MS's infamous non-standard %u encoding in URLs.
"GET /ABC/ " --> "GET /%u0041%u0042%u0043/ "

It seems that we could also send plain UTF-16. If I understand all
this correctly, this would just mean inserting a %00 before every
ASCII character and IIS will happily strip it.
"GET /%00%41%00%42%00%43/ "

I also added it but I'm not sure this would really work against
IIS... Can somebody test? (a colleague broke our favorite NT4 test
machine and did not reinstall it yet. The last Nessus session or
software installation was lethal :)

I suppose I could also add "broken UTF8"...

Reference: http://www.eeye.com/html/Research/Advisories/AD20010705.html
Re: Unicode encoding in URL
On 21 Feb 2002, Michel Arboi wrote:

> It seems that we could also send plain UTF-16. If I understand all
> this correctly, this would just mean inserting a %00 before every
> ASCII character and IIS will happily strip it.
> "GET /%00%41%00%42%00%43/ "

Checked this against (unpatched) IIS 5.0. Anything after the first %00
is ignored.

BTW: It appears you can replace (non-initial) slashes with %u2044
(fraction slash), 0s with %u2080 (subscript zero) etc. on IIS. IIS
processes these characters (in the URI) with WideCharToMultiByte in a way
that attempts to approximate the Unicode chars it gets in the current
codepage. Moreover, you can escape UTF-8 sequences (even broken ones)
with %u (e.g. %u00c1%u00b7) because %-escapes are removed in one pass
(IisRTL!STR__Unescape) and UTF-8 sequences in another (IisRTL!CanonURL).
IIS is weird. :)

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
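The three encodings from the first post and the behaviours Pavel describes in the reply (one pass stripping %-escapes, a second pass decoding UTF-8, best-fit substitution of characters such as %u2044, and truncation at the first %00) are exactly what an IDS or WAF normaliser has to reproduce before matching signatures, otherwise every variant of "/ABC/" looks different to it. The following is an added example written for this archive, not Nessus code and not code from either poster. It models the two-pass decoding as described above; the best-fit table holds only the two substitutions named in the thread and is an illustrative stand-in for the real WideCharToMultiByte tables, and the sample request lines are constructed.

```python
"""Canonicalise IIS-style URL encodings the way a detection engine must
before signature matching.  Added example; models the behaviour described
in the thread, not an implementation taken from IIS or Nessus."""
import re

# Illustrative best-fit table (assumption): only the two substitutions the
# thread reports.  Real WideCharToMultiByte best-fit tables are far larger.
BEST_FIT = {0x2044: "/", 0x2080: "0"}

_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
_REQUEST_LINE = re.compile(r"^[A-Z]+ (\S+)(?: HTTP/\d\.\d)?\s*$")


def path_of(request_line):
    """Extract the request-target from a line such as 'GET /x HTTP/1.0'."""
    m = _REQUEST_LINE.match(request_line)
    if not m:
        raise ValueError("not an HTTP request line: %r" % request_line)
    return m.group(1)


def unescape_pass(path, findings):
    """Pass 1 (the role the thread assigns to IisRTL!STR__Unescape): resolve
    every %XX and %uXXXX escape in one sweep.  Values below 0x100 are kept as
    raw bytes for the UTF-8 pass; larger values are code points.  Stops at
    the first NUL, mirroring the IIS 5.0 truncation reported above."""
    units, pos = [], 0
    while pos < len(path):
        m = _ESCAPE.match(path, pos)
        if m:
            if m.group(1):
                findings.add("percent-u-escape")
            value = int(m.group(1) or m.group(2), 16)
            pos = m.end()
        else:
            value, pos = ord(path[pos]), pos + 1
        if value == 0:
            findings.add("embedded-nul-truncation")
            break
        units.append(value)
    return units


def utf8_pass(units, findings):
    """Pass 2 (the role the thread assigns to IisRTL!CanonURL): decode UTF-8
    among the byte values.  Deliberately lenient, as a model of the server:
    overlong two- and three-byte forms are accepted and flagged."""
    chars, i, n = [], 0, len(units)
    while i < n:
        b = units[i]
        if b >= 0x100:                              # already a code point
            chars.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < n and 0x80 <= units[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (units[i + 1] & 0x3F)
            if cp < 0x80:
                findings.add("overlong-utf8")
            chars.append(chr(cp)); i += 2
        elif (0xE0 <= b <= 0xEF and i + 2 < n
              and all(0x80 <= units[i + k] <= 0xBF for k in (1, 2))):
            cp = ((b & 0x0F) << 12) | ((units[i + 1] & 0x3F) << 6) | (units[i + 2] & 0x3F)
            if cp < 0x800:
                findings.add("overlong-utf8")
            chars.append(chr(cp)); i += 3
        else:                                       # plain byte or invalid lead
            chars.append(chr(b)); i += 1
    return chars


def best_fit_pass(chars, findings):
    """Final step: approximate non-ASCII code points in the server code page,
    as best-fit conversion does (table above is illustrative)."""
    out = []
    for ch in chars:
        if ord(ch) in BEST_FIT:
            findings.add("best-fit-substitution")
            out.append(BEST_FIT[ord(ch)])
        else:
            out.append(ch)
    return "".join(out)


def canonicalize(path):
    """Return (canonical_path, sorted findings) for an encoded request-target."""
    findings = set()
    chars = utf8_pass(unescape_pass(path, findings), findings)
    return best_fit_pass(chars, findings), sorted(findings)


# Constructed request lines, including the encodings quoted in the thread.
SAMPLE_REQUESTS = [
    "GET /ABC/ HTTP/1.0",
    "GET /%41%42%43/ HTTP/1.0",
    "GET /%u0041%u0042%u0043/ HTTP/1.0",
    "GET /%00%41%00%42%00%43/ HTTP/1.0",
    "GET /scripts%u2044a%u2080 HTTP/1.0",
    "GET /%u00c1%u00b7 HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        canon, flags = canonicalize(path_of(line))
        print("%-40s -> %-14r %s" % (line, canon, ",".join(flags) or "-"))
```

The order of the passes is the point: a normaliser that decodes UTF-8 before stripping %u escapes never sees the C1 B7 byte pair hidden in %u00c1%u00b7, which is why Pavel's observation matters for signature matching. The findings list gives a detection engine something to alert on (an embedded NUL, a %u escape, an overlong sequence, a best-fit substitution) even when the canonical path itself looks harmless.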
Re: Unicode encoding in URL
[OK, that was a very old message :-]

Pavel Kankovsky <peak@argo.troja.mff.cuni.cz> writes:

> On 21 Feb 2002, Michel Arboi wrote:

> > It seems that we could also send plain UTF-16. If I understand all
> > this correctly, this would just mean inserting a %00 before every
> > ASCII character and IIS will happily strip it.
> > "GET /%00%41%00%42%00%43/ "

> Checked this against (unpatched) IIS 5.0. Anything after the first %00
> is ignored.

I was wondering... Shouldn't we remove these buggy "evasion tactics"?

--
mailto:arboi@bigfoot.com
GPG Public keys: http://michel.arboi.free.fr/pubkey.txt
http://michel.arboi.free.fr/ http://arboi.da.ru/
FAQNOPI de fr.comp.securite : http://faqnopi.da.ru/
Re: Unicode encoding in URL
On 19 Jul 2002, Michel Arboi wrote:

> [OK, that was a very old message :-]
>
> Pavel Kankovsky <peak@argo.troja.mff.cuni.cz> writes:
>
> > On 21 Feb 2002, Michel Arboi wrote:
>
> > > It seems that we could also send plain UTF-16. If I understand all
> > > this correctly, this would just mean inserting a %00 before every
> > > ASCII character and IIS will happily strip it.
> > > "GET /%00%41%00%42%00%43/ "
>
> > Checked this against (unpatched) IIS 5.0. Anything after the first %00
> > is ignored.
>
> I was wondering... Shouldn't we remove these buggy "evasion tactics"?

*shrug* Apparently, IIS is the first candidate when such a "creative"
interpretation of URLs is considered but it does not work with IIS. On the
other hand, I am certain engineers of Redmond as well as their buddies all
over the world are working hard to make their webserver even smarter than
they are today and some implementation interpreting UTF-16 might appear
soon.

I myself would probably remove the option from GUI (or mark it as "not
known to work with existing HTTP servers") but would keep the code.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."