
IDFAQ: What are unicode vulnerabilities on Internet Information Server (IIS)?

Tom Rodriguez

A number of recent worms, including Code Red, Code Red II, and Nimda, have exploited vulnerabilities in IIS in order to achieve phenomenal growth; Nimda in particular spread through the Unicode directory traversal described here. This article will describe and examine these vulnerabilities.

There are two major vulnerabilities: the IIS/PWS Extended Unicode Directory Traversal Vulnerability (CVE-2000-0884, patched by Microsoft bulletin MS00-078) and the IIS/PWS Escaped Character Decoding Command Execution Vulnerability (CVE-2001-0333, patched by MS01-026).

IIS/PWS Extended Unicode Directory Traversal Vulnerability

The IIS/PWS Extended Unicode Directory Traversal vulnerability relies on the way IIS decodes URLs. Windows represents characters internally in Unicode, and IIS accepts UTF-8 encoded Unicode in URL paths, in which a character may be written with two octets even when its value fits in one. Such non-shortest ("overlong") forms are invalid UTF-8, but IIS 4.0 and 5.0 decoded them anyway, so the ASCII path separators could be represented as:

Representation   Value (ASCII)
%c0%af           /  (forward slash)
%c1%9c           \  (backslash)

Because the check for ".." sequences ran on the URL before this decoding took place, an encoded separator was not recognised as part of a "../" until after the check had already passed.
Normally, IIS checks URL strings to ensure that certain constructs, such as ".." sequences that climb above the web root, do not occur. For example, the following request will be caught by the parser:


Obviously, the requester is attempting to access some parent of the /scripts directory, and IIS catches this and returns an HTTP 404 (File not found) response. However, when the exact same request is made in the following form, with the separator in the traversal sequence replaced by one of the encodings above:


The response is:

Directory of c:\inetpub\scripts
10/01/2001  03:46p      <DIR>          .
10/01/2001  03:46p      <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)   2,527,547,392 bytes free
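The following Python model is added here as a worked example; it is not code from the original IDFAQ article and nothing is sent to a server. It reproduces the order of operations that made the traversal possible (check the still-encoded URL for "..", then decode it), beside the corrected order (decode strictly, then canonicalize and check containment), and adds a small detector for overlong-encoded separators in request URIs. The virtual-directory layout, the request strings and the helper names are assumptions constructed for the demonstration; the only detail taken from the article is that /scripts maps to c:\inetpub\scripts.

```python
import posixpath
import re

# Assumed virtual-directory layout, constructed for this example.
VDIRS = {
    "/scripts/": "c:/inetpub/scripts/",
    "/": "c:/inetpub/wwwroot/",
}


def percent_decode(url_path):
    """Expand %XX escapes into raw bytes; every other character stays ASCII."""
    return re.sub(rb"%([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  url_path.encode("ascii"))


def lenient_utf8(data):
    """Decode UTF-8 the way the vulnerable server effectively did: a two-byte
    sequence is accepted even when its value fits in one byte (an overlong form).
      0xC0 0xAF -> ((0xC0 & 0x1F) << 6) | (0xAF & 0x3F) = 0x2F = '/'
      0xC1 0x9C -> ((0xC1 & 0x1F) << 6) | (0x9C & 0x3F) = 0x5C = '\\'
    """
    out, i = [], 0
    while i < len(data):
        lead = data[i]
        if lead < 0x80:
            out.append(chr(lead))
            i += 1
        elif 0xC0 <= lead <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            raise ValueError("sequence not handled by this model: %r" % data[i:i + 2])
    return "".join(out)


def canonicalize(path):
    """Collapse '.' and '..' segments; return None if the path climbs above '/'."""
    segments = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None
            segments.pop()
        else:
            segments.append(seg)
    return "/" + "/".join(segments)


def map_to_disk(url_path):
    """Map a decoded URL path onto the disk path of its virtual directory."""
    url_path = url_path.replace("\\", "/")
    for prefix in sorted(VDIRS, key=len, reverse=True):
        if url_path.startswith(prefix):
            return posixpath.normpath(VDIRS[prefix] + url_path[len(prefix):])
    return None


def vulnerable_resolve(request_uri):
    """Unpatched order: the traversal check runs on the still-encoded URL, and
    only then is the path decoded. Returns the disk path served, or None (404)."""
    url_path = request_uri.split("?", 1)[0]
    if canonicalize(url_path) is None:           # a literal ../../ is caught here
        return None
    decoded = lenient_utf8(percent_decode(url_path))
    return map_to_disk(decoded)                  # %c0%af became '/' too late


def hardened_resolve(request_uri):
    """Fixed order: decode first and strictly (the UTF-8 codec rejects the
    0xC0/0xC1 lead bytes of overlong forms), then canonicalize and check containment."""
    url_path = request_uri.split("?", 1)[0]
    try:
        decoded = percent_decode(url_path).decode("utf-8")
    except UnicodeDecodeError:
        return None
    canonical = canonicalize(decoded)
    if canonical is None:
        return None
    disk_path = map_to_disk(canonical)
    # Defence in depth: the mapped path must still sit under a known directory.
    if not any(disk_path == r.rstrip("/") or disk_path.startswith(r) for r in VDIRS.values()):
        return None
    return disk_path


def overlong_sequences(request_uri):
    """Detection helper for IIS logs or IDS rules: every two-byte escape pair
    whose decoded value is plain ASCII, i.e. %c0%af, %c1%9c and their kin."""
    found = []
    for m in re.finditer(r"%(c[01])%([89ab][0-9a-f])", request_uri, re.IGNORECASE):
        lead, trail = int(m.group(1), 16), int(m.group(2), 16)
        found.append(chr(((lead & 0x1F) << 6) | (trail & 0x3F)))
    return found


# Constructed requests: the literal traversal the article says IIS catches,
# the encoded form that slipped past it, and a harmless request for contrast.
LITERAL = "/scripts/../../winnt/system32/cmd.exe?/c+dir"
ENCODED = "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir"
BENIGN = "/scripts/upload.asp"

if __name__ == "__main__":
    for uri in (LITERAL, ENCODED, BENIGN):
        print("%-50s vulnerable=%-28s hardened=%-30s overlong=%s" % (
            uri, vulnerable_resolve(uri), hardened_resolve(uri), overlong_sequences(uri)))
```

Run as-is, the literal request is refused by both resolvers, the encoded request resolves to c:/winnt/system32/cmd.exe under the vulnerable order and is refused under the hardened one, and the detector reports the "/" hidden in %c0%af. The general lesson is the one the fix in MS00-078 applied: every security check on a path must run on the fully decoded, canonical form, with non-shortest UTF-8 rejected outright rather than interpreted.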
This vulnerability was originally described by an anonymous poster to the PacketStorm Windows mailing list (on 10-OCT-2000) and elaborated further by Rain Forest Puppy on Bugtraq (on 17-OCT-2000,