HTTP: Too Long UTF8 Code
This protocol anomaly triggers when it detects an HTTP request with an exceedingly long UTF8 codes. This can be an attempt to overflow a portion of the Web server, or that a script is being made available to the Web server.
Extended Description
Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot "../" directory traversal exploitation if extended UNICODE character representations are used in substitution for "/" and "\". Unauthenticated users may access any known file in the context of the IUSR_machinename account. The IUSR_machinename account is a member of the Everyone and Users groups by default, therefore, any file on the same logical drive as any web-accessible file that is accessible to these groups can be deleted, modified, or executed. Successful exploitation would yield the same privileges as a user who could successfully log onto the system to a remote user possessing no credentials whatsoever. It has been discovered that a Windows 98 host running Microsoft Personal Web Server is also subject to this vulnerability. (March 18, 2001) This is the vulnerability exploited by the Code Blue Worm. **UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability.
Affected Products
Microsoft iis
Short Name
HTTP:AUDIT:REQ-LONG-UTF8CODE
Severity
Info
Recommended
False
Recommended Action
None
Category
HTTP
Keywords
CVE-2000-0884 bid:1806
Release Date
08/27/2003
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3336
False Positive
Rarely
Vendors
Microsoft
CVSS Score
7.5