From Chad.Johnston@wcom.com Wed Feb 14 19:13:06 2001
Date: Thu, 01 Feb 2001 11:33:22 -0700
From: Chad Johnston
To: project@honeynet.org
Subject: Scan of the month

I would like to offer my solution for this month's scan. I don't know if I need to follow certain steps to become a "Member of the Honeynet Project" or not, but I'll go ahead and send you my answers now, and take appropriate steps as necessary.

------------------------------------------------------

#1. What is the operating system of the honeypot, how do you know?

This appears to be either Windows NT 4.0 or Windows 2000, due to the server identifying itself as IIS/4.0 and the fact that the attempted exploit is IIS specific.

#2. What is the name of this attack?

According to the Microsoft Security Bulletin (MS00-078), this is called a "Web Server Folder Traversal" attack. Rain Forest Puppy called it the "IIS %c1%c1" attack on his website and in the BugTraq alert. It appears to be a variant method of the "File Permission Canonicalization" exploit that takes advantage of Unicode characters.

#3. What is the attack attempting to accomplish?

This particular instance of the attack appears to be trying to get a directory listing of C:.

#4. How does the attack work?

This attack takes advantage of the fact that the Unicode characters "C0" and "AF", which represent the "/" character, are decoded at the wrong time by IIS. Therefore, even if the spurious ../'s are removed by IIS, they reappear once the Unicode has been decoded.

BONUS: Is it possible to gain remote control of the system using this technique? If so, how?

It's not normally possible to gain remote control with this exploit. This exploit differs from "File Permission Canonicalization" in that any code executed will run under the anonymous IIS account and is subject to whatever permissions and policies are applied to that particular account.

-----------------------------------------------------------

I realize that my answers are probably woefully incomplete. Even if I'm not on the right track, I did manage to learn quite a bit while researching the exploit.

Chad Johnston
Sunset Group Limited
(719) 535-6284
cjohnston@sunsetgroup.com
Chad.Johnston@wcom.com
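The decode-order problem described in answer #4 (the "../" only appears after the overlong UTF-8 sequence C0 AF is decoded) is what a log-based detector has to reproduce: decode fully first, then look for traversal. The following is an added example written for this page, not part of the submission above or of any Honeynet Project tooling; the request lines are constructed, not taken from the honeypot capture.

```python
import re
from urllib.parse import unquote_to_bytes

# Matches a ".." path component after the request has been fully decoded.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Constructed sample request lines (method, path, status); not from the capture.
SAMPLE_REQUESTS = [
    "GET /default.htm 200",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ 200",
    "GET /scripts/../../winnt/system32/cmd.exe?/c+dir+c:\\ 404",
    "GET /images/..%2F..%2Fwinnt/win.ini 404",
    "GET /docs/release..notes.txt 200",
]


def canonicalize(path: str) -> str:
    """Percent-decode, then fold overlong two-byte UTF-8 forms of ASCII
    (lead byte C0 or C1 followed by a continuation byte) into the ASCII
    byte they encode, so C0 AF becomes '/'. A strict UTF-8 decoder would
    reject these sequences; a detector must accept them to see what IIS saw."""
    raw = unquote_to_bytes(path)
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1")


def is_traversal(path: str) -> bool:
    """True if a '..' component survives once all decoding has been applied.
    Checking before decoding is the ordering mistake MS00-078 describes."""
    return TRAVERSAL.search(canonicalize(path)) is not None


def flag_traversal(lines):
    """Return the request paths in the given log lines that contain traversal."""
    flagged = []
    for line in lines:
        parts = line.split(" ")
        if len(parts) < 2:
            continue
        if is_traversal(parts[1]):
            flagged.append(parts[1])
    return flagged
```

Note that the third and fourth sample lines contain no overlong encoding and would have been refused by IIS's own check; the detector still flags them because it judges the decoded path rather than the server's outcome.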