From gfk@logidac.com Wed Feb 14 19:11:42 2001
Date: Mon, 29 Jan 2001 21:43:53 -0500
From: Guillaume Filion
To: project@honeynet.org
Subject: Scan of the month

Hi guys,

Here's my try at the forensics and analysis of the Scan of the month #12. It's my first try at this kind of thing, so excuse my mistakes... Usually, the scans of the month are way over my head, but this one looked easier, so I gave it a try.

### QUESTION 1: What is the operating system of the honeypot, how do you know?

The attacker thinks that it's WinNT (it's a WinNT attack) running IIS/ASP (the cookie name is ASPSessionID*). Since the attack worked, I guess the attacker was right... 8)

The answer from the honeypot server says:

    Server: Microsoft-IIS/4.0

Passive TCP/IP Fingerprinting shows:

    TTL: 128
    DF is on.
    Win: 0x2238 -> 8760
    TOS: 0x0

The DB (http://project.honeynet.org/papers/finger/traces.txt) shows:

    Windows 9x/NT    Intel    32     5000-9000    y    0
    Windows 9x/NT    Intel    128    5000-9000    y    0
    Windows 2000     Intel    128    17000-18000  y    0

All the info except DF looks like it's WinNT 4.0.

### QUESTION 2: What is the name of this attack?

I think that M$ calls it "Web Server Folder Traversal" or "File permission canonicalization".

### QUESTION 3: What is the attack attempting to accomplish?

It tries to execute the command "dir c:\", that is, having the server send the attacker the content of the C drive's \ directory.

### QUESTION 4: How does the attack work?

Here's a post from "rain forest puppy" relating to the vulnerability:
http://packetstorm.securify.com/0010-exploits/iis-unicode.txt

I found a nice summary at a Vuln-Dev archive; strangely, it's not available anymore at securityfocus' archive.
http://archives.neohapsis.com/archives/vuln-dev/2000-q4/0255.html

To summarise the summary, it tries to make the server execute the command "dir c:". However, just sending

    GET /../../winnt/system32/cmd.exe?c+dir+c:\

would not work because IIS blocks "../" if this is directed outside of the server scope. Someone clever found out that sending the Unicode for slash / (0xC0 0xAF) does not get caught by IIS. That way, the attacker is able to go snoop around about everywhere on the server.

BTW, here is the request sent by the attacker:

    GET /msadc/....../....../....../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)
    Host: lab.wiretrip.net
    Connection: Keep-Alive
    Cookie: ASPSESSIONIDGQQQQQZU=KNOHMOJAKPFOPHMLAPNIFIFB....APNIFIFB....

What is funny is that if you go to lab.wiretrip.net, you see that the site is called "rain forest puppy", which is the name of the guy who signed one of the posts I was talking about and also reported the vulnerability to Microsoft. You guys are funny!

### Bonus Question: Is it possible to gain remote control of the system using this technique? If so, how?

As Bill Clinton's Attorneys would say, "This depends on your definition of 'remote control of the system'." ;-)

However, as stated in Microsoft's advisory (http://www.microsoft.com/technet/Security/Bulletin/ms00-078.asp), "The vulnerability could potentially allow a visitor to a web site to take a wide range of destructive actions against it, including running programs on it." So I guess this fits in the definition of "remote control of the system."

Best,
GFK's

--
Guillaume Filion
Logidac Tech., Beaumont, Québec, Canada - http://logidac.com/
PGP Fingerprint: 14A6 720A F7BA 6C87 2331 33FD 467E 9198 3DED D5CA
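A canonicalisation check for the encoding discussed in the submission, as an added example that is not part of the post or of any IIS code: it shows why a literal "../" test on the raw path misses the 0xC0 0xAF overlong form of "/", and what a decode-then-check rule sees instead. The request line is constructed for the demo (not the capture from the post) and the function names are mine.

```python
from urllib.parse import unquote_to_bytes

def lenient_utf8_decode(raw: bytes):
    """Decode like a tolerant decoder that also accepts the overlong 2-byte
    form of an ASCII character (lead byte 0xC0/0xC1). Strict UTF-8 rejects
    those, which is why %c0%af passes a raw-text check yet becomes '/'.
    Returns (text, number_of_overlong_sequences)."""
    out, overlong, i = [], 0, 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)
            overlong += cp < 0x80          # 0xC0 0xAF -> U+002F '/'
            out.append(chr(cp))
            i += 2
        else:
            out.append(chr(b))             # ASCII or anything else, kept 1:1
            i += 1
    return "".join(out), overlong

def naive_check_blocks(path: str) -> bool:
    """The literal '../' test the post says IIS applied before decoding."""
    return "../" in path or "..\\" in path

def escapes_root(path: str) -> bool:
    """Canonicalise first (percent-decode, lenient byte decode, resolve
    '..' segments, treat '\\' like '/'), and only then decide."""
    text, _ = lenient_utf8_decode(unquote_to_bytes(path))
    depth = 0
    for seg in text.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def analyze_request_line(line: str) -> dict:
    """Summarise one HTTP request line for a log-review or detection rule."""
    path = line.split(" ")[1].split("?", 1)[0]
    raw = unquote_to_bytes(path)
    text, overlong = lenient_utf8_decode(raw)
    try:
        raw.decode("utf-8"); strict_ok = True   # a strict decoder rejects overlong forms
    except UnicodeDecodeError:
        strict_ok = False
    return {"naive_check_blocks": naive_check_blocks(path), "overlong_sequences": overlong,
            "strict_utf8_accepts": strict_ok, "escapes_root": escapes_root(path),
            "canonical_path": text}

# Constructed sample (not the capture from the post): the 0xC0 0xAF overlong
# encoding of '/' in its percent-encoded wire form.
SAMPLE = "GET /msadc/..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.1"

if __name__ == "__main__":
    print(analyze_request_line(SAMPLE))
```

Run against real access logs, `overlong_sequences > 0` or `strict_utf8_accepts == False` on a path is itself a useful alert, independent of whether the canonical path escapes the root.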