From billp@boarder.org Wed Feb 14 19:13:38 2001
Date: Mon, 05 Feb 2001 11:21:49 -0800
From: Bill Pennington
To: project@honeynet.org
Subject: Scan of the month - February

### QUESTION 1: What is the operating system of the honeypot, how do you know?

The OS of the honeypot is Windows NT. We know this because MSADC is a well-known Microsoft IIS component.

### QUESTION 2: What is the name of this attack?

This is the well-known IIS Unicode attack.

### QUESTION 3: What is the attack attempting to accomplish?

Remote execution of code on the web server.

### QUESTION 4: How does the attack work?

By sending Unicode characters in an HTTP request, the attacker exploits a bug in IIS path checking. IIS checks the path BEFORE translating the Unicode strings. This enables attackers to send a GET request formatted like

GET /msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\

which will execute a "dir" command on the c:\ drive.

### BONUS QUESTION: Is it possible to gain remote control of the system using this technique? If so, how?

Assuming this is an NT server that has not been properly hardened, a complete compromise of the server would not be too difficult. The basic steps would be:

1. Upload (using ftp or tftp) a remote shell program, like netcat.
2. Execute netcat to give yourself access to the command prompt over the network.
3. At this point you only have IUSR_SERVER access to the system, but you can then leverage this access to further elevate your privileges. There are numerous ways to go about this, including grabbing the SAM database from the repair directory and cracking the administrator's password, downloading other "local only" exploits, or installing sniffing programs to capture username/password pairs.

Or you can use this exploit to gain system-level access:
http://www.eeye.com/html/Advisories/IISHack1.5.html

-- 
Bill Pennington - CISSP
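The check-before-translate ordering described in the answer to Question 4 is easiest to see in a small model. The following Python is an added example, not code from Bill Pennington's submission or from the Honeynet Project: it percent-decodes the request, decodes the overlong two-byte UTF-8 forms the way a lenient decoder would (%c0%af becomes "/", %c1%9c becomes "\"), and shows that a path check run before that translation passes a request that resolves to C:\winnt\system32\cmd.exe, while the same check run after strict decoding rejects it. The virtual-directory table, the drive layout and the log lines are constructed for the demonstration and are not taken from the scan data.

```python
"""Toy model of the IIS Unicode traversal bug and a log check for it.

Added example; assumed directory layout and constructed log lines, not scan data.
"""
import posixpath
import re
from urllib.parse import unquote_to_bytes

# Assumed on-disk layout (illustrative). Forward slashes keep posixpath usable.
WEB_ROOT = "C:/Inetpub/wwwroot"
VDIRS = {
    "/scripts": "C:/Inetpub/scripts",
    "/msadc": "C:/Program Files/Common Files/System/msadc",
}
ALLOWED_BASES = [WEB_ROOT, *VDIRS.values()]

# Overlong two-byte UTF-8: %c0%xx and %c1%xx encode code points below 0x80
# and have no legitimate use in a URL, so their presence alone is a signal.
OVERLONG_RE = re.compile(r"%c[01]%[89ab][0-9a-f]", re.I)


def lenient_utf8(data: bytes) -> str:
    """Decode like a decoder that accepts overlong two-byte sequences."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            # ((b & 0x1F) << 6) | (cont & 0x3F): C0 AF -> 0x2F '/', C1 9C -> 0x5C '\'
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))  # ASCII and stray bytes pass through unchanged
            i += 1
    return "".join(out)


def map_to_disk(url_path: str) -> str:
    """Map a URL path to a filesystem path via the virtual-directory table."""
    for prefix, disk in VDIRS.items():
        if url_path == prefix or url_path.startswith(prefix + "/"):
            return posixpath.normpath(disk + url_path[len(prefix):])
    return posixpath.normpath(WEB_ROOT + url_path)


def inside_allowed(disk_path: str) -> bool:
    return any(disk_path == b or disk_path.startswith(b + "/") for b in ALLOWED_BASES)


def vulnerable_resolve(request_target: str):
    """Buggy order: percent-decode, run the path check, THEN translate UTF-8."""
    raw = unquote_to_bytes(request_target.split("?", 1)[0])
    # The check sees "..\xc0\xaf.." as one odd segment name, not as "../..".
    if not inside_allowed(map_to_disk(raw.decode("latin-1"))):
        return None
    # Translation happens after the check, so the overlong slashes now take effect.
    return map_to_disk(lenient_utf8(raw))


def fixed_resolve(request_target: str):
    """Corrected order: decode strictly (overlong forms rejected), then check."""
    raw = unquote_to_bytes(request_target.split("?", 1)[0])
    try:
        decoded = raw.decode("utf-8")  # strict decoder raises on %c0%af
    except UnicodeDecodeError:
        return None
    disk = map_to_disk(decoded)
    return disk if inside_allowed(disk) else None


# Constructed W3C-style IIS log lines (date time c-ip method uri-stem query status).
SAMPLE_LOG = """\
2001-02-05 11:21:49 10.0.0.5 GET /default.htm - 200
2001-02-05 11:21:50 10.0.0.5 GET /msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200
2001-02-05 11:21:51 10.0.0.5 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir 200
2001-02-05 11:21:52 10.0.0.6 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404
"""


def flag_unicode_traversal(log_text: str):
    """Return URI stems that carry overlong encodings or decode to traversal."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[3] != "GET":
            continue
        uri = fields[4]
        decoded = lenient_utf8(unquote_to_bytes(uri))
        if OVERLONG_RE.search(uri) or "../" in decoded or "..\\" in decoded:
            hits.append(uri)
    return hits


if __name__ == "__main__":
    target = "/msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\"
    print("check-then-translate resolves to:", vulnerable_resolve(target))
    print("translate-then-check resolves to:", fixed_resolve(target))
    for uri in flag_unicode_traversal(SAMPLE_LOG):
        print("flagged:", uri)
```

The four "../" in the page's request are exactly the depth of the msadc virtual directory under the drive root in this layout, which is why that particular request lands on cmd.exe; against a vdir at a different depth an attacker would simply adjust the number of `..%c0%af..` pairs. The log check flags plain `%2f` traversal too, since a request that decodes to `../` has no business in a web log even when the server rejects it.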