From jhorner@2jnetworks.com Wed Feb 14 19:13:50 2001
Date: Mon, 5 Feb 2001 16:23:19 -0500
From: J. J. Horner
To: project@honeynet.org
Subject: Scan of the Month

Scan of the month:

### QUESTION 1: What is the operating system of the honeypot, how do you know?

Windows NT 4 with IIS 4.0 installed. It has the WinNT file structure, and the server signature is IIS/4.0.

### QUESTION 2: What is the name of this attack?

Microsoft IIS 4.0 / 5.0 Extended UNICODE Directory Traversal Vulnerability

Probably used a string very similar to that below with the target changed.

http://target/scripts/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir

Definitely script kiddie, using MSIE 5.01 on Win95.

### QUESTION 3: What is the attack attempting to accomplish?

The purpose of the request was to get a listing of the c: directory. A possible use for this scan is to see if the machine was vulnerable to the above vulnerability.

### QUESTION 4: How does the attack work?

There are major problems with how IIS interprets Unicode strings. By continuing to count the hex values for characters past the normal limit, one can trick an IIS server into interpreting the hex values as acceptable characters. The web server will follow the invalid paths to other areas, thereby gaining access to areas outside the document root. Once a kiddie gets access outside of the document root and into the winnt/system32 directory and to the cmd.exe executable, he can cause the web server to execute commands.

BONUS QUESTION: Is it possible to gain remote control of the system using this technique? If so, how?

Yes. Once a kiddie finds that a server is vulnerable, he can send commands to the machine using this vulnerability. A kiddie can cause a web server to tftp transfer netcat to the local machine, cause the server to execute netcat and open up a port on the server for command-line access.

I hope this fits the bill.

--
J. J. Horner
jjhorner@bellsouth.net
Apache, Perl, mod_perl, Web security, Linux