From jshirk@roguish.org Wed Feb 14 19:13:54 2001
Date: Mon, 5 Feb 2001 16:55:21 -0600
From: Jeremiah J. Shirk
To: project@honeynet.org
Subject: February Scan of the Month

#
# SCAN OF THE MONTH #12: February, 2001
#
# Challenge to see who can determine which tool was used
# and the purpose of this attack. Packet decodes using snort
# (http://www.snort.org).

Hmm, it looks like the tool in this case is IE 5.01 on Win95. :)

### QUESTION 1: What is the operating system of the honeypot, how do you know?

The honeypot is running NT 4.0, based on the TTL, the window size, the TOS,
and the fact that it's running IIS 4.0.

### QUESTION 2: What is the name of this attack?

This attack is known by several names. Some of them are:

  Microsoft IIS 4.0 / 5.0 Extended UNICODE Directory Traversal Vulnerability
  CVE-2000-0884
  "Web Server Folder Traversal" Vulnerability (MS00-078)

### QUESTION 3: What is the attack attempting to accomplish?

Presumably, the attacker wishes to determine whether this server is
vulnerable to the attack (as well as get a directory listing of C:).

### QUESTION 4: How does the attack work?

IIS fails to check for UNICODE encoding of '/', so that while a request of:

  GET /msadc/../../../../../../winnt/system32/cmd.exe?/c+dir+c:\

should be rejected, the following request is (incorrectly) allowed:

  GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\

Note that once the UNICODE encoding is converted, the requests are
effectively identical.

### BONUS QUESTION: Is it possible to gain remote control of the system using this technique? If so, how?

In a sense, yes, it would be possible for the attacker to remotely control
the system, by using (for example) tftp, ftp, or samba to upload his/her
tools of choice. However, the code executed by the attack runs in the
security context of the IUSR_machinename account, which by default is
similar to any ordinary user with an account on the system.

Of course, it may be possible for the attacker to use this wedge into the
system to escalate privilege for total remote control.

-jjs

--
----------------------------------------------------------------------
Jeremiah J. Shirk, CISSP                              jshirk@roguish.org
----------------------------------------------------------------------
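The mechanism described in the answer to Question 4 (the traversal check runs on the still-encoded path, so "..%c0%af.." is one opaque segment, and only afterwards is %c0%af decoded to '/') can be made concrete with a small script. The following is an added illustration written for this archive page, not code from the submission or from the Honeynet Project. It takes the path portion of the two GET lines quoted above as constructed sample input, models a permissive UTF-8 decoder that accepts the overlong two-byte form of '/' (the `lenient_utf8` function is an assumption about such a decoder, not IIS's actual code), and shows why checking segments before decoding misses the second request while checking after decoding catches it. It also shows that a strict decoder (Python's own) rejects the overlong sequence outright, which is the behaviour a server should rely on.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample input: the path portion of the two request lines
# discussed in the answer to Question 4 (query string dropped).
PLAIN = "/msadc/../../../../../../winnt/system32/cmd.exe"
ENCODED = "/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe"


def lenient_utf8(data: bytes) -> str:
    """Model of a permissive UTF-8 decoder (assumed, not IIS's real code).

    It computes the code point of 1-, 2- and 3-byte sequences without
    rejecting overlong forms, so b'\\xc0\\xaf' (an overlong encoding of
    U+002F) comes out as '/'.  Malformed bytes become U+FFFD.
    """
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:  # 1-byte ASCII
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < n and 0x80 <= data[i + 1] < 0xC0:
            # 2-byte form; an overlong lead byte 0xC0/0xC1 is NOT rejected here
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        elif (0xE0 <= b < 0xF0 and i + 2 < n
              and 0x80 <= data[i + 1] < 0xC0 and 0x80 <= data[i + 2] < 0xC0):
            # 3-byte form
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            out.append(chr(cp))
            i += 3
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def normalize(path: str) -> str:
    """Percent-decode, decode UTF-8 leniently, and fold '\\' to '/'."""
    return lenient_utf8(unquote_to_bytes(path)).replace("\\", "/")


def segments_before_decoding(path: str) -> list:
    """The flawed order: split on separators while the path is still encoded.
    "..%c0%af.." is a single segment here, so no '..' is ever seen."""
    return path.replace("\\", "/").split("/")


def segments_after_decoding(path: str) -> list:
    """The correct order: decode first, then split into segments."""
    return normalize(path).split("/")


def has_traversal(segments: list) -> bool:
    """True if any path segment is exactly '..'."""
    return ".." in segments


def strict_rejects(path: str) -> bool:
    """True if a conforming (strict) UTF-8 decoder refuses the decoded bytes.
    Overlong sequences such as \\xc0\\xaf must be refused by such a decoder."""
    try:
        unquote_to_bytes(path).decode("utf-8")
        return False
    except UnicodeDecodeError:
        return True


if __name__ == "__main__":
    for label, path in (("plain", PLAIN), ("encoded", ENCODED)):
        print(f"{label:8} check-before-decode: {has_traversal(segments_before_decoding(path))!s:5} "
              f"check-after-decode: {has_traversal(segments_after_decoding(path))!s:5} "
              f"strict decoder rejects: {strict_rejects(path)}")
    print("normalized encoded request == plain request:", normalize(ENCODED) == PLAIN)
```

Running it shows the asymmetry the answer describes: the plain request is flagged by either check, the encoded one only by the check that runs after decoding, and `normalize(ENCODED)` is byte-for-byte the plain request. A detection rule (in snort or elsewhere) that matches only the literal string "../" therefore needs a companion pattern for the %c0%af form, and a server-side fix is to canonicalize before any path check and to reject overlong UTF-8 rather than silently accept it.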