From andre.boucher@ec.gc.ca Wed Feb 14 19:14:03 2001
Date: Tue, 06 Feb 2001 14:18:23 -0500
From: Andre Boucher
To: project@honeynet.org
Subject: Scan of the Month - February.

Hi,

This attack is called "Web Server Folder Traversal vulnerability". See http://www.securiteam.com/windowsntfocus/Web_Server_Folder_Traversal_vulnerability__Patch_available__exploit_.html for the whole information about the attack.

Question 1: The Honeypot runs Windows NT, because this attack is made for Microsoft IIS V4.0 and 5.0. Also, the name of the directory listed during the attack says WINNT. The attacker seems to be using Internet Explorer to drive the attack because of the target URL referring to MSIE5.0.

Question 2: Web Server Folder Traversal vulnerability

Question 3: The attacker tries to run the command "cmd.exe \c dir c:\". This will give the listing of the root directory of the system.

Question 4: Taken from the web page mentioned previously:

Due to a canonicalization error in IIS 4.0 and 5.0, a particular type of malformed URL could be used to access files and folders that lie anywhere on the logical drive that contains the web folders. This would potentially enable a malicious user who visited the web site to gain additional privileges on the machine - specifically, it could be used to gain privileges commensurate with those of a locally logged-on user. Gaining these permissions would enable the malicious user to add, change or delete data, run code already on the server, or upload new code to the server and run it.

The request would be processed under the security context of the IUSR_machinename account, which is the anonymous user account for IIS. Within the web folders, this account has only privileges that are appropriate for untrusted users. However, it is a member of the Everyone and Users groups and, as a result, the ability of the malicious user to access files outside the web folders becomes particularly significant. By default, these groups have execute permissions to most operating system commands, and this would give the malicious user the ability to cause widespread damage. Customers who have proactively removed the Everyone and Users groups from permissions on the server, or who are hosting the web folders on a different drive from the operating system, would be at significantly less risk from the vulnerability.

Bonus question: I am not sure about this. You can always run commands one after another with the same type of attack to move files, run programs but without the GUI. The question is: Do you have remote control of a Windows NT when you do not have the GUI? If the answer is yes, then yes, you can consider that you have remote control of this system.
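The advisory quoted in Question 4 attributes the hole to a canonicalization error: the server checked the request path against the web root before it had fully decoded and normalized it. The following Python is an added example (not part of Andre Boucher's submission or the Honeynet Project's material) showing the order a defender's check has to use instead: decode percent-escapes repeatedly, insist on strict UTF-8 so malformed byte sequences are rejected rather than guessed at, collapse `.` and `..` segments, and only then decide whether the path stays inside the web root. It is then run over a few constructed IIS-style log lines to tag the traversal and cmd.exe requests of the kind discussed above. The log lines, IP addresses and the `classify`/`scan` helper names are constructed for this example.

```python
"""Canonicalize request paths before checking them against the web root,
then flag log entries whose canonical form escapes the root or is malformed.
Added example; the sample log below is constructed, not honeypot data."""
from __future__ import annotations

from urllib.parse import unquote_to_bytes

# Executable names the quoted advisory says a traversal request can reach.
SUSPICIOUS_TARGETS = ("cmd.exe",)

# Constructed W3C-extended style lines: date time c-ip method uri-stem uri-query status
SAMPLE_LOG = """\
2001-02-06 14:18:23 192.0.2.10 GET /default.htm - 200
2001-02-06 14:18:31 192.0.2.10 GET /scripts/../../winnt/system32/cmd.exe /c+dir+c:\\ 200
2001-02-06 14:18:40 192.0.2.10 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir+c:\\ 200
2001-02-06 14:18:52 192.0.2.11 GET /images/%ff.gif - 404
"""


def decode_path(raw: str, rounds: int = 3) -> tuple[str, bool]:
    """Percent-decode up to `rounds` times (so double encoding such as %255c
    is unwrapped) and require strict UTF-8. Byte sequences that are not valid
    UTF-8 are reported as malformed instead of being mapped to a character."""
    current = raw
    for _ in range(rounds):
        try:
            decoded = unquote_to_bytes(current).decode("utf-8")
        except UnicodeDecodeError:
            return current, True
        if decoded == current:
            break  # nothing left to decode
        current = decoded
    return current, False


def resolve(path: str) -> tuple[str, bool]:
    """Treat backslash like slash, drop empty and '.' segments, pop on '..'.
    Returns (canonical_path, escaped); escaped is True when a '..' tried to
    climb above the web root, which is the condition a root check must reject."""
    stack: list[str] = []
    escaped = False
    for segment in path.replace("\\", "/").split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if stack:
                stack.pop()
            else:
                escaped = True
            continue
        stack.append(segment)
    return "/" + "/".join(stack), escaped


def classify(uri_stem: str) -> str:
    """Verdict for one request path: 'malformed', 'traversal',
    'command-execution' or 'ok', in that order of precedence."""
    decoded, malformed = decode_path(uri_stem)
    if malformed:
        return "malformed"
    canonical, escaped = resolve(decoded)
    if escaped:
        return "traversal"
    if any(target in canonical.lower() for target in SUSPICIOUS_TARGETS):
        return "command-execution"
    return "ok"


def scan(log_text: str) -> list[tuple[str, str, str]]:
    """Run classify() over each log line; returns (client_ip, uri_stem, verdict)."""
    results = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue  # not a complete W3C-style record
        _date, _time, client_ip, _method, stem, _query, _status = fields[:7]
        results.append((client_ip, stem, classify(stem)))
    return results


if __name__ == "__main__":
    for client_ip, stem, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:18} {client_ip:12} {stem}")
```

The point of `decode_path` returning a malformed flag rather than a best-effort string is that the original IIS check compared the undecoded path with the root; a check that decodes first but then silently substitutes a replacement character for an invalid byte sequence would still be comparing something other than what the file system eventually opens.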