From srbrown@appgeo.com Wed Feb 14 19:14:16 2001
Date: Mon, 12 Feb 2001 12:51:39 -0500
From: Sean Brown
To: project@honeynet.org
Subject: SCAN OF THE MONTH Answers

#
# SCAN OF THE MONTH #12: February, 2001
#
# Challenge to see who can determine which tool was used
# and the purpose of this attack. Packet decodes using snort
# (http://www.snort.org).
#
# The packets were captured from the wild as part of the
# Honeynet Project, http://project.honeynet.org

QUESTIONS:
----------
Below is a specific probe/exploit run against our honeypot, 172.16.1.106. As you read through these signatures, the challenge is to answer the following questions:

### QUESTION 1: What is the operating system of the honeypot, how do you know?

The target server is running Windows NT. The results of the GET command to the target web server show that the attack was used to generate a directory listing on the local drive of the target computer. The header information from the target server's response shows that it is Windows NT running IIS 4.0. The directory structure is consistent with this. The server also most likely has 64MB of physical RAM (pagefile = physical RAM + 11MB by default).

The signature of the ACK packet sent from the target server is additional confirmation. It matches the signature of an NT Server as reported by the nmap_os_fingerprints file [1]. The Do Not Fragment bit is set, the Ack = Seq + 1, and the TCP options are echoed to the session initiator.

### QUESTION 2: What is the name of this attack?

This attack is called the "Extended Unicode directory traversal vulnerability" [2] and [3].

### QUESTION 3: What is the attack attempting to accomplish?

This type of attack is used to run arbitrary code on the target IIS web server under the privilege of the IUSR_ account. This particular attack is attempting to get directory information from the target system's local drive.

### QUESTION 4: How does the attack work?

A default installation of IIS with Unicode support enabled is vulnerable to directory traversal using Unicode representations of certain characters. In this case, the character was the Unicode representation of "/" with a Unicode hex value of 0xc0af. The characters are noted in the packet trace below by the carets (^). Using this method, an attacker can traverse to the location of the command interpreter on the target system and execute arbitrary code.

47 45 54 20 2F 6D 73 61 64 63 2F 2E 2E C0 AF 2E   GET /msadc/.....
                                       ^^ ^^
2E 2F 2E 2E C0 AF 2E 2E 2F 2E 2E C0 AF 2E 2E 2F   ./....../....../
            ^^ ^^                ^^ ^^
77 69 6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F 63   winnt/system32/c
6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72 2B 63 3A   md.exe?/c+dir+c:

BONUS QUESTION: Is it possible to gain remote control of the system using this technique? If so, how?

Yes. Since the IUSR_ account is a member of the groups EVERYONE and local USERS, and since by default the EVERYONE group has "FULL CONTROL" privileges to the entire local file system, it would be trivial to delete, rename, or copy important system files on the target system drive. Also, it would be a simple matter to copy modified versions of system executables to the target server and wait for an administrator to execute one of these commands. This technique has been used to create user accounts, install backdoor programs and elevate privileges for local users on NT systems. Such a vulnerability would definitely leave the system open to remote access and control.

References:

[1] nmap_os_fingerprints file, NMAP, Fyodor, URL: http://www.insecure.org/nmap
[2] Bugtraq ID 1806, URL: http://www.securityfocus.com
[3] ArachNIDS ID IDS452, URL: http://whitehats.com/info/IDS452

--
~~~~~~~~~~~~~~~
Sean R. Brown - srbrown@appgeo.com
System Administrator
Applied Geographics, Inc.
Boston, MA
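As an added illustration of the decoding step Question 4 describes (this is editorial example code, not part of Sean Brown's submission or of the Honeynet Project's materials), the Python below lenient-decodes two-byte UTF-8 the way a permissive server would, flags overlong sequences such as C0 AF that collapse to an ASCII "/", and resolves the resulting path to count how many ".." segments climb above the web root. SAMPLE_RAW is reconstructed from the trace above; SAMPLE_PCT, the same request with the bytes percent-encoded, is an assumed variant, and the function names are the example's own.

```python
from urllib.parse import unquote_to_bytes

# Constructed samples: SAMPLE_RAW is the request line reconstructed from the snort
# trace above (raw 0xC0 0xAF bytes); SAMPLE_PCT has those bytes percent-encoded (assumed form).
SAMPLE_RAW = b"GET /msadc/..\xc0\xaf../..\xc0\xaf../..\xc0\xaf../winnt/system32/cmd.exe?/c+dir+c:"
SAMPLE_PCT = b"GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:"

def decode_lenient_utf8(data: bytes) -> tuple[bytes, int]:
    """Decode two-byte UTF-8 leniently, accepting overlong forms such as C0 AF.
    Returns (decoded, overlong_count); overlongs collapse to the ASCII byte they encode."""
    out, overlong, i = bytearray(), 0, 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:  # fits in one byte, so this encoding is overlong
                overlong += 1
                out.append(cp)
            else:  # legitimate two-byte character, keep as-is
                out += data[i:i + 2]
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out), overlong

def resolve_segments(path: bytes) -> tuple[list, int]:
    """Collapse '.' and '..' segments; count how many '..' climb above the root."""
    stack, escapes = [], 0
    for seg in path.replace(b"\\", b"/").split(b"/"):
        if seg in (b"", b"."):
            continue
        if seg == b"..":
            if stack:
                stack.pop()
            else:
                escapes += 1
        else:
            stack.append(seg)
    return stack, escapes

def analyze_request_line(line: bytes) -> dict:
    """Traversal indicators for one HTTP request line (raw or percent-encoded)."""
    target = line.split(b" ")[1]
    path = target.split(b"?", 1)[0]
    decoded, overlong = decode_lenient_utf8(unquote_to_bytes(path))
    segments, escapes = resolve_segments(decoded)
    return {"overlong_sequences": overlong, "escapes_root": escapes,
            "resolved": b"/" + b"/".join(segments),
            "suspicious": overlong > 0 or escapes > 0}
```

For the trace above both forms report three overlong sequences and a path that climbs five levels above the virtual root before reaching winnt/system32/cmd.exe, which is the condition a detection rule or input filter should reject.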