From Denis.Ducamp@hsc.fr Wed Feb 14 19:11:50 2001
Date: Tue, 30 Jan 2001 04:35:27 +0100
From: Denis Ducamp
To: Lance Spitzner
Cc: project@honeynet.org, Denis Ducamp, Stephane Aubert
Subject: Re: Honeynet Project reminders and updates

On Mon, Jan 29, 2001 at 06:04:21PM -0600, Lance Spitzner wrote:
> 3. Scan of the Month, February
> -------------------------------
> New Scan of the Month has been released
>
> http://project.honeynet.org/scans/scan12/

1) What is the operating system of the honeypot, how do you know?

All that I can say for 172.16.1.106 is that:

. the window is 8760, which may correspond to a Solaris 2.6/2.7
  the mss is 1460, which is OK for a Solaris
  the DF is present, which is OK for a Solaris
  but the ttl is 127, whereas it should be 64/255 for a Solaris
  Those data are from the p0f.fp file from http://dione.ids.pl/p0f-1.7.tgz
  I know that those data should correspond only to the first SYN, but I hope
  that the second SYN isn't too far ;-)

. it is not a Linux 2.4 kernel because the packet has the DF bit and an ID != 0.

Because I was told that the latest Solaris has a null ID for DF packets (not
verified myself), the system on the honeypot may be a Solaris 2.6/2.7 with a
modified ttl.

But in fact, after viewing the results from the last scan, it's easy to see
that the SynAck packets are the same: window, mss, DF and ttl. In this same
file (p0f.fp) there is a Windows NT 4 with ttl=128 mss=1460 DF=1 and
window=8192, which is close to the packet too. So my response is a Windows NT
server.

For 128.173.37.135 it is easier: this is a Windows but not W2K because the
differences between IDs are multiples of 256 (512 and 256).

2) What is the name of this attack?

This attack is based on the Unicode Bug. From
http://packetstorm.securify.com/0010-exploits/iis-unicode.txt:

  It seems the values of %c0%af and %c1%9c work for IIS 5. Curiosity getting
  the better of me, I tried it on IIS 4. Uh oh, works there too. So is it
  UNICODE based? Yes. %c0%af and %c1%9c are overlong UNICODE representations
  for '/' and '\'.

And the same sort of URL is given in this paper:

  http://address.of.iis5.system/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\

So the request becomes:

  GET /msadc/../../../../../../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1

and \winnt\system32\cmd.exe gets executed with the parameters /c dir c:\

3) What is the attack attempting to accomplish?

This attack attempts to get the listing of c:\. In fact this attack verifies
whether this server is vulnerable to the Unicode bug.

4) How does the attack work?

It works by fooling the filter in IIS that verifies that the user doesn't try
to use .. directories to go above the real web server root or an alias
directory. But this filter doesn't know about Unicode and thinks that this is
the file cmd.exe in the directory system32 in the directory winnt in the
directory ..%c0%af.. in the directory ..%c0%af.. in the directory ..%c0%af..
in the directory /msadc, so to it there isn't any security risk.

But IIS knows about Unicode when it accesses
../../../../../../winnt/system32/cmd.exe at the file system level from /msadc,
so it accesses \winnt\system32\cmd.exe, supposing that the attacker entered
enough ..%c0%af.. to go up to the root directory.

Because it's permitted to execute programs in /msadc and IIS thinks that you
are accessing a subdirectory of /msadc, cmd.exe is executed and the following
parameters are passed to cmd.exe. Because the first parameter given to cmd.exe
is /c, the second is the command executed by cmd.exe and the others are
parameters for that command.

Bonus) Is it possible to gain remote control of the system using this
technique? If so, how?

To gain control of a vulnerable IIS server, you just have to change the
parameters given to the cmd.exe command (here dir+c:\), separated by + signs in
place of spaces, to change the command that will be executed...

Denis Ducamp.

PS: the fact that the server returned the content of c:\ proved that the
HoneyPot is vulnerable and made me change my reply to question 1 from Solaris
to NT.

PPS: oops, it's very late...

-- 
Denis.Ducamp@hsc.fr --- Hervé Schauer Consultants --- http://www.hsc.fr/
snort, hping & dsniff in French: http://www.groar.org/~ducamp/#sec-trad
On the proper use of ... http://usenet-fr.news.eu.org/fr-chartes/rfc1855.html
Netiquette Guidelines .... http://www.pasteur.fr/infosci/RFC/18xx/1855
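As an added example (not part of Denis's message or of the Honeynet Project's material), a log-side detector for the overlong-UTF-8 traversal described above: it decodes %c0%af and %c1%9c the way the vulnerable file-system layer did, normalizes the path and flags requests that walk above the web root. The sample request lines are constructed, not taken from the scan capture.

```python
from typing import Tuple
from urllib.parse import unquote_to_bytes

def decode_overlong(data: bytes) -> Tuple[str, bool]:
    """Lenient decoder: maps an overlong two-byte UTF-8 sequence (lead byte
    C0/C1 plus continuation byte) to the ASCII character it encodes, as the
    vulnerable IIS path handling did. Returns (text, saw_overlong)."""
    out, saw, i = [], False, 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            # 110000xx 10yyyyyy -> 7-bit value xxyyyyyy (%c0%af -> '/', %c1%9c -> '\')
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            saw, i = True, i + 2
        else:
            out.append(chr(b))  # ASCII and other bytes kept as Latin-1 characters
            i += 1
    return "".join(out), saw

def analyze_request(request_line: str) -> dict:
    """Inspect one HTTP request line (e.g. from a web-server log): report whether
    an overlong encoding was used and whether the normalized path escapes the
    document root, which a per-segment filter on the raw URL would not see."""
    method, url, *_ = request_line.split(" ")
    path = url.split("?", 1)[0]                      # drop the cmd.exe arguments
    decoded, overlong = decode_overlong(unquote_to_bytes(path))
    depth, escapes = 0, False
    for seg in decoded.replace("\\", "/").split("/"):  # treat '\' like '/'
        if seg == "..":
            depth -= 1
            if depth < 0:
                escapes = True                       # walked above the web root
        elif seg not in ("", "."):
            depth += 1
    return {"method": method, "decoded": decoded, "overlong": overlong,
            "escapes_root": escapes, "suspicious": overlong or escapes}

# Constructed sample request lines (hypothetical, not from the Honeynet capture).
SAMPLE_REQUESTS = [
    "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.1",
    "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /default.asp HTTP/1.1",
    "GET /images/%e2%9c%93.png HTTP/1.1",  # well-formed 3-byte UTF-8, not overlong
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(analyze_request(line))
```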