From dkwan@ca.ibm.com Wed Feb 14 19:12:45 2001
Date: Tue, 30 Jan 2001 16:57:10 -0500
From: Derek Kwan
To: project@honeynet.org
Subject: Scan of the month (scan12)

QUESTIONS:
----------

### QUESTION 1: What is the operating system of the honeypot, how do you know?

Windows NT with IIS 4.0. How? From the "Session Breakout File":-

1) HTTP return header -> Microsoft-IIS/4.0
2) Contents of the data in return (in this case Dir C:\) you can see a WINNT directory

(However, the above can still be faked... if someone wants to... Maybe a closer look at the TCP DUMP and trying to figure out the Seq numbers, TTL etc. to do more OS fingerprinting can identify the target OS)

### QUESTION 2: What is the name of this attack?

RDS Vulnerability (?)

### QUESTION 3: What is the attack attempting to accomplish?

The attacker is trying to use Microsoft Internet Explorer 5 to enter a carefully crafted URL

    http:///msadc/..À¯../..À¯../..À¯../winnt/system32/cmd.exe?/c+dir+c:\

in order to exploit the RDS Vulnerability. However, the "..À¯.." I have no idea what they are for at this moment. And it seems like the server is executing "cmd.exe /c dir c:\" (the /c option makes CMD.exe carry out the command specified by the string and then terminate). This executes a DIR C:\ for a directory listing....

How can I tell the attacker is running IE 5? Well, the HTTP request header gives out the info:-

    User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)

This looks like a plain IE, not a branded IE (e.g. MSN version), otherwise you will have something like the following eh:-

    User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 95; msnca)

The attacker machine is configured as US English

    Accept-Language: en-us

otherwise it could look something like Canadian English eh:-

    Accept-Language: en-ca

However this can be faked too (with the help of netcat and a simple text file...)

Also it seems like the attacker has been on this server (lab.wiretrip.net) at least once. Why? Because the browser has a cookie passed back to the server:-

    ASPSESSIONIDGQQQQQZU=KNOHMOJAKPFOPHMLAPNIFIFB
    ------------

ASP SESSION ID? Hummm.. sounds interesting..... Seems like ASP needs an ID to keep track of the session... (Maybe something to hack during spare time...)

### QUESTION 4: How does the attack work?

According to some papers I have read (e.g. Rain Forest Puppy's advisory RFP9907) it has something to do with msadcs.dll; there is a call to the VBA shell() function.

BONUS QUESTION: Is it possible to gain remote control of the system using this technique? If so, how?

Yea, sure, it is IIS 4.0, the possibilities are unlimited. "Yours to Discover"

For example, you could rewrite the index.html by doing something like

    cmd.exe /c echo Your site is H4Ck3D! > {root doc dir here}/index.html