From malmassari@hotmail.com Fri Apr 20 20:32:05 2001
Date: Thu, 19 Apr 2001 09:32:15
From: Majid Almassari
To: project@honeynet.org
Subject: Majid Almassari Scan14.

Scan 14:
--------

On 4 Feb, 2001, the system 213.116.251.162 successfully attacked and compromised the honeypot 172.16.1.106, otherwise known as lab.wiretrip.net. We have reason to believe that the attacker knew this was a honeypot. However, we decided to release this challenge as it exemplifies the most common of NT attacks found in the wild. Your only source of information is the snort binary log file that captured the entire attack. You will have to extract and analyze the information from this binary log file.

------------------------------------------------------------------------

1. Which exploit(s) were used to attack the system?

Answer:

The first exploit is the IIS Unicode exploit. The second exploit is the RDS MSADC DataFactory exploit. Information about both exploits can be obtained from www.wiretrip.net/rfp

The first exploit is explained in "IIS %c1%1c bug". The strings %C0%AF and %C1%9C are overlong Unicode representations for '/' and '\' respectively.

The second exploit is explained in the Knowledge Base; RFP9902: IIS/RDS Advisory.

--------------

2. How were the exploits used to access and control the system?

Answer:

The IIS Unicode exploit was carried out by

GET /guest/default.asp/..%C0%AF../..%C0%AF../..%C0%AF../boot.ini

The Unicode attack was carried out to find the %systemroot% from boot.ini in preparation for the next exploit, since knowledge of %systemroot% is needed to perform the database query (dbq). It can also be used to execute commands.
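As an added illustration for answers 1 and 2 (example code written for this page, not part of the writeup, the Honeynet Project, or any RFP Labs tool): a small detector that decodes percent-encoded request paths the way the vulnerable server did, accepting the overlong two-byte forms %C0%AF ('/') and %C1%9C ('\'), canonicalises the result, and flags requests that climb above the web root or that send an RDS ActiveDataFactory.Query carrying a shell() call. The log-line format, the function names, and all sample lines are assumptions; the second and fourth sample lines mirror the request strings quoted in this writeup, the rest are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed request lines. The second and fourth mirror the request strings
# quoted in this writeup; the others are made up to exercise the checks.
SAMPLE_REQUESTS = [
    "GET /default.asp HTTP/1.0",
    "GET /guest/default.asp/..%C0%AF../..%C0%AF../..%C0%AF../boot.ini HTTP/1.0",
    "GET /guest/..%C1%9C..%C1%9C..%C1%9Cboot.ini HTTP/1.0",
    'GET /msadc/msadc.dll/ActiveDataFactory.Query Select * from customer '
    'where city = \'|shell("cmd /c echo werd >> c:\\fun")|\' '
    'driver={Microsoft Access Driver (*.mdb)};'
    'dbq=c:\\winnt\\help\\iis\\htm\\tutorial\\btcustmr.mdb',
]

# Percent-encoded two-byte sequence with a C0 or C1 lead byte: always overlong.
OVERLONG_ESCAPE = re.compile(r'%C[01]%[89AB][0-9A-F]', re.IGNORECASE)
# The "|shell(" construct abused through the Jet/Access driver in RDS queries.
RDS_SHELL_CALL = re.compile(r'\|\s*shell\s*\(', re.IGNORECASE)


def decode_lenient_utf8(raw: bytes) -> str:
    """Decode UTF-8 the way the vulnerable server did: a two-byte sequence with
    a C0 or C1 lead byte is accepted and yields the ASCII character it overlongly
    encodes (C0 AF -> '/', C1 9C -> '\\'). A strict decoder rejects these.
    Anything that is not ASCII or a plain two-byte sequence becomes U+FFFD."""
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append('\ufffd')
            i += 1
    return ''.join(out)


def canonicalise(path: str):
    """Resolve '.' and '..' segments, treating '\\' like '/'. Returns the
    normalised path and whether any '..' tried to climb above the web root."""
    parts = []
    escaped = False
    for seg in path.replace('\\', '/').split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            if parts:
                parts.pop()
            else:
                escaped = True
            continue
        parts.append(seg)
    return '/' + '/'.join(parts), escaped


def analyse_request(line: str) -> dict:
    """Classify one '<METHOD> <request> [HTTP/x.y]' line (hypothetical log format)."""
    method, _, rest = line.partition(' ')
    request = re.sub(r'\s+HTTP/\d\.\d$', '', rest)
    raw_path = request.split('?', 1)[0].split(' ', 1)[0]
    path, escaped = canonicalise(decode_lenient_utf8(unquote_to_bytes(raw_path)))
    decoded_request = decode_lenient_utf8(unquote_to_bytes(request))

    findings = []
    if OVERLONG_ESCAPE.search(request):
        findings.append('overlong-utf8')
    if escaped:
        findings.append('traversal-outside-webroot')
    if path.lower().startswith('/msadc/msadc.dll') and RDS_SHELL_CALL.search(decoded_request):
        findings.append('rds-shell')
    return {'method': method, 'path': path, 'findings': findings}


def scan(lines):
    """Return only the suspicious requests as (canonical path, findings) pairs."""
    return [(r['path'], r['findings'])
            for r in map(analyse_request, lines) if r['findings']]


if __name__ == '__main__':
    for path, findings in scan(SAMPLE_REQUESTS):
        print(f'{path:45s} {", ".join(findings)}')
```

The defensive point is the order of operations: a filter that checks the raw URI for ".." never sees the traversal, because the '/' and '\' arrive as %C0%AF and %C1%9C; the check has to run on the decoded, canonicalised path (or the server must reject C0/C1 lead bytes outright, as strict UTF-8 decoders do).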
The second exploit is done by using

GET /msadc/msadc.dll/ActiveDataFactory.Query Select * from customer where city = '|shell("cmd /c echo werd >> c:\fun")|' driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb ; --!ADM!ROX!YOUR!WORLD!

Note that you must have a DSN on the system in order for the exploit to work. btcustmr.mdb is a default MS Access database that comes with MS Option Pack 4. This exploit basically allows you to pipe any command you like through SQL queries. The attacker was able to use the IIS Unicode exploit to execute ftp retrieval commands to get NetCat installed on the system and connect to the lab box on ports 6969 and 6968.

---------------

3. What was done once access was gained?

Answer:

- The attacker successfully downloaded samdump.dll, pdump.exe, and nc.exe from 213.116.252.162, which the FTP banner says is a Windows 95 box (Release Candidate 1), P33 with 16 MB RAM. This is obviously misleading, because you can tell from the browser client headers that the attacker has MS Office installed; good luck running this thing on a P33 with 16 MB. samdump.dll and pdump are components of the famous password cracker L0phtCrack. nc.exe is NetCat, the well-known hacker Swiss army knife.
- Attacker makes a copy of the MS-DOS command prompt cmd.exe in c:\Program Files\Common Files\system\msadc\cmd1.exe.
- Attacker tries to dump passwords using pdump.exe to a file c:\yay.txt.
- Attacker browsed through several folders: c:\exploits, c:\inetpub\wwwroot, c:\wiretrip.
- Attacker used net users, net session, net group, net localgroup to enumerate users and groups on the lab system.
- Attacker creates a file called README.NOW.Hax0r saying "hi, I know that this is a lab server, but patch the holes! :)"
- Attacker successfully adds IUSR_KENNY (Internet Guest Account) and IWAM_Kenny (Web Application Manager's Account) to the local Administrators group using MSADC DataFactory.
- Attacker attempted to dump the SAM repair content c:\winnt\repair\sam._ to c:\har.txt.
- Attacker places a test.txt file stating "This can't be true" in wwwroot.
- Attacker uploads whisker.tar.gz (a cool scanner; I hope it's not version 2) to 213.116.252.162.

--------------

4. How could this attack have been prevented?

Answer:

The following patches, if installed, would have prevented the attack:

- For the IIS Unicode exploit, see Microsoft MS00-057: File Permission Canonicalization Vulnerability.
- For RDS MSADC DataFactory, see Microsoft MS98-004: Unauthorized ODBC Data Access with RDS and IIS, and MS99-025: Unauthorized Access to IIS Servers through ODBC Data Access with RDS.

----------------

5. How much time did you spend on this analysis and writeup?

Answer:

About 30 hours. A lot of the time was spent reading and understanding related advisories and exploits.

----------------

Bonus Question: Do you feel that the attacker in question knew if this was a honeypot? If so, why or why not?

Answer:

I strongly believe that the attacker knew that this was a honeypot. First, he admitted it by creating a file rfp.txt stating "best honeypot I've seen till now :)". Second, he was trying to delete files that were locked by other processes, which I think raised his suspicion. Finally, he was browsing through an exploit folder for various operating systems, which might have made him ask the question of whether or not the owner already knew about the existing vulnerabilities.

---------------

References:

1. RFP Labs. IIS %c1%1c Bug. URL: http://www.wiretrip.com/rfp
2. RFP9902 IIS/RDS Advisory, RFP Labs Knowledge Base. URL: http://www.wiretrip.com/rfp
3. Microsoft Security Bulletin MS99-025: Unauthorized Access to IIS Servers through ODBC Data Access with RDS.
4. RFP Labs, RDS Exploit version 2. URL: http://www.wiretrip.com/rfp