From matt@westpoint.ltd.uk Fri Apr 20 20:30:19 2001
Date: Thu, 12 Apr 2001 15:05:49 +0100
From: Matt Moore
To: project@honeynet.org
Subject: scan of the month - April

Hello,

My entry for this month is below.

Feedback: I thought there was a bit of overlap between questions 1, 2 and 3 - they could really have been one question. I particularly liked the bonus question - I don't believe I've answered it correctly, but I had fun trying to figure it out.

Scan of the Month #14 - April, 2001
===================================

The Challenge
=============

On 4 Feb. 2001, the system 213.116.251.162 successfully attacked and compromised the honeypot 172.16.1.106, otherwise known as lab.wiretrip.net. We have reason to believe that the attacker knew this was a honeypot; however, we decided to release this challenge as it exemplifies the most common of NT attacks found in the wild. Your only source of information is the snort binary log file that captured the entire attack (MD5=511e652c8f0d69978ca5048725b0df73). You will have to extract and analyze the information from this binary log file. Remember, entries will not only be judged on your answers, but on how easy they are to read, and whether you show how you obtained/conducted your analysis.

Summary:

Attack Duration: 13:25:22 -> 13:28:17

The attacker browses the lab.wiretrip.net web server, which appears to be a guestbook page for RFP's site. At approximately 13:25 he exploits a directory traversal vulnerability (using his browser) to read the 'win.ini' file from the NT web server. He then exploits the RDS vulnerability using RFP's msadc.pl script to create a text file on the server, and then views the text file through his browser via the previous exploit.

Detailed answers:

1. Which exploit(s) were used to attack the system?
==================================================

The first vulnerability that the attacker exploits is known as the 'Extended Unicode Directory Traversal' vulnerability, as shown in the snort log:

    47 45 54 20 2F 67 75 65 73 74 2F 64 65 66 61 75  GET /guest/defau
    6C 74 2E 61 73 70 2F 2E 2E 25 43 30 25 41 46 2E  lt.asp/..%C0%AF.
    2E 2F 2E 2E 25 43 30 25 41 46 2E 2E 2F 2E 2E 25  ./..%C0%AF../..%
    43 30 25 41 46 2E 2E 2F 62 6F 6F 74 2E 69 6E 69  C0%AF../boot.ini

The second is the RDS vulnerability (http://www.wiretrip.net/rfp/p/doc.asp?id=3&iface=2), as shown in the snort logs:

    50 4F 53 54 20 2F 6D 73 61 64 63 2F 6D 73 61 64  POST /msadc/msad
    63 73 2E 64 6C 6C 2F 41 64 76 61 6E 63 65 64 44  cs.dll/AdvancedD
    61 74 61 46 61 63 74 6F 72 79 2E 51 75 65 72 79  ataFactory.Query

The tool used to exploit the RDS vulnerability is called msadc.pl, which uses the string '!ADM!ROX!YOUR!WORLD!' as a MIME separator:

    21 41 44 4D 21 52 4F 58 21 59 4F 55 52 21 57 4F  !ADM!ROX!YOUR!WO
    52 4C 44 21 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79  RLD!..Content-Ty

2. How were the exploits used to access and control the system?
==============================================================

The Unicode directory traversal vulnerability was used to read files outside of the web root. The RDS exploit was used to execute a command via cmd.exe.

3. What was done once access was gained?
=======================================

The Unicode directory traversal exploit was used initially to read the win.ini file from the server, and later to read a file from the C: drive (the 'fun' text file which the attacker created). The RDS exploit was used to execute the command 'echo werd >> c:\fun', which created a file on the C: drive containing the string 'werd'.

4. How could this attack have been prevented?
========================================

By applying the appropriate security patches from Microsoft.

5. How much time did you spend on this analysis and writeup?
===========================================================

10 minutes analysis
10 minutes write-up

Bonus Question: Do you feel that the attacker in question knew if this was a honeypot? If so, why or why not?

I would say that the attacker knew the machine was a honeypot. I think this because:

1) He's very quick to exploit these particular vulnerabilities and does not 'poke around' - almost as though he knows the server will be vulnerable.

2) The attacker doesn't seem to be making a concerted effort to take control of the machine - he doesn't clean the log files or try to escalate his privilege, rather he spends his time amusing himself by creating a text file with one vulnerability and reading it with another. Like he says, fun.
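As an added illustration of the two request patterns described in answers 1 to 3 (this is not part of the original submission, the Honeynet challenge, or msadc.pl), the checker below decodes the overlong %C0%AF sequences the way the unpatched IIS decoder did, flags request lines whose normalised path climbs out of the web root, and flags POSTs to the msadcs.dll RDS endpoint. The sample request lines are constructed: the boot.ini one mirrors the hex dump above, the others are assumed variants.

```python
import re

# Constructed request lines modelled on the snort hex dumps in the write-up (boot.ini mirrors the dump).
SAMPLE_REQUESTS = [
    "GET /guest/default.asp HTTP/1.0",
    "GET /guest/default.asp/..%C0%AF../..%C0%AF../..%C0%AF../boot.ini HTTP/1.0",
    "GET /guest/default.asp/..%c0%af../..%c0%af../..%c0%af../winnt/win.ini HTTP/1.0",
    "POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.0",
]

# An overlong two-byte UTF-8 sequence: lead byte C0/C1 followed by a continuation
# byte. %C0%AF is the overlong form of 0x2F ('/'), the trick used in the attack.
OVERLONG = re.compile(rb"[\xC0\xC1][\x80-\xBF]")

def decode_path(path):
    """Percent-decode a URL path and fold overlong sequences to the ASCII byte
    they encode, as the unpatched IIS decoder did. Returns (decoded, overlong_seen)."""
    raw = re.sub(rb"%([0-9A-Fa-f]{2})",
                 lambda m: bytes([int(m.group(1), 16)]), path.encode("utf-8"))
    seen = OVERLONG.search(raw) is not None
    folded = OVERLONG.sub(
        lambda m: bytes([((m.group(0)[0] & 0x1F) << 6) | (m.group(0)[1] & 0x3F)]), raw)
    return folded.decode("utf-8", errors="replace"), seen

def escapes_webroot(decoded):
    """True if '..' segments climb above the web root once the path is normalised."""
    depth = 0
    for seg in decoded.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def classify(request_line):
    """Findings for one HTTP request line; an empty list means nothing matched."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    method, path = parts[0], parts[1].split("?", 1)[0]
    decoded, overlong = decode_path(path)
    findings = ["overlong-utf8"] if overlong else []
    if escapes_webroot(decoded):
        findings.append("directory-traversal")
    if method == "POST" and decoded.lower().startswith("/msadc/msadcs.dll"):
        findings.append("rds-msadc")
    return findings
```

Matching on the decoded path rather than the raw request string is the point: a signature for a literal '../' never sees the %C0%AF form, which is exactly why the traversal got past the server's own check.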