From kf@wi.rr.com Wed Feb 14 19:13:34 2001
Date: Sun, 4 Feb 2001 14:24:48 -0600 (Central Standard Time)
From: Karen Frederick
To: project@honeynet.org
Subject: Submission for Scan 12 challenge

Hi!

Thanks for doing these Scan of the Month challenges. I've done the last few, although I didn't submit anything because I knew I didn't have the answers... :) I've been learning so much by trying to figure out what the heck the scans are. Anyway, I appreciate the time that all of you take to make this possible. Thanks!

Well, here's my submission for Scan 12. Let me know if you have any questions or comments about it...

Karen

==================================================================

SCAN OF THE MONTH #12: February, 2001

QUESTION 1: What is the operating system of the honeypot, how do you know?

The honeypot is running Windows NT 4.0. The most obvious indication of this is the C:\ directory listing, which shows WINNT, boot.ini, Program Files and other things that we'd expect to see on an NT system. Also, it's running Microsoft IIS 4.0, which would normally run on NT 4.0. More subtle information supporting this is the server's packet characteristics: TTL of 128, DF set, window size of 0x2238 (decimal 8760), all of which fingerprint it as an NT system. (NT systems typically use a window size between 5000 and 9000 decimal.)

QUESTION 2: What is the name of this attack?

Microsoft calls it the Web Server Folder Traversal vulnerability. Most other folks refer to it as the Unicode bug.

QUESTION 3: What is the attack attempting to accomplish?

It is attempting (successfully) to return a directory listing for C:\ on the IIS server.

QUESTION 4: How does the attack work?

The Snort logs show that the attacker first connects to the server's port 80 with a TCP three-way handshake. The attacker then enters a URL like this one:

http://172.16.1.106/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\

The significance of "..%c0%af../" is that "%c0%af" is a Unicode representation of "/". So "..%c0%af../" will be translated to "../../". By using this as part of a URL directed toward an unpatched IIS system, an attacker can traverse past the web root directory.

There's a reason why msadc is used as the initial directory. In order for this exploit to work, the initial directory must exist and must have the execute attribute set. msadc is installed by default and normally has the execute attribute set, so it's a good choice.

The attacker is attempting to execute "/winnt/system32/cmd.exe /c dir c:\" on the IIS server. We see the directory listing for c:\ in the session file, so the attack has been successful.

BONUS QUESTION: Is it possible to gain remote control of the system using this technique? If so, how?

This technique alone could not be used to gain remote control. The commands run with the privileges of the IUSR_machine account, which is part of the Everyone and Users groups. However, since the attacker can run various commands as a member of these groups, he or she could utilize this technique as part of an attempt to exploit other vulnerabilities that are accessible through membership in these groups.
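As an added example (not part of Karen's submission or of any Honeynet Project material), the Python below works through the mechanism described in Question 4 from the defender's side. It shows why the traversal is only visible once the request has been percent-decoded and then run through a lenient UTF-8 decoder, contrasts that with a simplified model of the flawed order (validate the path, decode afterwards), and wraps the correct order in a small web-log scanner that flags overlong UTF-8 sequences and any path that climbs above the web root. The log lines are constructed, the decoder is a deliberately simplified model of a permissive UTF-8 decoder (two-byte sequences only), and the detection generalizes from the %c0%af case on the page to any overlong two-byte encoding.

```python
"""Detect IIS-style Unicode directory traversal in web logs (added example)."""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log lines (not from the honeypot capture), in a
# simplified "client method path status" format.
SAMPLE_LOG = """\
10.0.0.5 GET /default.asp 200
10.0.0.9 GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ 200
10.0.0.7 GET /images/..%2f..%2fwinnt/win.ini 404
10.0.0.3 GET /products/list.asp?id=5 200
10.0.0.4 GET /docs/sub/../index.htm 200
"""


def lenient_utf8_decode(data: bytes):
    """Simplified model of a permissive UTF-8 decoder: two-byte sequences are
    accepted even when overlong (lead byte 0xC0/0xC1) and mapped to the ASCII
    character they encode; each overlong sequence is recorded. A strict decoder
    rejects these, which is why a check on the raw request text is not enough."""
    out, overlong, i = [], [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:                       # fits in one byte: overlong form
                overlong.append(data[i:i + 2].hex())
            out.append(chr(cp))
            i += 2
        else:                                   # anything else: replacement char
            out.append("\ufffd")
            i += 1
    return "".join(out), overlong


def canonical_depth(path: str):
    """Resolve '.' and '..' segments (backslash treated like slash). Returns
    (remaining segments, escaped_root); escaped_root means a '..' tried to
    climb above the web root."""
    stack, escaped = [], False
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True
        else:
            stack.append(seg)
    return stack, escaped


def analyze_request(raw_path: str):
    """Correct order: percent-decode, decode UTF-8, then validate the path."""
    path, _, query = raw_path.partition("?")
    decoded, overlong = lenient_utf8_decode(unquote_to_bytes(path))
    segments, escaped = canonical_depth(decoded)
    return {"decoded": decoded, "overlong": overlong, "escapes_root": escaped,
            "resolved": "/" + "/".join(segments), "query": query}


def escapes_root_checked_before_decode(raw_path: str) -> bool:
    """Simplified model (an assumption, not IIS source) of the flawed order:
    validate first, decode UTF-8 afterwards. The overlong bytes are not yet a
    separator, so '..\\xc0\\xaf' is just an odd segment that the following
    '..' pops, and the path appears to stay under its starting directory."""
    path = raw_path.partition("?")[0]
    pre_decode = unquote_to_bytes(path).decode("latin-1")  # bytes kept as-is
    return canonical_depth(pre_decode)[1]


LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def scan_log(text: str):
    """Flag lines whose path escapes the web root or uses overlong UTF-8
    (which has no legitimate use in a URL and is a strong traversal signal)."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, _status = m.groups()
        info = analyze_request(path)
        reasons = []
        if info["overlong"]:
            reasons.append("overlong-utf8:" + ",".join(info["overlong"]))
        if info["escapes_root"]:
            reasons.append("escapes-webroot")
        if reasons:
            hits.append((client, info["resolved"], reasons))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run against the constructed log, the scanner reports the %c0%af request (three overlong sequences, resolves to /winnt/system32/cmd.exe) and the plain %2f traversal, while the in-root `sub/../index.htm` request is left alone; `escapes_root_checked_before_decode` returns False for the same %c0%af path, which is the ordering mistake the page describes.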