RE: Unicode Attack

From: Information Security (InformationSecurity@federatedinv.com)
Date: 11/15/02


From: Information Security <InformationSecurity@federatedinv.com>
To: "'nick@virus-l.demon.co.uk'" <nick@virus-l.demon.co.uk>, incidents@securityfocus.com
Date: Fri, 15 Nov 2002 13:50:46 -0500


> > Web log entries:
> >
> > 2002-11-12 13:00:37 210.201.100.253 - x.x.x.17 80 GET
> > /scripts/..%5c../..%5c../..%5cwinnt/system32/cmd.exe /c+dir 200 1849 321
> > 31 HTTP/1.1 63.241.137.233
> > Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) - -
> >
>
> That server should not be vulnerable to the Unicode URL encoding
> directory traversal trick seen above. It seems you have a "safe" box
> and are getting all worried because your IDS saw something that
> ...

Whoooooooooooaaaaa...there's no question that this server IS vulnerable and
WAS successfully "recon"d, Jeremy provided all the evidence you need with
the single log entry. IIS logs like this are very rich with information.
Take a closer look at the log entry
/scripts/..%5c../..%5c../..%5cwinnt/system32/cmd.exe /c+dir 200 1849 321
And break it down into parts:

/scripts/..%5c../..%5c../..%5cwinnt/system32/cmd.exe
They asked for access to cmd.exe

/c+dir
They wanted cmd.exe to do a "dir" command and return immediately (no
interaction)

200
The server returned an HTTP "200" OK to what they wanted. RED FLAG!! No
doubt about it, someone successfully sent arguments to cmd.exe and it
returned data. I can't imagine any scenario where you can get a 200 and NOT
have control of cmd.exe (unless it's a honeypot cmd.exe).

1849
This is the win32 return code, and a 0 here would indicates success; quite
honestly, I'm not sure what the 1849 is from (can anyone help with this
one?)...It might be from the "dir" command, or it might represent the
typical error "this page did not return a properly formatted header. The
headers it did return are..."

321 31
This helps to confirm: you can see that 321 bytes were sent back to the
client in response to the 31 byte request.

There's some other good info we can get from this log entry:

Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)
means that whatever they're using for recon is probably using the built-in
IE object and not crafting the http stream. Perl and command line tools
usually don't include the "User-Agent" in the http header. Assuming they're
not using a sophisticated tool that inserts a bogus user agent, it looks
like they're running an older version of Windows 2000, possibly unpatched.

 - -
Don't forget the blank entries, they're just as important. The first one is
the cookie--if Jeremy's site uses cookies to track user sessions (the
typical IIS setup), we know that this is the first time the user has been
here recently (again, assuming they're typing the URL into IE). The second
blank is for the http referrer--in this case, it's blank, it doesn't give
you anything, but when it's not blank for an attack, it might help you find
an attacker that's hiding behind a proxy.

It's obvious thorugh testing that IIS does a single URL decode of the string
before logging it, and it makes perfect sense to do that. But I'm still
interested in knowing whether SNORT does--I wouldn't expect it to, and maybe
it's not SNORT itself, but one of the actual presentations or storage
mechanisms.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



Relevant Pages

  • RE: Outlook RPC over HTTp deosnt work
    ... try to use RPC over HTTP to connect the Exchange Server. ... What SBS is running on the problematic Server? ...
    (microsoft.public.windows.server.sbs)
  • Re: RPC over HTTP
    ... I will help you with the PRC over Http issue in this thread. ... and go through the Internet option. ... On the Web Server Certificate page shows. ... Microsoft CSS Online Newsgroup Support ...
    (microsoft.public.windows.server.sbs)
  • Re: RPC over HTTP
    ... Are there any other ways of configuring the RPC over HTTP? ... Outlook Web Access, Business Website and so on. ... On the Web Server Certificate page shows. ...
    (microsoft.public.windows.server.sbs)
  • Re: MSAS Licensing Part II
    ... wish to use http access then you must have Enterprise Edition. ... PTS looks at the server name. ... You will note that all of this is totally transparent to the client. ...
    (microsoft.public.sqlserver.olap)
  • Re: RPC over HTTP Question
    ... allow specific traffic transfer and publish some web services to internet. ... On the Web Server Certificate page, ... The wizard automatically configures Exchange, IIS, and the RPC proxy ... >Subject: Re: RPC over HTTP Question ...
    (microsoft.public.windows.server.sbs)