Re: Suspicious IIS Log entry

From: Sean Earp (smearp_at_mac.com)
Date: 09/09/03

    Date: Tue, 9 Sep 2003 14:58:53 -0700
    To: Toby Schau <Toby.Schau@iacudiv.state.ia.us>

    Toby-

    Someone was trying to remotely spawn a Windows shell. I will
    completely screw up the name of the exploit (you can read all about it
    in "Web Hacking: Attacks and Defense" by Stuart McClure (President/CTO
    of Foundstone)
    <http://www.amazon.com/exec/obidos/tg/detail/-/0201761769/102-7385223-
    3402512?v=glance&vi=reviews>), so I won't even try, but the way it works
    is as follows:

    When attempting to hack into a computer that is protected by a
    firewall, let's say that you (as a good administrator), have faithfully
    firewalled every port except 80 (HTTP)...

    The hacker requests a URL that (by design) specifies the location of
    the file he is looking for. Your firewall will allow the request
    through because it is a legitimate HTTP request, through port 80 (which
    is open). Your IIS web server is configured to let anyone access the
    /scripts/ directory, because it has (I would assume) some useful script
    that makes your web page function.

    By sending the URL
    http://www.whatever.com/scripts/..\\../winnt/system32/cmd.exe, the
    hacker is requesting that the computer access the scripts directory,
    and then (using your good old DOS commands) move up a directory or
    two, then into your winnt/system32/ directory, and run (in this
    case) cmd.exe. Once he has cmd.exe running, he can do pretty much
    anything he wants on your computer, with full administrative privileges.

    Most good web servers will not allow such an activity (for obvious
    reasons). A legitimate user should only be able to access the content
    provided by the web server, and nothing outside. So, hackers came up
    with a smart way around this limitation...

    URL characters can be represented in more than one way (see RFC 1738 at
    http://www.ietf.org/rfc/rfc1738.txt?number=1738)... The original
    intent was to allow non-printable or control characters to be input via
    their ASCII/hex/decimal/octal/etc. representations. Run a Google
    search on URL obfuscation and you will find a million pages explaining
    the concept (e.g. http://www.pc-help.org/obscure.htm). Unfortunately,
    this functionality has been abused by spammers and hackers in ways that
    were not originally intended. But back to the matter at hand...

    IIS is (and was) smart enough to realize that
    <http://www.whatever.com/scripts/..\\../winnt/system32/cmd.exe> is a
    dangerous command/URL, and will not allow it. BUT if the request for
    the URL was re-written as:

    <http://www.whatever.com/scripts/..%5c%5c../winnt/system32/cmd.exe>
    (technically a valid URL), early versions of IIS would NOT consider the
    URL to be dangerous, because it doesn't really look like the
    "dangerous" URL above. The URL would be accepted and processed, and
    VOILA! The hacker had spawned a command shell on the web server, all
    through a simple URL.

    Microsoft found and fixed this problem, and hackers (almost
    immediately) found a way around it. They simply encoded the encoded
    portion of the URL. Therefore, IIS is looking for ..\\.. (bad) and
    ..%5c%5c.. (bad), but was NOT looking for (..%255c%255c..) which, once
    resolved, traversed the scripts directory and wreaked its havoc.

    Good news for you: as evidenced by the IIS log file, IIS is new enough
    to have recognized and refused this request, which exploits a fairly old
    problem. If you ever want to UN-obfuscate a URL, check out
    <http://www.samspade.org>, which has a link un-obfuscator (in the case
    of this URL, you would have to run it through twice to get the final
    (bad) URL).

    Hopefully this makes some sense (and I HIGHLY recommend the book I
    mentioned at the beginning for more information on the principles of
    web-hacking).

    -Sean

    On Tuesday, September 9, 2003, at 09:42 AM, Toby Schau wrote:

    > I found the following suspicious entries in my IIS log files. Does
    > anyone
    > recognize the specific vulnerabilities that are attempted to be
    > exploited?
    > [ex030809.log (20)] : 2003-08-09 05:14:10 xxx.xx.xx.xx- xx.xx.xx.xx 80
    > GET
    > /default.ida
    > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    > XXXXX
    > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    > XXXXX
    > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    > X%u90
    > 90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9
    > 090%u
    > 9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 -
    >
    > [ex030908.log (201)] : 2003-09-08 06:31:02 xx.xxxxx.xxx -
    > xxx.xx.xxx.xx 80
    > GET /<Rejected-By-UrlScan>
    > ~/scripts/..%255c%255c../winnt/system32/cmd.exe
    > 404 -
    > Thanks
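The "run it through twice" un-obfuscation described above, as an added detection example (not code from this thread, from IIS or from UrlScan): the request path is percent-decoded repeatedly and checked for traversal after every pass, so `..%255c%255c..` is caught along with `..%5c%5c..` and `..\\..`. The log lines are constructed (made-up IPs) in the layout of the entries quoted in the question, and the field positions, the UrlScan `~` convention and the decode-pass limit are assumptions.

```python
from urllib.parse import unquote

MAX_DECODE_PASSES = 3                  # assumption: covers double/triple encoding
URLSCAN_MARK = "/<Rejected-By-UrlScan>"  # marker seen in the quoted log entry

def decode_forms(path):
    """Every intermediate form of the path, one entry per decoding pass."""
    forms = [path]
    for _ in range(MAX_DECODE_PASSES):
        nxt = unquote(forms[-1])
        if nxt == forms[-1]:      # nothing left to decode
            break
        forms.append(nxt)
    return forms

def escapes_webroot(path):
    """True if the path climbs above '/', treating '\\' as a separator like IIS."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False

def classify_path(path):
    """Return (is_traversal, passes_needed, form_in_which_it_was_detected)."""
    for n, form in enumerate(decode_forms(path)):
        if escapes_webroot(form):
            return True, n, form
    return False, 0, path

def analyse_log_line(line):
    """Parse a line shaped like the quoted ones: date time c-ip user s-ip port method uri query status ..."""
    fields = line.split()
    method, uri, query, status = fields[6:10]
    # Assumption: UrlScan logs its marker as the URI and the original URI, prefixed '~', as the query
    requested = query[1:] if uri == URLSCAN_MARK and query.startswith("~") else uri
    traversal, passes, resolved = classify_path(requested)
    return {"method": method, "status": status, "rejected_by_urlscan": uri == URLSCAN_MARK,
            "traversal": traversal, "decode_passes": passes, "resolved": resolved}

# Constructed sample lines (RFC 5737 test IPs), in the layout of the quoted IIS entries
SAMPLE_LINES = [
    "2003-09-08 06:31:02 192.0.2.10 - 198.51.100.5 80 GET /<Rejected-By-UrlScan> ~/scripts/..%255c%255c../winnt/system32/cmd.exe 404 -",
    "2003-09-08 06:40:00 192.0.2.11 - 198.51.100.5 80 GET /scripts/..%5c%5c../winnt/system32/cmd.exe - 404 -",
    "2003-09-08 06:41:00 192.0.2.12 - 198.51.100.5 80 GET /index.html - 200 -",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(analyse_log_line(line))
```

The `decode_passes` value tells you how deeply the request was encoded, which is the cheapest signal that a client was deliberately trying to slip past a single-pass filter.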
