Security Incidents mailing list archives

Web Server Folder Traversal


From: "Portnoy, Gary" <gportnoy () BELENOSINC COM>
Date: Tue, 27 Feb 2001 14:52:57 -0500

Hello,

This question may have a very easy answer, but I don't know what it is, and
I am a little stumped.  Following the recent thread about NT compromises due
to the Unicode folder traversal vulnerability, I decided to double-check my
servers.  And lo and behold, I found one that was vulnerable; however, the
MS patch Q269862 had been applied to it.  I am thinking WTF?  So, I look
through the logs and see the following:

11:21:01 212.36.0.230 - 172.17.1.4 GET /msadc/..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"dir%20c:\" 200 80 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) -
11:21:15 212.36.0.230 - 172.17.1.4 GET /msadc/..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"dir%20c:\winnt\system32\logfiles\" 200 80 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) -
11:21:24 212.36.0.230 - 172.17.1.4 GET /msadc/..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"dir%20c:\winnt\system32\logfiles\W3SVC1\" 200 80 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) -
11:21:42 212.36.0.230 - 172.17.1.4 GET /msadc/..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"type%20c:\winnt\system32\logfiles\W3SVC1\ex001210.log" 502 80 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) -

It looks like someone tried to take advantage of it yesterday.  But I am
pretty sure that I should not be seeing the Unicode characters in the logs.
In the logs it should show up as
/msadc/../../../../../../winnt/system32/whatever.exe.  So, I do a default
installation of IIS just to confirm:

19:09:19 10.1.1.62 GET /msdac/../../../../../../winnt/system32/cmd.exe 404
19:09:27 10.1.1.62 GET /scripts/../../../../../../winnt/system32/cmd.exe 200

Yep, that's indeed the case.  So why am I seeing the above in the logs, and
why am I still vulnerable, even though the patch is applied?  Could this
perhaps be related to the order in which the patches were applied, or is
there some other dependency?  This is NT4 SP5 with almost all the released
security patches, or so I thought....

Gary Portnoy
Network Administrator
gportnoy () belenosinc com

PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C
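The post shows the same traversal recorded two ways: the attacked server logged the raw overlong UTF-8 sequence (%c0%af, which decodes to "/"), while the default install logged the already-decoded "../" path. A log scanner that only looks for "../" misses the first form. The script below is an added example, not code from the post or from Microsoft; it takes the six log entries quoted above (copied from the message so it runs offline), percent-decodes each URI stem, decodes overlong 2-byte sequences (lead byte 0xC0 or 0xC1) the way the vulnerable IIS did, and flags traversal plus cmd.exe invocation together with the HTTP status. The field layout (time, client IP, optional username and server IP, method, URI, status) is assumed from the lines in the post.

```python
from urllib.parse import unquote_to_bytes

# The six log entries from the post above, with mail-wrapped lines rejoined.
SAMPLE_LOG = [
    r'11:21:01 212.36.0.230 - 172.17.1.4 GET /msadc/..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"dir%20c:\" 200 80 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) -',
    r'11:21:15 212.36.0.230 - 172.17.1.4 GET /msadc/..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"dir%20c:\winnt\system32\logfiles\" 200 80 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) -',
    r'11:21:24 212.36.0.230 - 172.17.1.4 GET /msadc/..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"dir%20c:\winnt\system32\logfiles\W3SVC1\" 200 80 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) -',
    r'11:21:42 212.36.0.230 - 172.17.1.4 GET /msadc/..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"type%20c:\winnt\system32\logfiles\W3SVC1\ex001210.log" 502 80 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) -',
    r'19:09:19 10.1.1.62 GET /msdac/../../../../../../winnt/system32/cmd.exe 404',
    r'19:09:27 10.1.1.62 GET /scripts/../../../../../../winnt/system32/cmd.exe 200',
]

METHODS = {"GET", "POST", "HEAD"}


def decode_path(uri):
    """Percent-decode a URI stem, then decode overlong two-byte UTF-8
    sequences (lead byte 0xC0/0xC1) into the ASCII character they encode,
    which is what the unpatched IIS did: %c0%af -> '/', %c1%9c -> '\\'.
    Returns (decoded_path, number_of_overlong_sequences)."""
    raw = unquote_to_bytes(uri)
    out, overlong, i = [], 0, 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            overlong += 1
            i += 2
        else:
            out.append(chr(b))  # plain byte; log data here is ASCII
            i += 1
    return "".join(out), overlong


def classify(line):
    """Parse one IIS-style log line (layout assumed from the post) and
    return a dict describing traversal / cmd.exe indicators, or None."""
    tokens = line.split()
    try:
        m = next(i for i, t in enumerate(tokens) if t in METHODS)
    except StopIteration:
        return None
    uri = tokens[m + 1]
    status = next((t for t in tokens[m + 2:] if t.isdigit() and len(t) == 3), None)
    stem = uri.split("?", 1)[0]
    decoded, overlong = decode_path(stem)
    normalized = decoded.replace("\\", "/")
    return {
        "time": tokens[0],
        "client": tokens[1],
        "path": decoded,
        "status": status,
        "overlong": overlong,
        "traversal": "/../" in normalized or normalized.endswith("/.."),
        "cmd": "cmd.exe" in normalized.lower(),
    }


def scan(lines):
    """Return the parsed entries that contain a directory traversal,
    whether it was logged encoded (%c0%af) or already decoded (../)."""
    hits = []
    for line in lines:
        entry = classify(line)
        if entry and entry["traversal"]:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        tag = "EXECUTED?" if h["cmd"] and h["status"] == "200" else "attempt"
        print(f'{h["time"]} {h["client"]} {tag} status={h["status"]} '
              f'overlong={h["overlong"]} {h["path"]}')
```

Each hit keeps the HTTP status because, as the post's own test shows, the 404 for the mistyped /msdac/ path and the 200 for /scripts/ are what distinguish a probe from a traversal that actually reached cmd.exe; a 200 on such a request is the line to treat as a successful command execution when triaging.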

