Information Security News mailing list archives

Keeping an eye on network security


From: InfoSec News <isn () C4I ORG>
Date: Fri, 8 Dec 2000 19:46:05 -0600

UNIX SECURITY --- December 07, 2000
Published by ITworld.com, the IT problem-solving network
http://www.itworld.com/newsletters

------------------------------------------------------------------------

Keeping an Eye on Network Security 
By Rik Farrow

A little over a year ago, Rain Forest Puppy published a rant about
hacker handles, along with a Perl script for exploiting IIS (Microsoft
NT) Web servers. The hacker handle rant went relatively unnoticed, but
the Perl script was eventually used to compromise thousands of IIS-
based sites. Recently, an anonymous posting to the packetstorm mailing
list may have touched off another firestorm that will be as serious as
Rain Forest Puppy's RDS exploit. Note that it turns out that IIS
operators who had installed an older patch for Microsoft Security
bulletin MS00-057 will already have prevented this new exploit.

Rain Forest Puppy's RDS exploit took advantage of problems that
existed in a database service included in Option Pack 4 for NT.
Systems with this installed added the Remote Data Services, and these
services ran with Administrator group privileges, that is, commands
executed by this service had the same control over an NT system as the
Administrator.  Rain Forest Puppy's script would run rdisk to make a
copy of the SAM (System Accounts Manager) file containing password
hashes, and move this copy to the directory containing the root of the
Web directory.  The attacker could then download the SAM, and use
l0phtcrack to guess passwords matching those in the stolen SAM. Note
that this example is relatively tame, as many people altered the
original scripts to do other things as Administrator.

The new exploit does not give the attacker the same access as
Administrator, but rather can be used to view files and directories, and
to execute commands as the same user as IIS, IUSR_system, where system is
the Web server's hostname. While not as devastating as the RDS
exploit, the ability to execute arbitrary commands on someone else's
Web server has the potential for creating great havoc. Exploits have
appeared on Bugtraq for downloading the executable of your choice and
remotely launching it. For example, remote access to cmd.exe running
as the user IUSR_system can be set up using tftp.exe and a version of
netcat (ncx.exe) that starts a command shell and listens on a
designated port.

The exploit only works against IIS 4 and 5, not against Apache Web
servers. Web servers in general permit the execution of programs or
scripts stored in configured directories, scripts under IIS and
cgi-bin under Apache (by default). Proper coding of these scripts or
programs is critical, as remote Web users will be executing them
routinely. But, through a flaw in how directory names are converted
(canonicalized), attackers can send Unicode versions of / or \
surrounded by pairs of dots (as in .../... to specify a directory two
levels up). The ability to use pairs of dots to ascend directory
levels allows the attacker to reach other, normally not permitted
directories, such as \winnt\system32, where cmd.exe, copy.exe, and
tftp.exe can be found.

Operators of IIS Web servers should have already installed MS00-057,
which would have fixed this bug. However, anecdotal evidence suggests
that this is not the case. Variations of this attack already abound,
including techniques for getting around restrictions on executing
pipes (<|>) to extend the original exploits. And Robert Graham, CEO of
NetworkICE, has reported large numbers of customers seeing URLs
containing the Unicode characters used in these exploits (look for
...%c0%af../winnt in Web server logs; even Apache Web servers are
likely to be probed for this vulnerability).
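The log check suggested above, as an added example that is not part of the article or Farrow's own code: a small Python scanner that percent-decodes each request, accepts the overlong two-byte UTF-8 forms (lead bytes 0xC0/0xC1) that a strict decoder rejects, and flags any request whose dot-dot segments climb above the Web root. The log lines are constructed, not taken from a real server.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log lines in Common Log Format (not from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [08/Dec/2000:10:01:02 -0600] "GET /search.asp?q=unix HTTP/1.0" 200 1043
10.0.0.9 - - [08/Dec/2000:10:01:07 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe HTTP/1.0" 200 512
10.0.0.9 - - [08/Dec/2000:10:01:09 -0600] "GET /msadc/..%c1%9c../winnt/system32/cmd.exe HTTP/1.0" 404 87
10.0.0.7 - - [08/Dec/2000:10:02:11 -0600] "GET /scripts/../../winnt/system32/cmd.exe HTTP/1.0" 403 0
10.0.0.3 - - [08/Dec/2000:10:03:00 -0600] "GET /images/logo.gif HTTP/1.0" 200 2301
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) ')

def lenient_decode(raw: bytes) -> str:
    """Decode bytes like the faulty canonicaliser the article describes:
    ASCII passes through, and overlong 2-byte sequences with a 0xC0/0xC1
    lead byte are accepted, so %c0%af becomes '/' and %c1%9c becomes '\\'.
    Any other non-ASCII byte is replaced (simplification for this example)."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b) if b < 0x80 else "\ufffd")
            i += 1
    return "".join(out)

def escapes_webroot(path: str) -> bool:
    """Walk the decoded path, treating / and \\ alike, and report whether a
    '..' segment ever climbs above the Web root."""
    depth = 0
    for part in re.split(r"[\\/]+", path):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part not in ("", "."):
            depth += 1
    return False

def scan_log(text: str) -> list:
    """Return (line_number, decoded_path) for every request that escapes the root."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m:
            url = m.group(1).split("?", 1)[0]          # drop the query string
            decoded = lenient_decode(unquote_to_bytes(url))
            if escapes_webroot(decoded):
                hits.append((n, decoded))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags lines 2, 3 and 4; the plain `../..` on line 4 is caught by the same path walk, so the check does not depend on matching one particular byte sequence.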

The last time an easily exploitable bug appeared in IIS (RDS), it was
several months before exploits became widespread, peaking in November,
with individual peaks on Sundays. IIS defacements peaked in November
of 1999, again early this summer, but dropped somewhat in late summer
due to the discovery of the format string exploit appearing on many
Linux Web servers. I expect the trend in exploiting NT Web servers to
peak again soon, unless the unlikely happens. That is, all operators
of IIS quickly install the patch and secure their Web servers.


About the author(s)
----------------
Rik Farrow provides Unix and Internet security consulting and
training.  He has been working with Unix system security since 1984,
and with TCP/IP networks since 1988. He has taught for the IRS,
Department of Justice, NSA, US West, Royal Canadian Mounted Police,
Swedish Navy, and for many US and European user groups. Farrow also
consults with firms in the design and implementation of security
applications.

----------------------------------------------------------------------
ADDITIONAL RESOURCES

RDS Exploit and Rant by Rain Forest Puppy
http://www.wiretrip.net/rfp/p/doc.asp?id=1&iface=2

More vulnerabilities in Microsoft's IIS
http://www2.itworld.com/cma/ett_content_article/0,2849,1_1025,00.html

The SeOS security blanket 
Product filters device & file access system calls, scrutinizes them for 
malicious behavior.
http://www.sunworld.com/sunworldonline/swol-07-1996/swol-07-security.html

Real hackers go to Usenix 
An informal look at the Usenix 9th Security Symposium 
http://www.sunworld.com/sunworldonline/swol-11-2000/swol-1117-security.html

-----------------------------------------------------------------------
COMMUNITY DISCUSSIONS

Robert Toxen, author of Real World Linux Security:Intrusion
Prevention, Detection and Recovery, boasts an impressive resume as a
writer, developer, creator, and software architect. Join Toxen and
Cameron Laird for a lively discussion on security, Linux hacking,
open-source development, and more. Runs December 5 through 7.
http://www.itworld.com/jump/ecom_nl/forums.itworld.com/webx?14@@.ee6dd7c/0!skip=

Delve into the gory technical details of Web security in this
discussion for security pros (and newbies) of all stripes. Moderated
by Sandra Henry-Stocker and Dev Zaborav.
http://www.itworld.com/jump/unxadm_nl/forums.itworld.com/webx?14@@.ee6b67b/81!skip=33
-----------------------------------------------------------------------
http://www.itworld.com

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
