Information Security News mailing list archives
Keeping an eye on network security
From: InfoSec News <isn () C4I ORG>
Date: Fri, 8 Dec 2000 19:46:05 -0600
UNIX SECURITY --- December 07, 2000
Published by ITworld.com, the IT problem-solving network
http://www.itworld.com/newsletters
------------------------------------------------------------------------

Keeping an Eye on Network Security
By Rik Farrow

A little over a year ago, Rain Forest Puppy published a rant about hacker handles, along with a Perl script for exploiting IIS (Microsoft NT) Web servers. The hacker handle rant went relatively unnoticed, but the Perl script was eventually used to compromise thousands of IIS-based sites. Recently, an anonymous posting to the packetstorm mailing list may have touched off another firestorm that will be as serious as Rain Forest Puppy's RDS exploit. Note that it turns out that IIS operators who had installed an older patch for Microsoft Security Bulletin MS00-057 will already have prevented this new exploit.

Rain Forest Puppy's RDS exploit took advantage of problems that existed in a database service included in Option Pack 4 for NT. Systems with this installed added the Remote Data Services, and these services ran with Administrator group privileges; that is, commands executed by this service had the same control over an NT system as the Administrator. Rain Forest Puppy's script would run rdisk to make a copy of the SAM (System Accounts Manager) file containing password hashes, and move this copy to the directory containing the root of the Web directory. The attacker could then download the SAM and use l0phtcrack to guess passwords matching those in the stolen SAM. Note that this example is relatively tame, as many people altered the original scripts to do other things as Administrator.

The new exploit does not give the attacker the same access as Administrator, but rather can be used to view files and directories, and to execute commands, as the same user as IIS, IUSR_system, where system is the Web server's hostname.
While not as devastating as the RDS exploit, the ability to execute arbitrary commands on someone else's Web server has the potential for creating great havoc. Exploits have appeared on Bugtraq for downloading the executable of your choice and remotely launching it. For example, remote access to cmd.exe running as the user IUSR_system can be set up using tftp.exe and a version of netcat (ncx.exe) that starts a command shell and listens on a designated port. The exploit only works against IIS 4 and 5, not against Apache Web servers.

Web servers in general permit the execution of programs or scripts stored in configured directories (by default, scripts under IIS and cgi-bin under Apache). Proper coding of these scripts or programs is critical, as remote Web users will be executing them routinely. But, through a flaw in how directory names are converted (canonicalized), attackers can send Unicode versions of / or \ surrounded by pairs of dots (as in ../.. to specify a directory two levels up). The ability to use pairs of dots to ascend directory levels allows the attacker to reach other, normally not permitted directories, such as \winnt\system32, where cmd.exe, copy.exe, and tftp.exe can be found.

Operators of IIS Web servers should have already installed MS00-057, which would have fixed this bug. However, anecdotal evidence suggests that this is not the case. Variations of this attack already abound, including techniques for getting around restrictions on executing pipes (<|>) to extend the original exploits. Robert Graham, CEO of NetworkICE, reports that large numbers of customers are seeing URLs containing the Unicode characters used in these exploits (look for ...%c0%af../winnt in Web server logs, as even Apache Web servers are likely to be probed for this vulnerability).
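The canonicalization flaw described above comes down to the order of two steps: IIS checked the request path for directory traversal before it decoded the overlong UTF-8 escapes (%c0%af for / and %c1%9c for \), so the check saw "..%c0%af.." as a harmless directory name while the file system later received "../..". The following Python model is an added example, not code from the article or from IIS: it decodes the way a lenient decoder does, contrasts the flawed check-then-decode order with the corrected decode-then-check order, and applies the same decoded-path test to constructed log lines as a detector for the probes the article says to look for. The web root path and the log lines are assumptions made up for the demo.

```python
import posixpath
from urllib.parse import unquote_to_bytes

WEBROOT = "/inetpub/wwwroot"  # hypothetical web root used for the demo


def decode(raw: str) -> str:
    """Percent-decode, then decode two-byte UTF-8 sequences leniently.
    A strict decoder rejects overlong forms such as %c0%af ('/') and
    %c1%9c ('\\'); this models the decoder that accepted them."""
    data = unquote_to_bytes(raw)
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def fs_path(p: str) -> str:
    """Map a URL path onto the file system the way the OS resolves it."""
    return posixpath.normpath(WEBROOT + "/" + p.replace("\\", "/").lstrip("/"))


def escapes_root(p: str) -> bool:
    return not fs_path(p).startswith(WEBROOT + "/")


def check_then_decode(raw: str):
    """Flawed order: traversal check on the still-encoded path, then the
    decoded path is handed to the file system. Returns the path opened."""
    if escapes_root(raw):
        return None
    return fs_path(decode(raw))


def decode_then_check(raw: str):
    """Corrected order: decode fully first, then check the real path."""
    decoded = decode(raw)
    return None if escapes_root(decoded) else fs_path(decoded)


def scan_log(lines):
    """Detection: flag request paths whose decoded form leaves the web root."""
    hits = []
    for line in lines:
        parts = line.split('"')          # combined log format: request in quotes
        req = parts[1].split() if len(parts) > 1 else []
        if len(req) > 1 and escapes_root(decode(req[1])):
            hits.append(req[1])
    return hits


# Constructed sample log lines (combined log format), not real data.
SAMPLE_LOG = [
    '10.0.0.1 - - [07/Dec/2000:10:00:00 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe HTTP/1.0" 200 1234',
    '10.0.0.2 - - [07/Dec/2000:10:00:01 -0600] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.3 - - [07/Dec/2000:10:00:02 -0600] "GET /msadc/..%c1%9c..%c1%9cwinnt/system32/cmd.exe HTTP/1.0" 404 0',
]
```

Running scan_log over SAMPLE_LOG flags the two probe requests and passes the ordinary one; the same escapes_root(decode(...)) test is what decode_then_check enforces before any file is opened.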
The last time an easily exploitable bug appeared in IIS (RDS), it was several months before exploits became widespread, peaking in November, with individual peaks on Sundays. IIS defacements peaked in November of 1999, again early this summer, but dropped somewhat in late summer due to the discovery of the format string exploit appearing on many Linux Web servers. I expect the trend in exploiting NT Web servers to peak again soon, unless the unlikely happens: that is, all operators of IIS quickly install the patch and secure their Web servers.

About the author(s)
----------------
Rik Farrow provides Unix and Internet security consulting and training. He has been working with Unix system security since 1984, and with TCP/IP networks since 1988. He has taught for the IRS, Department of Justice, NSA, US West, Royal Canadian Mounted Police, Swedish Navy, and for many US and European user groups. Farrow also consults with firms in the design and implementation of security applications.

----------------------------------------------------------------------
ADDITIONAL RESOURCES

RDS Exploit and Rant by Rain Forest Puppy
http://www.wiretrip.net/rfp/p/doc.asp?id=1&iface=2

More vulnerabilities in Microsoft's IIS
http://www2.itworld.com/cma/ett_content_article/0,2849,1_1025,00.html

The SeOS security blanket
Product filters device & file access system calls, scrutinizes them for malicious behavior.
http://www.sunworld.com/sunworldonline/swol-07-1996/swol-07-security.html

Real hackers go to Usenix
An informal look at the Usenix 9th Security Symposium
http://www.sunworld.com/sunworldonline/swol-11-2000/swol-1117-security.html

-----------------------------------------------------------------------
COMMUNITY DISCUSSIONS

Robert Toxen, author of Real World Linux Security: Intrusion Prevention, Detection and Recovery, boasts an impressive resume as a writer, developer, creator, and software architect.
Join Toxen and Cameron Laird for a lively discussion on security, Linux hacking, open-source development, and more. Runs December 5 through 7.
http://www.itworld.com/jump/ecom_nl/forums.itworld.com/webx?14@@.ee6dd7c/0!skip=

Delve into the gory technical details of Web security in this discussion for security pros (and newbies) of all stripes. Moderated by Sandra Henry-Stocker and Dev Zaborav.
http://www.itworld.com/jump/unxadm_nl/forums.itworld.com/webx?14@@.ee6b67b/81!skip=33

-----------------------------------------------------------------------
http://www.itworld.com

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".