Vulnerability Development mailing list archives
RE: sometimes IIS 4.0 don't write logs.
From: Pablo Aravena <p.aravena () bysecure com>
Date: Thu, 20 Dec 2001 09:48:45 -0400
The problem looks like this:

CMD /K [command]  Executes a command and is "still active".
CMD /C [command]  Executes a command and then finishes.

If you execute a cmd.exe?/k request, it will be in an active state until it has finished this process, unlike the cmd.exe?/c request, which finishes the process immediately. Because of this, IIS does not log the process that has not come to an end.

Sincerely,
Pablo Aravena Martínez
Security Consultant
BYSECURE CSE S.A.
PGP FingerPrint: 4109 41C1 A295 75D8 F159 D542 96C5 5E6D 2B08 F28A
http://www.bysecure.com
mailto:p.aravena () bysecure com
-----Original Message-----
From: ThEye [SMTP:theye () 350cc com]
Sent: Thursday, December 20, 2001 0:39
To: vuln-dev () securityfocus com
CC: ndr113 () 350cc com
Subject: sometimes IIS 4.0 don't write logs.

Hi:

I don't know if this problem is documented, but I didn't find anything about it anywhere. The problem is the following one:

+ Problem:
When I was playing with "Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability" (BugtraqID = 1806), I found that if the attacker uses the "k" option of cmd (cmd /k) instead of the "c" option (cmd /c), IIS 4.0 (with Extended Unicode Directory Traversal Vulnerability) sometimes doesn't write logs of the attacker's activity.

+ Implications:
If an attacker uses this vulnerability to crack a web page or anything, eventually no tracks will exist on the attacked server.

+ Final:
In PROBLEM I said "sometimes" because after a high number of requests to "cmd /k", IIS 4.0 writes logs of some requests; still, I don't know when and why IIS 4.0 writes logs of the "cmd /k" request. Anyone that can confirm or refute this, please post it.

+ Exploit:
I tested this problem on Windows NT Server 4.0 with IIS 4.0 just installed (without any patch).

http://server.com/scripts/..%c1%pc../winnt/system32/cmd.exe?/k+dir
http://server.com/scripts/..%c0%af../winnt/system32/cmd.exe?/k+dir
http://server.com/msadc/..%c1%pc../winnt/system32/cmd.exe?/k+dir
http://server.com/msadc/..%c0%af../winnt/system32/cmd.exe?/k+dir

Result: No tracks on log files.

+ More Information:
1) Microsoft IIS and PWS Extended Unicode Directory Traversal
http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=1806
2) Microsoft Patch prmcan4i
http://download.microsoft.com/download/winntsp/Patch/q269862/NT4ALPHA/EN-US/prmcan4i.exe

Roberto Alamos M. (theye () 350cc com)
www.350cc.com
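
A defender-side check tied to the thread above, added here as an example and not part of either post: it scans an IIS log in W3C extended format for overlong-encoded requests to cmd.exe and marks the /k form, whose entries the thread says are only sometimes written. The log lines, addresses and field layout are constructed assumptions, and the match on any %c0/%c1 byte generalizes beyond the four URLs in the post.

```python
import re

# Constructed sample in W3C extended format (not taken from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-12-20 04:39:10 192.0.2.10 GET /default.htm - 200
2001-12-20 04:39:12 192.0.2.77 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-12-20 04:40:02 192.0.2.77 GET /msadc/..%c0%af../winnt/system32/cmd.exe /k+dir 200
2001-12-20 04:41:30 192.0.2.10 GET /images/logo.gif - 304
"""

# 0xC0 and 0xC1 are never valid UTF-8 lead bytes, so a %c0 or %c1 escape in a
# URL path always marks an overlong encoding, whatever byte follows it.
OVERLONG = re.compile(r"%c[01]", re.IGNORECASE)
# cmd.exe switch at the start of the query string: /c (run, exit) or /k (run, stay).
CMD_SWITCH = re.compile(r"^/([ck])(?:\+|$)", re.IGNORECASE)


def scan(log_text):
    """Return one finding per logged request that reaches cmd.exe via an overlong path."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        if not (OVERLONG.search(stem) and stem.lower().endswith("cmd.exe")):
            continue
        m = CMD_SWITCH.match(row.get("cs-uri-query", ""))
        switch = m.group(1).lower() if m else None
        findings.append({
            "time": f'{row.get("date", "")} {row.get("time", "")}',
            "client": row.get("c-ip", ""),
            "stem": stem,
            "switch": switch,
            # Per the thread, /k requests are only sometimes logged, so one
            # logged /k hit may stand for many that left no entry.
            "may_be_undercounted": switch == "k",
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because the /k requests may leave no entry at all, an empty result from a log scan like this does not show that no such request was made.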