Security Basics mailing list archives

Re: Suspicious IIS Log entry


From: Sean Earp <smearp () mac com>
Date: Tue, 9 Sep 2003 14:58:53 -0700

Toby-

Someone was trying to remotely spawn a Windows shell. I will completely screw up the name of the exploit (you can read all about it in "Web Hacking: Attacks and Defense" by Stuart McClure (President/CTO of Foundstone) <http://www.amazon.com/exec/obidos/tg/detail/-/0201761769/102-7385223-3402512?v=glance&vi=reviews>), so I won't even try, but the way it works is as follows:

When attempting to hack into a computer that is protected by a firewall, let's say that you (as a good administrator), have faithfully firewalled every port except 80 (HTTP)...

The hacker requests a URL that (by design) specifies the location of the file he is looking for. Your firewall will allow the request through because it is a legitimate HTTP request, through port 80 (which is open). Your IIS web server is configured to let anyone access the /scripts/ directory, because it has (I would assume) some useful script that makes your web page function.

By sending the URL http://www.whatever.com/scripts/..\\../winnt/system32/cmd.exe, the hacker is requesting that the computer access the scripts directory, and then (using your good old DOS commands) move up a directory or two, then into your winnt/system32/ directory, and run (in this case) cmd.exe. Once he has cmd.exe running, he can do pretty much anything he wants on your computer, with full administrative privileges.

Most good web servers will not allow such an activity (for obvious reasons). A legitimate user should only be able to access the content provided by the web server, and nothing outside. SO, hackers came up with a smart way around this limitation...

URL characters can be represented in more than one way (see RFC 1738 at http://www.ietf.org/rfc/rfc1738.txt?number=1738)... The original intent was to allow non-printable or control characters to be input via their ASCII/hex/decimal/octal/etc. representations. Run a Google search on URL obfuscation and you will find a million pages explaining the concept (i.e. http://www.pc-help.org/obscure.htm). Unfortunately, this functionality has been abused by spammers and hackers in ways that were not originally intended. But back to the matter at hand...

IIS is (and was) smart enough to realize that <http://www.whatever.com/scripts/..\\../winnt/system32/cmd.exe> is a dangerous command/URL, and will not allow it. BUT if the request for the URL was re-written as:

<http://www.whatever.com/scripts/..%5c%5c../winnt/system32/cmd.exe> (technically a valid URL), early versions of IIS would NOT consider the URL to be dangerous, because it doesn't really look like the "dangerous" URL above. The URL would be accepted and processed, and VOILA! The hacker had spawned a command shell on the web server, all through a simple URL.

Microsoft found and fixed this problem, and hackers (almost immediately) found a way around it. They simply encoded the encoded portion of the URL. Therefore, IIS is looking for ..\\.. (bad) and ..%5c%5c.. (bad), but was NOT looking for (..%255c%255c..) which, once resolved, traversed the scripts directory and wreaked its havoc.

Good news for you: as evidenced by the IIS log file, IIS is new enough to have recognized and refused this request, which exploits a fairly old problem. If you ever want to UN-obfuscate a URL, check out <http://www.samspade.org>, which has a link un-obfuscator (in the case of this URL, you would have to run it through twice to get the final (bad) URL).

Hopefully this makes some sense (and I HIGHLY recommend the book I mentioned at the beginning for more information on the principles of web-hacking).

-Sean



On Tuesday, September 9, 2003, at 09:42 AM, Toby Schau wrote:

I found the following suspicious entries in my IIS log files. Does anyone recognize the specific vulnerabilities that are being exploited here? [ex030809.log (20)] : 2003-08-09 05:14:10 xxx.xx.xx.xx- xx.xx.xx.xx 80 GET
/default.ida
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX X%u90 90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9 090%u
9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 -

[ex030908.log (201)] : 2003-09-08 06:31:02 xx.xxxxx.xxx - xxx.xx.xxx.xx 80 GET /<Rejected-By-UrlScan> ~/scripts/..%255c%255c../winnt/system32/cmd.exe
404 -
Thanks
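A defender-side version of the "run it through the un-obfuscator twice" check Sean describes, as an added example that is not part of this thread: it URL-decodes a request path until it stops changing, counts how many passes were needed, and flags directory traversal in IIS W3C log lines. The log lines, IP addresses and field order (date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status) are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample log (W3C extended format, fields as listed in the lead-in);
# the traversal requests mirror the ones discussed in the thread, with fake IPs.
SAMPLE_LOG = """\
2003-09-08 06:31:02 10.0.0.5 - 192.0.2.10 80 GET /scripts/..%255c%255c../winnt/system32/cmd.exe - 404 -
2003-09-08 06:32:11 10.0.0.5 - 192.0.2.10 80 GET /scripts/..%5c%5c../winnt/system32/cmd.exe - 404 -
2003-09-08 06:33:40 10.0.0.7 - 192.0.2.10 80 GET /scripts/..%25%35%63../winnt/system32/cmd.exe - 404 -
2003-09-08 06:35:02 10.0.0.9 - 192.0.2.10 80 GET /default.htm - 200 -
2003-09-08 06:36:15 10.0.0.9 - 192.0.2.10 80 GET /images/logo%20small.gif - 200 -
"""

# ".." as a whole path segment, after backslashes have been normalised to "/"
TRAVERSAL = re.compile(r'(^|/)\.\.(/|$)')
MAX_PASSES = 5  # guard against pathological inputs that keep decoding forever

def full_decode(path):
    """Decode %xx sequences repeatedly until a fixed point; return (decoded, passes)."""
    cur, passes = path, 0
    while passes < MAX_PASSES:
        nxt = unquote(cur)
        if nxt == cur:          # nothing left to decode
            break
        cur, passes = nxt, passes + 1
    return cur, passes

def classify(path):
    """Return ('traversal' | 'ok', decode passes, fully decoded path)."""
    decoded, passes = full_decode(path)
    if TRAVERSAL.search(decoded.replace('\\', '/')):
        return ('traversal', passes, decoded)
    return ('ok', passes, decoded)

def scan(log_text):
    """Walk W3C log lines and report traversal attempts; passes > 1 means double encoding."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if not fields or line.startswith('#') or len(fields) < 10:
            continue
        verdict, passes, decoded = classify(fields[7])   # cs-uri-stem
        if verdict == 'traversal':
            findings.append({'client': fields[2], 'status': fields[9],
                             'raw': fields[7], 'decoded': decoded, 'passes': passes})
    return findings

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['client']} passes={f['passes']} status={f['status']} {f['decoded']}")
```

A request whose path only becomes a traversal on the second pass (passes=2) is the double-encoding bypass from the thread, which is exactly what UrlScan rejected in the original log.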



