Security Incidents mailing list archives

Re: Some details in a recent NT hack we encountered


From: Matt Scarborough <vexversa () USA NET>
Date: Mon, 26 Feb 2001 03:32:08 EST

On Sun, 25 Feb 2001 22:21:11 -0700, Ron Grove <rgrove () HOTMAIL COM> wrote:

> I don't know exactly where he got SYSTEM access, but I expect
> somehow through dl.exe?

Regis, this is my final answer. This is a better answer than I gave before.
This all goes back to the UNICODE exploit as the point of entry. A site vulnerable
to the UNICODE exploit is likely vulnerable to this kit.

IIS4 on NT4 ran E.ASP as Local System. This is by design (seriously).

E.ASP was a WSH file that, when launched, wrote DL.BAT, launched a command
shell, and ran DL.BAT.

In the E.ASP example you gave, adding this line
tf.WriteLine("CMD /C DumpTokenInfo.exe >dump.txt")
will add
CMD /C DumpTokenInfo.exe >dump.txt
to DL.BAT and give us the process token when that line is executed via IIS
(when E.ASP is requested remotely from a web browser and runs WSH).

Provided, of course, that for testing we throw DumpTokenInfo.exe into
C:\INETPUB\SCRIPTS\ first, from Dump.txt we get

Token Owner: BUILTIN\Administrators - Alias
Token Primary Group: NT AUTHORITY\SYSTEM - User
Token Default DACL:
Access Allowed for:
NT AUTHORITY\SYSTEM - User
All access
Access Allowed for:
BUILTIN\Administrators - Alias
Token Source: *SYSTEM*
Token type: Primary Token
Token is not an impersonation token

DumpTokenInfo at
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=15989

That is how
C:\WINNT\system32\os2\dll\new\FireDaemon.exe
C:\WINNT\system32\os2\dll\new\login.txt
C:\WINNT\system32\os2\dll\new\MMtask.exe
C:\WINNT\system32\os2\dll\new\SUD.bak
C:\WINNT\system32\os2\dll\new\SUD.exe
C:\WINNT\system32\os2\dll\new\cache\cache.idx
were created and the ownership of
C:\WINNT\system32\os2\dll\new
was set to SYSTEM.

BTW,
SUD.EXE=Serv-U FTP Server
MMTask.exe=WinGate 3.0 Engine

If you see activity on these ports (though they are probably configurable,
since this is a kit), heads up!

FPort v1.33 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path                          

240   MMtask         ->  9273  TCP   C:\WINNT\system32\os2\dll\new\MMtask.exe
240   MMtask         ->  9274  TCP   C:\WINNT\system32\os2\dll\new\MMtask.exe
240   MMtask         ->  9275  TCP   C:\WINNT\system32\os2\dll\new\MMtask.exe
240   MMtask         ->  9276  TCP   C:\WINNT\system32\os2\dll\new\MMtask.exe
240   MMtask         ->  9277  TCP   C:\WINNT\system32\os2\dll\new\MMtask.exe
240   MMtask         ->  9278  TCP   C:\WINNT\system32\os2\dll\new\MMtask.exe
229   SUD            ->  19216 TCP   C:\WINNT\system32\os2\dll\new\SUD.exe
229   SUD            ->  45092 TCP   C:\WINNT\system32\os2\dll\new\SUD.exe
240   MMtask         ->  1040  UDP   C:\WINNT\system32\os2\dll\new\MMtask.exe

Matt 2001-02-26
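A small triage script for this kind of FPort listing, added here as an example and not part of Matt's post or of FPort itself: it parses FPort's text output and flags any listener whose executable sits outside an assumed allowlist of service directories, which catches the C:\WINNT\system32\os2\dll\new location above. The allowlist and the benign sample rows are constructed for the example.

```python
import ntpath
import re

# Constructed sample in the layout FPort prints: three rows copied from the
# post plus two benign rows (System, inetinfo) added for contrast.
SAMPLE_FPORT = r"""Pid   Process            Port  Proto Path

8     System         ->  135   TCP
112   inetinfo       ->  80    TCP   C:\WINNT\system32\inetsrv\inetinfo.exe
240   MMtask         ->  9273  TCP   C:\WINNT\system32\os2\dll\new\MMtask.exe
229   SUD            ->  19216 TCP   C:\WINNT\system32\os2\dll\new\SUD.exe
240   MMtask         ->  1040  UDP   C:\WINNT\system32\os2\dll\new\MMtask.exe
"""

# One FPort row: pid, process name, '->', port, protocol, optional path.
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")

# Directories from which listening services are expected on an NT4/IIS4 host.
# This allowlist is an assumption for the example; adjust it per host.
EXPECTED_DIRS = {r"c:\winnt\system32", r"c:\winnt\system32\inetsrv"}

def parse_fport(text):
    """Parse FPort's 'Pid Process -> Port Proto Path' rows into dicts."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid, proc, port, proto, path = m.groups()
            rows.append({"pid": int(pid), "process": proc, "port": int(port),
                         "proto": proto, "path": path.strip()})
    return rows

def suspicious_listeners(text):
    """Return rows whose executable directory is outside EXPECTED_DIRS."""
    # The path, not the port, is the signal: the post notes the kit's ports
    # are probably configurable. Pathless kernel listeners (System) are skipped.
    hits = []
    for row in parse_fport(text):
        if not row["path"]:
            continue
        directory = ntpath.dirname(row["path"]).lower()
        if directory not in EXPECTED_DIRS:
            hits.append(row)
    return hits

if __name__ == "__main__":
    for h in suspicious_listeners(SAMPLE_FPORT):
        print(f"pid {h['pid']:>4} {h['process']:<8} {h['proto']}/{h['port']:<5} {h['path']}")
```

Run it against a saved `fport > fport.txt` capture by passing the file's contents in place of SAMPLE_FPORT.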
