Security Incidents mailing list archives

Re: Web Server Folder Traversal


From: Chris Keladis <chris () CMC CWO NET AU>
Date: Thu, 1 Mar 2001 08:37:32 +1100

Hi Gary,

Just a guess, but perhaps it's a misguided script-kiddie with a home-grown
exploit sending something like "%%c0%%af".. Perhaps IIS tries to parse
"%%c0%%af" can't, and throws it into the logfile as "%c0%af" etc etc..?

(Re-reading your log entries, it appears (although it may be forged) the
attacker used MSIE.. Perhaps it munges unicode URLs and you see what you see in
your logs??)

I don't have a test-bed available at the moment to test the theory but try it
on your test-bed and see how you fare. Try other combinations as well to see if
you can make the raw unicode end up in your logfiles.

Also, a measure you may want to take is to move your "content" onto another
physical partition from your system files (as others have mentioned). If an
attacker has no access to a cmd.exe then the attack is effectively foiled.

Not sure why the patches you added didn't work, but I'd solve that first, then
move your webroot afterwards as a precautionary measure.



Regards,

Chris.


"Portnoy, Gary" wrote:

Hello,

This question may have a very easy answer, but I don't know what it is, and
I am a little stumped.  Following the recent thread about NT compromises due
to the unicode folder traversal vulnerability, I decided to double check my
servers.  And lo and behold, I found one that was vulnerable, however, the
MS patch Q269862 has been applied to it.  I am thinking WTF?  So, I look
through the logs, and see the following:

11:21:01 212.36.0.230 - 172.17.1.4 GET
/msadc/..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c
+"dir%20c:\" 200 80 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) -
11:21:15 212.36.0.230 - 172.17.1.4 GET
/msadc/..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c
+"dir%20c:\winnt\system32\logfiles\" 200 80
Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) -
11:21:24 212.36.0.230 - 172.17.1.4 GET
/msadc/..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c
+"dir%20c:\winnt\system32\logfiles\W3SVC1\" 200 80
Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) -
11:21:42 212.36.0.230 - 172.17.1.4 GET
/msadc/..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c
+"type%20c:\winnt\system32\logfiles\W3SVC1\ex001210.log" 502 80
Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) -

Looks like someone has tried to take advantage of it yesterday.  But I am
pretty sure that I should not be seeing the Unicode characters in the logs.
In the logs it should be showing up as
/msadc/../../../../../../winnt/system32/whatever.exe.  So, I do a default
installation of IIS just to confirm:

19:09:19 10.1.1.62 GET /msdac/../../../../../../winnt/system32/cmd.exe 404
19:09:27 10.1.1.62 GET /scripts/../../../../../../winnt/system32/cmd.exe 200

Yep, that's indeed the case, then why am I seeing the above in the logs, and
why am I still vulnerable, even though the patch is applied?  Could this be
perhaps related to the order the patches were applied, or is there some
other dependency?  This is NT4 SP5, with almost all the released security
patches, or so I thought....

Gary Portnoy
Network Administrator
gportnoy () belenosinc com

PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C

