Security Incidents mailing list archives
Re: Web Server Folder Traversal
From: Chris Keladis <chris () CMC CWO NET AU>
Date: Thu, 1 Mar 2001 08:37:32 +1100
Hi Gary,

Just a guess, but perhaps it's a misguided script-kiddie with a home-grown exploit sending something like "%%c0%%af". Perhaps IIS tries to parse "%%c0%%af", can't, and throws it into the logfile as "%c0%af" etc.? (Re-reading your log entries, it appears (although it may be forged) the attacker used MSIE. Perhaps it munges Unicode URLs and you see what you see in your logs?)

I don't have a test-bed available at the moment to test the theory, but try it on your test-bed and see how you fare. Try other combinations as well to see if you can make the raw Unicode end up in your logfiles.

Also, a measure you may want to take is to move your "content" onto another physical partition from your system files (as others have mentioned). If an attacker has no access to a cmd.exe, then the attack is effectively foiled.

Not sure why the patches you added didn't work, but I'd solve that first, then move your webroot afterwards as a precautionary measure.

Regards,

Chris.

"Portnoy, Gary" wrote:
Hello,

This question may have a very easy answer, but I don't know what it is, and I am a little stumped. Following the recent thread about NT compromises due to the Unicode folder traversal vulnerability, I decided to double-check my servers. And lo and behold, I found one that was vulnerable; however, the MS patch Q269862 has been applied to it. I am thinking WTF? So, I look through the logs, and see the following:

11:21:01 212.36.0.230 - 172.17.1.4 GET /msadc/..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"dir%20c:\" 200 80 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) -
11:21:15 212.36.0.230 - 172.17.1.4 GET /msadc/..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"dir%20c:\winnt\system32\logfiles\" 200 80 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) -
11:21:24 212.36.0.230 - 172.17.1.4 GET /msadc/..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"dir%20c:\winnt\system32\logfiles\W3SVC1\" 200 80 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) -
11:21:42 212.36.0.230 - 172.17.1.4 GET /msadc/..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"type%20c:\winnt\system32\logfiles\W3SVC1\ex001210.log" 502 80 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) -

Looks like someone has tried to take advantage of it yesterday. But I am pretty sure that I should not be seeing the Unicode characters in the logs. In the logs it should be showing up as /msadc/../../../../../../winnt/system32/whatever.exe. So, I do a default installation of IIS just to confirm:

19:09:19 10.1.1.62 GET /msdac/../../../../../../winnt/system32/cmd.exe 404
19:09:27 10.1.1.62 GET /scripts/../../../../../../winnt/system32/cmd.exe 200

Yep, that's indeed the case, then why am I seeing the above in the logs, and why am I still vulnerable, even though the patch is applied? Could this be perhaps related to the order the patches were applied, or is there some other dependency?

This is NT4 SP5, with almost all the released security patches, or so I thought....

Gary Portnoy
Network Administrator
gportnoy () belenosinc com
PGP Fingerprint: 9D69 6A39 642D 78FD 207C 307D B37D E01A 2E89 9D2C
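An added example, not part of the thread above and not anything either poster ran: it shows the mechanism behind the log entries Gary quoted (a lenient UTF-8 decoder that accepts the overlong sequence %c0%af as "/" and %c1%9c as "\", which strict UTF-8 rejects), and a scanner that flags traversal attempts in IIS W3C-style log lines whether the log shows the encoded form (as on Gary's patched server) or the decoded form (as on his test install). The sample log is constructed from the four quoted requests with the e-mail line wrap removed, plus two invented lines; the ten-field layout (time, client IP, user, server IP, method, URI, status, port, user agent, referer) is an assumption read off the quoted lines, not a claim about a particular IIS logging configuration.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample log (not a real capture). The first four lines are the requests quoted
# in the post, the fifth is the decoded form Gary's test install logged, rewritten into the
# same assumed field layout, and the sixth is a benign ".." that never leaves the web root.
SAMPLE_LOG = r"""
11:21:01 212.36.0.230 - 172.17.1.4 GET /msadc/..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"dir%20c:\" 200 80 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) -
11:21:15 212.36.0.230 - 172.17.1.4 GET /msadc/..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"dir%20c:\winnt\system32\logfiles\" 200 80 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) -
11:21:24 212.36.0.230 - 172.17.1.4 GET /msadc/..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"dir%20c:\winnt\system32\logfiles\W3SVC1\" 200 80 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) -
11:21:42 212.36.0.230 - 172.17.1.4 GET /msadc/..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"type%20c:\winnt\system32\logfiles\W3SVC1\ex001210.log" 502 80 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) -
19:09:27 10.1.1.62 - 10.1.1.1 GET /scripts/../../../../../../winnt/system32/cmd.exe 200 80 - -
19:10:02 10.1.1.62 - 10.1.1.1 GET /scripts/../images/logo.gif 200 80 - -
"""


def decode_lenient_utf8(data: bytes) -> str:
    """Decode UTF-8 the way a decoder that does not enforce shortest-form encoding does:
    a 2- or 3-byte sequence is accepted even when it is an overlong encoding of a code
    point that fits in fewer bytes, so C0 AF becomes "/" and C1 9C becomes "\\".
    Bytes that do not form a sequence are passed through one-to-one (latin-1 style)."""
    out, i, n = [], 0, len(data)
    while i < n:
        b0 = data[i]
        if b0 < 0x80:
            out.append(chr(b0))
            i += 1
        elif 0xC0 <= b0 <= 0xDF and i + 1 < n and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b0 & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        elif (0xE0 <= b0 <= 0xEF and i + 2 < n
              and all(0x80 <= c <= 0xBF for c in data[i + 1:i + 3])):
            out.append(chr(((b0 & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6)
                           | (data[i + 2] & 0x3F)))
            i += 3
        else:
            out.append(chr(b0))
            i += 1
    return "".join(out)


def strict_utf8_accepts(data: bytes) -> bool:
    """Python's default decoder enforces shortest form, so overlong sequences fail."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def has_overlong_utf8(data: bytes) -> bool:
    """True if data contains an overlong 2- or 3-byte sequence: a C0/C1 lead byte can
    never start a valid sequence, and E0 must be followed by a byte of at least A0."""
    for i, b in enumerate(data):
        if b in (0xC0, 0xC1):
            return True
        if b == 0xE0 and i + 1 < len(data) and 0x80 <= data[i + 1] < 0xA0:
            return True
    return False


def escapes_root(path: str) -> bool:
    """True if the decoded path climbs above the web root at any point. A ".." that
    only backs out of a directory the path entered earlier is not traversal."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def scan_iis_log(text: str) -> list:
    """Return one record per request whose path escapes the web root once it is
    percent-decoded and then decoded leniently, i.e. as the vulnerable server saw it."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or not parts[6].isdigit():
            continue  # blank line or not a request record in the assumed layout
        time_, client, _user, _server, _method, uri, status = parts[:7]
        raw = unquote_to_bytes(uri.split("?", 1)[0])  # path only, query dropped
        path = decode_lenient_utf8(raw)
        if escapes_root(path):
            hits.append({
                "time": time_,
                "client": client,
                "status": int(status),
                "encoding": "overlong-utf8" if has_overlong_utf8(raw) else "plain",
                "decoded_path": path.replace("\\", "/"),
            })
    return hits


if __name__ == "__main__":
    for h in scan_iis_log(SAMPLE_LOG):
        print(f'{h["time"]} {h["client"]} {h["status"]} {h["encoding"]:14} {h["decoded_path"]}')
```

The scanner decodes leniently on purpose: the question is what the server would have resolved, not whether the bytes are valid UTF-8, so the %c0%af lines and the already-decoded test line both come out as the same /msadc/../../… path and are both reported, while the benign /scripts/../images/logo.gif is not. The 502 on the last quoted request is reported alongside the 200s, since the status says nothing about whether the path escaped the root.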
Current thread:
- Web Server Folder Traversal Portnoy, Gary (Feb 28)
- Re: Web Server Folder Traversal Chris Keladis (Feb 28)