Security Incidents mailing list archives
Re: IIS Directory traversal vulnerability
From: Reverend Lola <reverend_lola () yahoo com>
Date: Wed, 25 Jul 2001 12:25:58 -0700 (PDT)
----->%-----snip----->%-----
Very likely, they copied winnt\system32\cmd.exe to \scripts\dr.exe. If you check file sizes and dates modified, they should be identical. The reason why is because they cannot run cmd.exe from the system32 directory, they have to run it from the scripts folder (I think. Can anyone else confirm this?).
No, you can run cmd.exe, but there are some limitations on what you can do with it. For example, you can't do this:
http://xx.xx.xx.xx/scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+echo+0wned+3w3!+>+c:\inetpub\wwwroot\default.asp
That's why you first copy cmd.exe to some other name in the webroot. :)
----->%-----snip----->%-----
Any advice would be much appreciated - a couple of our boxes seem to have been exploited using a directory traversal vulnerability, by uploading a file called "dr.exe", and then passing it commands to remove files from the box.
Do you see anything in the logs that would indicate dr.exe was actually uploaded from somewhere, and it's not actually a copy of cmd.exe?
----->%-----snip----->%-----
The attacked boxes did have all the latest patches applied to them, and I double checked this during the code red crisis, and applied any that were missing.
The Unicode patch has been out since mid-October 2000 (MS00-078), so if you've applied that patch a Unicode attack wouldn't work. Unless they used double encoding, but that patch has been out since 14 May 2001 (MS01-026). Can you tell which, if either, of these two methods were used?
Reverend Lola
The Titanium Sheep
Provider of Steel Wool
Defender of the Fleeceless
PS - MS bulletins and patches (URLs may be wrapped):
MS00-078 - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-078.asp
MS01-026 - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-026.asp
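One way to answer the two log questions raised in this message (which encoding was used, and whether dr.exe was copied rather than uploaded), as an added example that is not part of the original post. It assumes the IIS log records the request path still percent-encoded; the log lines, addresses and the names `encoding_method` and `analyze` are constructed for illustration.

```python
import re

# Constructed sample in W3C extended style (not from the incident). Fields:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = r"""
2001-07-25 10:01:02 192.0.2.10 GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe /c+dir 200
2001-07-25 10:01:09 192.0.2.10 GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+dr.exe 200
2001-07-25 10:01:15 192.0.2.10 GET /scripts/dr.exe /c+del+c:\inetpub\wwwroot\default.asp 200
2001-07-25 10:02:00 192.0.2.77 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 404
2001-07-25 10:03:00 192.0.2.50 GET /default.asp - 200
""".strip().splitlines()

# Lead bytes 0xC0/0xC1 never occur in valid UTF-8: they can only start an
# overlong two-byte form of an ASCII character such as "/" (%c0%af).
OVERLONG = re.compile(r"%c[01]%[89ab][0-9a-f]", re.I)
# An escaped "%" followed by two hex digits decodes to a second escape.
DOUBLE = re.compile(r"%25[0-9a-f]{2}", re.I)
# "copy <path>cmd.exe <dest>.exe" in the query string, spaces logged as "+".
COPY = re.compile(r"copy\+\S*cmd\.exe\+(\S+\.exe)", re.I)

def encoding_method(stem):
    """Name the traversal encoding seen in a URI stem, or None."""
    if OVERLONG.search(stem):
        return "unicode-overlong (MS00-078)"
    if DOUBLE.search(stem):
        return "double-encoding (MS01-026)"
    return None

def analyze(lines):
    """Return (client_ip, kind, detail) findings for a list of log lines."""
    findings, copies = [], set()
    for line in lines:
        _date, _time, ip, _verb, stem, query, status = line.split()
        method = encoding_method(stem)
        name = stem.rsplit("/", 1)[-1].lower()
        if method:
            findings.append((ip, method, status))
            m = COPY.search(query)
            if m and status.startswith("2"):
                dest = re.split(r"[\\/]", m.group(1))[-1].lower()
                copies.add(dest)           # remember the new shell name
                findings.append((ip, "shell-copy", dest))
        elif name in copies:               # later hits on the copied binary
            findings.append((ip, "copied-shell-run", name))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

A 2xx status on an encoded request points to the bulletin whose patch is missing or ineffective on that host, and a `shell-copy` finding supports the copy theory, which the file size and date comparison suggested earlier in the thread can confirm.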