Security Incidents mailing list archives
Re: IIS Directory traversal vulnerability
From: Reverend Lola <reverend_lola () yahoo com>
Date: Wed, 25 Jul 2001 12:25:58 -0700 (PDT)
----->%-----snip----->%-----
> Very likely, they copied winnt\system32\cmd.exe to \scripts\dr.exe. If you check file sizes and dates modified, they should be identical. The reason why is because they cannot run cmd.exe from the system32 directory, they have to run it from the scripts folder (I think. Can anyone else confirm this?).

No, you can run cmd.exe, but there are some limitations on what you can do with it. For example, you can't do this:

http://xx.xx.xx.xx/scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+echo+0wned+3w3!+>+c:\inetpub\wwwroot\default.asp

That's why you first copy cmd.exe to some other name in the webroot. :)

----->%-----snip----->%-----
> Any advice would be much appreciated - a couple of our boxes seem to have been exploited using a directory traversal vulnerability, by uploading a file called "dr.exe", and then passing this commands to remove files from the box.

Do you see anything in the logs that would indicate dr.exe was actually uploaded from somewhere, and it's not actually a copy of cmd.exe?

----->%-----snip----->%-----

> The attacked boxes did have all the latest patches applied to them, and I double checked this during the code red crisis, and applied any that were missing.

The Unicode patch has been out since mid-October 2000
(MS00-078), so if you've applied that patch a Unicode
attack wouldn't work. Unless they used double
encoding, but that patch has been out since 14 May
2001 (MS01-026). Can you tell which, if either, of
these two methods were used?
Reverend Lola
The Titanium Sheep
Provider of Steel Wool
Defender of the Fleeceless
PS - MS bulletins and patches (URLs may be wrapped):
MS00-078 -
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-078.asp
MS01-026 -
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-026.asp
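
The following is an added example, not part of the original message: one way to answer the closing question from the web server logs by sorting requests for executables into overlong-Unicode (MS00-078) and double-encoded (MS01-026) classes. The log lines are constructed, the field layout is an assumption, and it assumes the log keeps the request path as the client sent it, still percent-encoded.

```python
import re
from urllib.parse import unquote_to_bytes

# 0xC0 and 0xC1 can never begin a valid UTF-8 sequence, so "%c0%xx" or
# "%c1%xx" in a path is an overlong encoding (the case MS00-078 addresses).
OVERLONG = re.compile(r"%c[01]%[0-9a-f]{2}", re.IGNORECASE)
# A %hh escape that survives one round of decoding means the path was
# encoded twice (the case MS01-026 addresses).
RESIDUAL_ESCAPE = re.compile(rb"%[0-9a-f]{2}", re.IGNORECASE)

def classify(uri_stem):
    """Label the encoding trick, if any, used in a raw request path."""
    if OVERLONG.search(uri_stem):
        return "overlong-utf8 (MS00-078)"
    if RESIDUAL_ESCAPE.search(unquote_to_bytes(uri_stem)):
        return "double-encoded (MS01-026)"
    return "plain"

def review(log_lines):
    """Return (client_ip, executable, method) for each request naming an .exe."""
    findings = []
    for line in log_lines:
        if line.startswith("#") or not line.strip():
            continue
        # Assumed field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
        _date, _time, ip, _verb, stem, _query, _status = line.split()
        if not stem.lower().endswith(".exe"):
            continue
        exe = stem.rsplit("/", 1)[-1].lower()
        findings.append((ip, exe, classify(stem)))
    return findings

# Constructed sample lines (documentation-range addresses), not real log data.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-25 10:01:02 192.0.2.10 GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe /c+dir 200
2001-07-25 10:01:09 192.0.2.10 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 200
2001-07-25 10:02:30 192.0.2.10 GET /scripts/dr.exe /c+dir 200
2001-07-25 10:03:00 198.51.100.7 GET /default.asp - 200
""".splitlines()

if __name__ == "__main__":
    for ip, exe, method in review(SAMPLE_LOG):
        print(f"{ip:15} {exe:10} {method}")
```

A "plain" hit on an unfamiliar executable in \scripts, such as dr.exe here, is the follow-on use of a copied file; the earlier encoded requests from the same client show which of the two methods got it there.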
