Security Incidents mailing list archives

Unicode Attack


From: "Jeremy Junginger" <jjunginger () usbestcrm com>
Date: Wed, 13 Nov 2002 07:51:02 -0700

It's time again to ask the group for some assistance with interpretation
of web logs and snort alerts.  There was some funny activity on the web
farm.  I noticed a couple "ATTACK RESPONSES-http dir listing" attacks on
some of our web servers, cueing me in to the fact that the servers in
question were not patched against a Unicode-type vulnerability.  I found
the offending IP, and tracked it back to a broadband home connection. I
think with reasonable certainty that the attack was not spoofed (because
of the nature of TCP and the fact that he received a response from the
web server); however, I cannot rule out the possibility of the host
being compromised.  Knowing this, I reported it to our ISP and blocked
access immediately, and began to analyze the logs more closely.  The web
logs are continuous, so I am assuming that they are intact, though they
may be suspect.  There are no lapses in time, and the logs appear to be
fairly contiguous.  I also noticed that the attack was scripted, as
there were many WEB-IIS SAM RETRIEVAL attempts interspersed with the
Unicode strings, all happening in less than 10 seconds.  The log entries
of the first server are below.  

Web log entries:

2002-11-12 13:00:37 210.201.100.253 - x.x.x.17 80 GET /scripts/..%5c../..%5c../..%5cwinnt/system32/cmd.exe /c+dir 200 1849 321 31 HTTP/1.1 63.241.137.233 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) - -

2002-11-12 13:00:37 210.201.100.253 - x.x.x.17 80 GET /scripts/..%5c../..%5c../..%5cwinnt/system32/cmd.exe /c+dir 200 1849 321 31 HTTP/1.1 63.241.137.233 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) - -

This is an IIS 5.0/Win2k Server with SP2 and Latest Hotfixes per
HFNETCHECK, which I thought would preclude this server from being
vulnerable to a Unicode-type attack.  The only thing that has not been
done is running URLSCAN and IISLOCKDOWN.  Obviously, these will be my
steps for patching the servers, but I would like to ask for some
assistance with replicating the attack.  

INTERESTING NOTE:  The web logs indicate that the URL Requested was
(correct me if I'm wrong) 
http://x.x.x.17/scripts/..%5c..%5c..%5cwinnt/system32.cmd.exe?/c+dir
(possibly with a c:\ at the end).  

When running this URL against the server, it produces a 404 error on the
server rather than listing the drive contents.  The snort logs
(Snort/MySQL/PHP/ACID/Apache) indicate that the URL was
http://x.x.x.17/scripts/..%5c..%5c..%5cwinnt/system32.cmd.exe?/c+dir .  

I guess my question is three-fold:

1) Does the IIS server "decode" the string before logging it to the web
logs?
2) Does the Snort IDS "decode" the string before logging it to MySQL?
3) Since there are few (if any) thorough Unicode scanners, is it
possible to write a perl script that could check for all possible
Unicode variants on a given web server to test the effectiveness of the
URLSCAN and IISLOCKDOWN utilities (pre-change/post-change pen-test)?  I
have some "shell" programs like uni.pl, but am a little confused about
how to generate all of the possible combinations.

If you guys can provide any assistance with this, it would be great.  If
not, thanks for taking the time to read the post.  Have a good one!

-Jeremy
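Added example, not from the post or the list: a small Python checker that takes the cs-uri-stem exactly as IIS logs it (still percent-encoded, which is what the log entries above show), decodes it the way the server would, treats backslashes as path separators, and flags any request that climbs above the virtual root. The log lines it runs over are constructed, modelled on the entries quoted above, and the field order is assumed to be the default W3C extended layout those entries use; the second and third entries are made up to show a 404 attempt and a benign request.

```python
from urllib.parse import unquote

# Constructed sample in IIS W3C extended log format, modelled on the post's entries.
# Assumed field order: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status ...
SAMPLE_LOG = """\
2002-11-12 13:00:37 210.201.100.253 - x.x.x.17 80 GET /scripts/..%5c../..%5c../..%5cwinnt/system32/cmd.exe /c+dir 200 1849 321 31 HTTP/1.1 63.241.137.233 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) - -
2002-11-12 13:05:12 10.1.2.3 - x.x.x.17 80 GET /scripts/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir 404 0 0 0 HTTP/1.1 - - - -
2002-11-12 13:05:40 10.1.2.4 - x.x.x.17 80 GET /images/logo.gif - 200 4096 0 0 HTTP/1.1 - - - -
"""

def canonicalize(uri_stem):
    """Percent-decode until the string stops changing (a bounded loop, so a
    request encoded more than once still resolves), then treat backslashes as
    directory separators, which is how IIS interprets %5c on Windows."""
    decoded = uri_stem
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")

def escapes_root(path):
    """Walk the '.'/'..' segments; True as soon as the path climbs above the vroot."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def parse_w3c_line(line):
    """Return the fields this check needs, or None for directives and short lines."""
    f = line.split()
    if len(f) < 10 or f[0].startswith("#"):
        return None
    return {"client": f[2], "method": f[6], "stem": f[7], "status": int(f[9])}

def find_traversals(log_text):
    """(client, status, canonical path) for every request that escapes the web root.
    Status is reported so the analyst can tell a 200 (succeeded) from a 404 (blocked)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        canon = canonicalize(rec["stem"])
        if escapes_root(canon):
            hits.append((rec["client"], rec["status"], canon))
    return hits

if __name__ == "__main__":
    for client, status, canon in find_traversals(SAMPLE_LOG):
        print(f"{client} status={status} resolves to {canon}")
```

Because the check decodes before matching, it flags both the %5c form that succeeded and the hand-typed variant that drew a 404, which is the distinction the post is trying to draw from the raw log strings.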

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
