Vulnerability Development mailing list archives
RE: sometimes IIS 4.0 don't write logs.
From: ThEye <theye () 350cc com>
Date: Thu, 20 Dec 2001 14:54:55 -0500
Pablo Aravena said:
The problem looks like this:
CMD /K [command] Execute a command and "still active"
CMD /C [command] Execute a command and then finish.
If you execute a cmd.exe?/k request, it stays in an active state until the process is finished, unlike the cmd.exe?/c request, which finishes the process immediately. Because of this, IIS does not log the process that has not come to an end.

That's right, but if an attacker sends a remote request to "cmd /k", no "cmd" process will appear in the webserver's list of processes, so this is an unusual behavior, because if a local user of the NT box calls "cmd /k" locally, that process will appear in the list of processes. In addition, if the attacker calls "cmd /k" remotely, his browser will seem to be waiting for the webserver's answer (that happens because CMD is still running due to the "K" option), so if he stops the browser (pressing ESC) he will stop the remote "cmd /k" process, but IIS doesn't log it.
Roberto Alamos M. (theye () 350cc com) www.350cc.com
> -----Original Message-----
> From: ThEye [SMTP:theye () 350cc com]
> Sent: Thursday, 20 December 2001 0:39
> To: vuln-dev () securityfocus com
> CC: ndr113 () 350cc com
> Subject: sometimes IIS 4.0 don't write logs.
>
> Hi:
>
> I don't know if this problem is documented, but I didn't find anything about it anywhere.
>
> The problem is the following one:
>
> + Problem:
> When I was playing with "Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability" (BugtraqID = 1806) I found that if the attacker uses the "k" option of cmd (cmd /k) instead of the "c" option (cmd /c), IIS 4.0 (with the Extended Unicode Directory Traversal Vulnerability) sometimes doesn't write logs of the attacker's activity.
>
> + Implications:
> If an attacker uses this vulnerability to crack a web page or anything, eventually no tracks will exist on the attacked server.
>
> + Final:
> In PROBLEM I said "sometimes" because after a high number of requests to "cmd /k", IIS 4.0 writes logs of some requests; still, I don't know when and why IIS 4.0 writes logs of the "cmd /k" request.
> Anyone that can confirm or refute this, please post it.
>
> + Exploit:
> I tested this problem on Windows NT Server 4.0 with IIS 4.0 just installed (without any patch).
>
> http://server.com/scripts/..%c1%pc../winnt/system32/cmd.exe?/k+dir
> http://server.com/scripts/..%c0%af../winnt/system32/cmd.exe?/k+dir
> http://server.com/msadc/..%c1%pc../winnt/system32/cmd.exe?/k+dir
> http://server.com/msadc/..%c0%af../winnt/system32/cmd.exe?/k+dir
>
> Result: No tracks on log files.
>
> + More Information:
> 1) Microsoft IIS and PWS Extended Unicode Directory Traversal
> http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=1806
> 2) Microsoft Patch prmcan4i
> http://download.microsoft.com/download/winntsp/Patch/q269862/NT4ALPHA/EN-US/prmcan4i.exe
>
> Roberto Alamos M. (theye () 350cc com)
> www.350cc.com
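A defender-side illustration of the logging gap discussed in this thread, added here as an example and not part of either poster's message: it compares requests seen by a network sensor or proxy against what the web server logged and reports suspicious requests that left no server-side entry. The function names, the (client, URI) record shape, the assumption that both sources record the raw URI, and the sample data are all assumptions made for the example.

```python
import re

# 0xC0 and 0xC1 can only begin an overlong two-byte UTF-8 sequence, so a
# percent-escaped C0/C1 byte in a URL path is suspicious whatever follows it
# (this also catches a malformed escape such as "%c1%pc").
OVERLONG_LEAD = re.compile(r"%c[01]", re.IGNORECASE)
CMD_SWITCH = re.compile(r"cmd\.exe\?/([ck])(?![a-z0-9])", re.IGNORECASE)


def classify(uri):
    """Describe one request URI: overlong escape present, and cmd switch used."""
    path = uri.split("?", 1)[0]
    match = CMD_SWITCH.search(uri)
    return {
        "overlong_escape": bool(OVERLONG_LEAD.search(path)),
        "cmd_switch": match.group(1).lower() if match else None,
    }


def unlogged_suspicious(wire, server_logged):
    """Return suspicious wire requests that have no matching server log entry.

    wire: iterable of (client_ip, uri) seen by a network sensor or proxy.
    server_logged: set of (client_ip, uri) parsed from the web server log.
    """
    findings = []
    for client, uri in wire:
        info = classify(uri)
        if not (info["overlong_escape"] or info["cmd_switch"]):
            continue
        if (client, uri) not in server_logged:
            findings.append((client, uri, info["cmd_switch"]))
    return findings


# Constructed sample data (documentation addresses, not real traffic).
WIRE = [
    ("192.0.2.10", "/default.htm"),
    ("192.0.2.66", "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir"),
    ("192.0.2.66", "/scripts/..%c0%af../winnt/system32/cmd.exe?/k+dir"),
    ("192.0.2.66", "/msadc/..%c1%pc../winnt/system32/cmd.exe?/k+dir"),
]
SERVER_LOGGED = {WIRE[0], WIRE[1]}  # constructed: the /k requests left no entry

if __name__ == "__main__":
    for client, uri, switch in unlogged_suspicious(WIRE, SERVER_LOGGED):
        print(f"{client} {uri} (cmd /{switch}) on wire, absent from server log")
```

Because the thread reports that the server-side log can be silent for these requests, the comparison only works when the wire-side record comes from a device the web server does not control.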