Security Basics
mailing list archives
Reserved named COM1 used as filename - IIS W2K
From: Geo You <gyoung () gldata com>
Date: 1 Feb 2004 11:29:15 -0000
In-Reply-To: <20031212162003.CD21516AF26 () hueymiccailhuitl mtu ru>
When a web site is created under IIS on a W2K server with FrontPage extensions, there are a number of directories created for FrontPage. One of these directories is _vti_pvt, and it is created with write permission to all - oops!

Hackers continuously probe websites looking for this directory, and if they find a writable _vti_pvt directory they proceed to write an extensive directory structure which is then populated with WAREZ material. It takes about 2 days for hackers to find an open directory on a new website.

An unsuspecting web server owner then becomes the host for gigabytes of copyright data and may notice a huge increase in the net traffic through his site as hackers all over the world upload and download gigs of files.

In order to prevent the hackers' directory structure from getting deleted, they will often call the first subdirectory "com1 ", com1 with one or more spaces after it. Since Windows ignores the spaces, the name is interpreted as the reserved name for the serial port. If you try to delete a folder with that name nothing happens, except perhaps your window session hangs.

Also, these directories are not owned by any legitimate user account on the server, so even if Windows didn't treat it as a reserved name, you still would not have permission to access the directory.

Attempting to use POSIX commands to delete these directories proved fruitless. Properly syntaxed POSIX commands resulted in messages about not having permission to delete the directory, or messages stating the directory was not empty.
What did work was:

1.) First get rid of the COM1 serial port from the Windows OS. Either go into the BIOS of the PC and delete COM1, or go into the Hardware Device Manager and uninstall COM1. You can also try stopping the Plug and Play service, but so many things under Windows use that service that you may have trouble.

2.) Then from DOS go to the _vti_pvt directory and issue

dir /x

This will show you the long and short name of the directory. COM1 with a bunch of spaces will show up as COM1~1; then -

ren COM1~1 xxx

Rename the file; if it complains about not having permission, it's probably because you don't own the file - yet!

Since COM1 has been removed from the system you can go back to Windows, right click on _vti_pvt and bring up the properties. Go into Advanced, then Owner, highlight the Administrator account, check the "Replace owner on subcontainers" box and hit Apply. Administrator can now take ownership of the COM1~1 directory. Back to the first screen, make sure that Administrator and Everyone have full rights to the directory, and propagate the changes down the directory tree as far as you can.

Back to the DOS window and rename the directory. Proceed down the file hierarchy to the next directory. You will have to alternate back and forth between renaming directories, then taking ownership of them and setting permissions.

It took about 30 minutes to get through a 10 level deep directory structure. The system hung twice and had to be rebooted. Obviously this hack of the file structure does some damage to the Windows file system.
George Young
G-L Data Inc
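The post explains why a directory named "com1 " (trailing space) defeats ordinary delete and rename calls: the Win32 layer strips trailing spaces and dots and then maps the name to the COM1 device, so the request never reaches the on-disk entry. The script below is an added example, not code from the post or its author. It scans a web root for names that collide with the Win32 reserved device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9) or carry trailing spaces/dots, so an administrator can audit a FrontPage _vti_pvt tree before it fills up. For removal it uses the \\?\ extended path prefix, which tells Windows to pass the raw name through instead of normalizing it; that is an alternative to the post's approach of removing the COM1 serial port and renaming via the 8.3 short name, and it is not something the post itself describes. The sample tree, the function names and the web-root paths are constructed for illustration; the removal branch only runs on Windows.

```python
"""Audit a web root for Win32 reserved-name / trailing-space entries.

Added example, not part of the original post. The rule implemented here is
the classic Win32 one: trailing spaces and dots are dropped, then the text
before the first dot is compared with the device list, so "com1 ", "COM1."
and "Com1.txt" all resolve to the COM1 device.
"""
import os
import shutil
import tempfile

RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_reserved_name(name: str) -> bool:
    """True if Win32 would treat the name as a device rather than a file."""
    stem = name.rstrip(" .").split(".", 1)[0]
    return stem.upper() in RESERVED


def has_trailing_junk(name: str) -> bool:
    """Trailing spaces/dots are invisible in Explorer and stripped by Win32."""
    return name != name.rstrip(" .")


def scan_tree(root: str) -> list:
    """Return sorted root-relative paths whose final component is suspicious."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if is_reserved_name(name) or has_trailing_junk(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def extended_path(path: str) -> str:
    r"""Prefix an absolute Windows path with \\?\ so the name is not normalized.

    os.path.abspath is deliberately not applied to the full path here: on
    Windows it can itself strip the trailing space that makes the name special.
    """
    return path if path.startswith("\\\\?\\") else "\\\\?\\" + path


def remove_suspicious(root: str, dry_run: bool = True) -> list:
    """Delete (or, by default, only list) the suspicious entries under root.

    The extended-path form is used on Windows only; POSIX filesystems have
    no reserved names, so the plain path is enough elsewhere.
    """
    root_abs = os.path.abspath(root)  # the root itself has a normal name
    targets = []
    for rel in scan_tree(root):  # parents sort before their children
        full = os.path.join(root_abs, rel)
        if os.name == "nt":
            full = extended_path(full)
        targets.append(full)
        if dry_run or not os.path.lexists(full):  # parent may already be gone
            continue
        if os.path.isdir(full) and not os.path.islink(full):
            shutil.rmtree(full)
        else:
            os.remove(full)
    return targets


def build_demo_tree() -> str:
    """Constructed sample: a FrontPage _vti_pvt with a hidden 'com1 ' subtree."""
    root = tempfile.mkdtemp(prefix="vti_demo_")
    os.makedirs(os.path.join(root, "_vti_pvt", "com1 ", "incoming"))
    os.makedirs(os.path.join(root, "_vti_pvt", "service"))
    for name in ("Lpt1.txt", "readme.", "index.htm"):
        open(os.path.join(root, "_vti_pvt", name), "w").close()
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for hit in scan_tree(demo):
        print(repr(hit))  # repr makes the trailing space visible
    shutil.rmtree(demo)
```

Run it with `dry_run=True` first (the default) to see what would be removed; the `repr()` in the demo output is there because a trailing space is otherwise invisible in a listing, which is exactly what the post's "com1 " trick relies on.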