Home page logo

bugtraq logo Bugtraq mailing list archives

IIS CGI Filename decode error = financial industry server vulnerability
From: Curt Wilson <netw3 () netw3 com>
Date: Thu, 17 May 2001 02:34:52 -0500

I work with a company that has a financial services vendor that ships
their customized IIS4 systems with everyone/full control on C: or else
it "breaks the application". Of course, these perms reach the winnt/system32
dir, but I used cacls to restrict winnt/system32/*.exe from the
IUSR account with success. The only thing funky about this solution,
is that when cmd.exe is restricted in such a manner, the user 
(if using IE) receives a challenge-response, allowing at least some
attempt to brute force the admin account (vendor sets very weak default

This particular vendor supplies a lot of credit unions. They are
currently testing the MS patch to determine if it will function
properly on their customized version of IIS 4. The system is designed
to run behind a decent firewall such as the Cisco PIX, and I feel
that this fact has created a false sense of "black box" security.
The defense-in-depth posture of this company is somewhat weak, but
one of their managers shows a lot of promise in terms of tightening
the companys security stance.

It seems that most of the exploit code and examples focuses on 
using cmd.exe. In this particular "everyone/full control" scenario,
there are various other executables are available such as route, net, 
tftp, findstr, netstat, tracerte, ipconfig, ping, etc. that can receive
parameters and for some (tftp, ftp, telnet, ping) open up a back-channel
in a stateful firewall unless outgoing packets are filtered. It appears
that routes can be modified as well but I was not successful in my 
particular test.

Like unicode and other exploits of this nature, it seems pretty easy for
an attacker to set up a tftp server and craft a command line to retrieve
something like netcat or a trojan from an external site and store it in a
writeable area. Internal networks could really be screwed, esp with
something like Sir Dystics SMBrelay being used.

I won't reveal any more information at this point about the particular
vendor, until they release their results or their own customized patch. I am
expecting some type of result from them within 12 hours of this message.
This vendors security notification service has been pretty slow in the past,
but attackers don't wait.

If you are a credit union with an in-house home banking service, please
contact me and we can discuss further if necessary.

| Curt R. Wilson   *   Netw3 Consulting  *   www.netw3.com    |
|    Internet Security, Networking, PC tech,  WWW hosting     |
| Netw3 Security Reading Room : www.netw3.com/documents.html  |
|  Serving Southern Illinois locally and the world virtually  |  
|            netw3 () netw3 com     618-303-NET3                 |

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]