Re: IIS Directory traversal vulnerability

From: Reverend Lola (reverend_lolaat_private)
Date: Wed Jul 25 2001 - 12:25:58 PDT


    ----->%-----snip----->%-----
    >Very likely, they copied winnt\system32\cmd.exe to
    >\scripts\dr.exe.  If you check file sizes and dates
    >modified, they should be identical.  The reason why
    >is because they cannot run cmd.exe from the system32
    >directory, they have to run it from the scripts
    >folder (I think.  Can anyone else confirm this?).
    
    No, you can run cmd.exe, but there are some
    limitations on what you can do with it.  For example,
    you can't do this:  
    
    http://xx.xx.xx.xx/scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+echo+0wned+3w3!+>+c:\inetpub\wwwroot\default.asp
    
    That's why you first copy cmd.exe to some other name
    in the webroot.  :)  
    
    ----->%-----snip----->%-----
    > Any advice would be much appreciated - a couple of
    > our boxes seem to have been exploited using a
    > directory traversal vulnerability, by uploading a
    > file called "dr.exe", and then passing it commands
    > to remove files from the box.
    
    Do you see anything in the logs that would indicate
    dr.exe was actually uploaded from somewhere, and it's
    not actually a copy of cmd.exe?  
    
    ----->%-----snip----->%-----
    > The attacked boxes did have all the latest patches
    > applied to them, and I double checked this during
    > the code red crisis, and applied any that were
    > missing.
    
    The Unicode patch has been out since mid-October 2000
    (MS00-078), so if you've applied that patch a Unicode
    attack wouldn't work.  Unless they used double
    encoding, but that patch has been out since 14 May
    2001 (MS01-026).  Can you tell which, if either, of
    these two methods were used?  
    
    
    Reverend Lola
    The Titanium Sheep
    Provider of Steel Wool
    Defender of the Fleeceless
    
    PS - MS bulletins and patches (URLs may be wrapped):  
         MS00-078 -
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-078.asp
         MS01-026 -
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-026.asp
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
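The question Reverend Lola raises (was it the Unicode bug or double decoding, and is dr.exe just a renamed cmd.exe?) can usually be answered from the IIS logs. What follows is an added example, not code from the original post or from the list: a small Python script that decodes request paths the way the two vulnerable IIS code paths did (overlong UTF-8 for MS00-078, a second %-decode for MS01-026) and flags the cmd.exe copy, the renamed-executable invocation and the file deletions described in the thread. The log lines, hosts and timestamps are constructed sample data in a simplified W3C-style layout, not real logs.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log lines (hypothetical hosts/timestamps), simplified to:
#   date time client method uri-stem uri-query status
SAMPLE_LOG = [
    r"2001-07-24 03:12:01 10.0.0.7 GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe /c+dir+c:\ 200",
    r"2001-07-24 03:12:09 10.0.0.7 GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\dr.exe 502",
    r"2001-07-24 03:12:15 10.0.0.7 GET /scripts/dr.exe /c+echo+0wned+>+c:\inetpub\wwwroot\default.asp 502",
    r"2001-07-24 04:01:33 10.0.0.9 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 200",
    r"2001-07-24 04:05:00 10.0.0.9 GET /scripts/..%%35c..%%35cwinnt/system32/cmd.exe /c+del+c:\inetpub\wwwroot\index.htm 200",
    r"2001-07-24 05:00:00 192.168.1.5 GET /default.asp - 200",
]

# "../" or "..\" once the path has been decoded.
TRAVERSAL = re.compile(rb"\.\.[\\/]")


def decode_overlong(data: bytes) -> bytes:
    """Decode two-byte UTF-8 sequences the way unpatched IIS (pre MS00-078) did:
    overlong forms with lead byte 0xC0/0xC1 are accepted and mapped to the
    ASCII byte they encode, e.g. C0 AF -> '/', C1 9C -> '\\'."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def analyse(stem: str, query: str) -> set:
    """Classify one request: which traversal encoding (if any) was used and
    what the command line passed to the executable was doing."""
    findings = set()
    once = unquote_to_bytes(stem)      # the first, legitimate %-decode
    twice = unquote_to_bytes(once)     # the second decode IIS did before MS01-026
    if TRAVERSAL.search(once):
        findings.add("plain-traversal")
    elif TRAVERSAL.search(decode_overlong(once)):
        findings.add("unicode-traversal (MS00-078)")
    elif TRAVERSAL.search(twice):
        findings.add("double-decode-traversal (MS01-026)")

    path = decode_overlong(twice).lower()
    args = unquote_to_bytes(query).replace(b"+", b" ").lower()
    if b"cmd.exe" in path:
        findings.add("cmd.exe-invoked")
    if re.search(rb"\bcopy\b.*cmd\.exe", args):
        findings.add("cmd.exe-copied")          # the "copy to dr.exe" step
    # Some other .exe in the webroot taking "/c ..." is likely a renamed cmd.exe.
    if path.endswith(b".exe") and b"cmd.exe" not in path and args.startswith(b"/c "):
        findings.add("renamed-cmd.exe-suspect")
    if b">" in args:
        findings.add("output-redirection")       # only works via the copied binary
    if re.search(rb"\b(del|erase|rd|rmdir)\b", args):
        findings.add("file-deletion")
    return findings


def scan(lines) -> dict:
    """Return {client: sorted findings} for every client with at least one hit."""
    hits = {}
    for line in lines:
        _date, _time, client, _method, stem, query, _status = line.split()
        found = analyse(stem, query)
        if found:
            hits.setdefault(client, set()).update(found)
    return {client: sorted(f) for client, f in hits.items()}


if __name__ == "__main__":
    for client, findings in scan(SAMPLE_LOG).items():
        print(client, ", ".join(findings))
```

The "unicode" and "double-decode" classes are mutually exclusive by construction: a path only gets the double-decode label when a single decode does not already expose the traversal, which is exactly the condition that distinguishes an MS01-026 attack from an MS00-078 one. Run it over the real uri-stem and uri-query columns of the W3C extended log; if the only traversal hits are Unicode ones on a box with MS00-078 applied, the patch state deserves a second look.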
    



    This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 13:56:28 PDT