[Intrusions] Has anyone seen this?
Matthew Harkrider
mhark at alertlogic.net
Thu Aug 25 19:14:53 GMT 2005
> The attack signature was one of either "root.exe" (Nimda) or
> "winnt/system32/cmd.exe". I've never seen an IIS attack that used the
> latter, and it seems rather strange, because unless the webserver is
> grossly misconfigured you couldn't get to the system32 dir through port 80
> anyway.
We have actually seen this before many times and have recreated this result
for testing purposes. This is the very same attack that is used in the old
Unicode and CodeRed exploits. One of our analysts identified a script a very
long time ago on exploitwatch.org that takes about 20 variants of this
exploit and scans IIS servers in hopes that they haven't been patched
against this vulnerability.
Here is a payload sample from one of our internal tests:
GET /_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
If the server isn't patched, you will get a 200 OK response from the target
and then have immediate administrative rights. However, unless IIS servers
on a network have been blatantly ignored, it is highly unlikely that there
are a lot of them out there vulnerable to this attack. It is very old.
Hope this helps.
Regards,
Matt
................................
Matthew Harkrider
Founder
Dir of Operations
Alert Logic, Inc
Email: mhark at alertlogic.net
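Added example (not part of the thread, and not Alert Logic's or Tippingpoint's code): a small log checker that shows why the request above slips past a naive filter and how a detector can normalise it. It URL-decodes the path, then folds overlong two-byte UTF-8 sequences such as %c0%af back to the ASCII byte they encode (the decode order that made unpatched IIS 4/5 treat them as "/" after its traversal check), and flags requests that traverse to cmd.exe or root.exe. The sample request lines are constructed, apart from the first, which is the payload quoted in the message.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample access-log request lines. The first is the payload quoted
# in the message above; the rest are made up for this example.
SAMPLE_REQUESTS = [
    "GET /_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /index.html HTTP/1.0",
    "GET /images/logo%20small.gif HTTP/1.1",
]

# Executables the old Unicode / Nimda probes reach for.
SUSPICIOUS_TARGETS = ("cmd.exe", "root.exe")


def decode_path(raw):
    """URL-decode the path, then collapse overlong 2-byte UTF-8 sequences
    (lead byte 0xC0 or 0xC1) to the ASCII character they encode.
    Returns (decoded_text, number_of_overlong_sequences_seen)."""
    b = unquote_to_bytes(raw)
    out = bytearray()
    overlong = 0
    i = 0
    while i < len(b):
        c = b[i]
        if c in (0xC0, 0xC1) and i + 1 < len(b) and 0x80 <= b[i + 1] <= 0xBF:
            # %c0%af -> ((0xC0 & 0x1F) << 6) | (0xAF & 0x3F) == 0x2F == "/"
            out.append(((c & 0x1F) << 6) | (b[i + 1] & 0x3F))
            overlong += 1
            i += 2
        else:
            out.append(c)
            i += 1
    return out.decode("utf-8", errors="replace"), overlong


def classify(request_line):
    """Return a verdict string for a probe, or None for a benign request."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    decoded, overlong = decode_path(parts[1])
    # Normalise separators and drop the query string before inspecting the path.
    path = decoded.replace("\\", "/").lower().split("?", 1)[0]
    segments = path.split("/")
    traversal = ".." in segments
    target = next((t for t in SUSPICIOUS_TARGETS if path.endswith(t)), None)
    if target is None:
        return None
    if traversal and overlong:
        return "unicode-traversal " + target
    if traversal:
        return "traversal " + target
    return "direct " + target


def scan(lines):
    """Return [(verdict, line)] for every flagged request line."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            hits.append((verdict, line))
    return hits


if __name__ == "__main__":
    for verdict, line in scan(SAMPLE_REQUESTS):
        print(f"{verdict:28s} {line}")
```

The important design point is the decode order: checking for ".." before URL-decoding, or decoding once and stopping, is exactly what let "%c0%af" through, so a detector must decode first and only then look for traversal. The overlong count is kept as a separate signal because a legitimate client never emits those sequences, so their mere presence is worth an alert even when the target is unrecognised.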
-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org] On Behalf Of Paul Schmehl
Sent: Wednesday, August 24, 2005 12:21 PM
To: Intrusions List (GCIA Practicals)
Subject: [Intrusions] Has anyone seen this?
We had a really strange attack the other day, and I'm wondering if anyone
else might have seen something similar. The attack originated in a class C
(in China), moving randomly through the address space (x.x.x.231,
x.x.x.222, x.x.x.198, x.x.x.243, etc.) and scanned through a number of
class C's on our network. The dst port was always 80.
The attack signature was one of either "root.exe" (Nimda) or
"winnt/system32/cmd.exe". I've never seen an IIS attack that used the
latter, and it seems rather strange, because unless the webserver is
grossly misconfigured you couldn't get to the system32 dir through port 80
anyway.
From the rapidity of the attack, it seemed more like a discovery attack
rather than a break-in attack, because the script (or whatever it was)
would change src IP very quickly.
I'm just curious if anyone has seen anything similar.
(The entire attack was detected and blocked by Tippingpoint, so it's only
interesting from an educational standpoint.)
Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions