[Intrusions] Has anyone seen this?
Nick FitzGerald
nick at virus-l.demon.co.uk
Thu Aug 25 22:09:42 GMT 2005
Paul Schmehl wrote:
> The attack signature was one of either "root.exe" (Nimda) or
> "winnt/system32/cmd.exe". I've never seen an IIS attack that used the
> latter, and it seems rather strange, because unless the webserver is
> grossly misconfigured you couldn't get to the system32 dir through port 80
> anyway.
Those were the _entire_ requested URLs, or was the sig that triggered
just looking at any part of the URL/packet/whatever?
> From the rapidity of the attack, it seemed more like a discovery attack
> rather than a break-in attack, because the script (or whatever it was)
> would change src IP very quickly.
>
> I'm just curious if anyone has seen anything similar.
How quickly we forget...
Recall the "double-decode" bug in early IIS 4 -- you know, something
like %25%32%45 decodes once to %2e which is then later decoded again to
"." -- and how it could be used to bypass IIS' directory traversal
checks, which basically were checks for requests starting with literal
substrings "./" and "../" BUT done after the first of the above decodes
and before the second?
These kinds of tricks were extensively used around the time of Code Red
and any IIS box that was vulnerable to Code Red was most likely
vulnerable to this too (tho, IIRC, this double-decode bug was fixed in
an earlier patch than the buffer overflow fix needed to beat Code Red,
so it was possible for a box to be patched against double-decode and not
the buffer overflow Code Red used).
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092
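An added illustration of the decode-ordering flaw Nick describes, not code from this thread and not IIS source: a deliberately simplified model (an assumption about the server, not its real logic) that runs the literal "./" and "../" substring check between a first and a second percent-decode, next to the corrected order that canonicalises fully before checking. It reuses the message's %25%32%45 sequence and adds a log check a defender can run to flag requests whose URI still decodes further after one decode. The log lines and paths are constructed for the example.

```python
from urllib.parse import unquote


def looks_like_traversal(path: str) -> bool:
    """The kind of literal-substring check the message describes."""
    return "../" in path or path.startswith("./")


def vulnerable_pipeline(raw: str):
    """Model of the flawed order: decode once, check, decode again, then serve.

    Simplified assumption about the server, not the real IIS code path.
    """
    once = unquote(raw)
    if looks_like_traversal(once):
        return ("rejected", once)
    twice = unquote(once)  # the second decode lands after the check has run
    return ("served", twice)


def hardened_pipeline(raw: str, max_rounds: int = 3):
    """Corrected order: decode until the string stops changing, then check.

    A request that is still changing after max_rounds is refused outright,
    since honest clients do not nest percent-encoding that deeply.
    """
    cur = raw
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    else:
        return ("rejected", cur)
    if looks_like_traversal(cur):
        return ("rejected", cur)
    return ("served", cur)


def is_double_encoded(uri: str) -> bool:
    """True when one decode still leaves escapes that decode further."""
    once = unquote(uri)
    return unquote(once) != once


# Constructed sample log in a W3C-like field order: date time c-ip method uri status
SAMPLE_LOG = [
    "2005-08-25 21:58:01 192.0.2.10 GET /index.html 200",
    "2005-08-25 21:58:02 192.0.2.11 GET /site/%25%32%45%25%32%45/private.txt 200",
    "2005-08-25 21:58:03 192.0.2.12 GET /site/%2e%2e/private.txt 404",
]


def flag_requests(log_lines):
    """Return (client ip, uri) for each request carrying a double-encoded URI."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed line: skip rather than guess at fields
        client_ip, uri = parts[2], parts[4]
        if is_double_encoded(uri):
            flagged.append((client_ip, uri))
    return flagged


if __name__ == "__main__":
    probe = "/site/%25%32%45%25%32%45/private.txt"
    print("vulnerable:", vulnerable_pipeline(probe))
    print("hardened:  ", hardened_pipeline(probe))
    print("flagged:   ", flag_requests(SAMPLE_LOG))
```

The single-encoded request in the third log line is not flagged: one decode already exposes the "../", so the substring check catches it even in the flawed order, which is why it only earns a 404 while the double-encoded one in the second line slips past the check and is served.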