
Re: IIS Directory traversal vulnerability



The IIS Directory Traversal Vulnerability is in regards to an improperly implemented IIS engine, which improperly interprets unicodes (e.g. %c0%9v) and allows the web client to "traverse" above the webserver's document root (usually set to c:/inetpub/wwwroot). If you review your logs in c:\winnt\system32\Logs\W3SVC1 or something like that, you'd discover that an entry such as http://<target_host>/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir in the web browser will be interpreted as http://<target_host>/scripts/../../winnt/system32/cmd.exe?/c+dir by IIS. The above line will basically dir your c:/inetpub/scripts directory!!

Imagine what you can do with this!! ...issue a command to format the whole hard disk!!!!

The dr.exe file you found in the ../scripts directory is probably a re-named copy of cmd.exe, as this makes the intruder's life a little easier and masks the activities from IDSs.

Anyway, M$ has issued a patch for this under MS00-57 and MS00-78 to address this vulnerability.

HTH.

Patrick Cheong
Security Specialist
Hitechniaga Sdn Bhd

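Since the reply above points at the W3SVC logs, here is an added example (not from the original post or from Microsoft) in Python that decodes request paths the way the flawed IIS decoder did, accepting overlong UTF-8 sequences such as %c0%af (an overlong encoding of "/") and %c1%9c (of "\"), and flags every log entry whose decoded path climbs above the document root. The log lines are constructed for the example, and the field order assumed (date time c-ip method uri-stem uri-query status) is just one W3C extended layout; adjust the index for your own log format.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample IIS W3C log lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-07-25 10:02:11 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-07-25 10:02:40 10.0.0.5 GET /scripts/..%c1%9c../winnt/system32/dr.exe /c+del+x 200
2001-07-25 10:03:01 10.0.0.9 GET /default.htm - 200
2001-07-25 10:03:15 10.0.0.9 GET /images/..%2f../index.html - 404
"""

def decode_lenient(raw: bytes) -> tuple[str, bool]:
    """Decode like the flawed IIS decoder: accept overlong 2- and 3-byte UTF-8
    forms (e.g. 0xC0 0xAF -> '/') instead of rejecting them. Returns the text
    and whether any overlong sequence was seen."""
    out, overlong, i = [], False, 0
    while i < len(raw):
        b = raw[i]
        cont = lambda k: i + k < len(raw) and raw[i + k] & 0xC0 == 0x80
        if b & 0xE0 == 0xC0 and cont(1):
            cp = ((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)
            overlong |= cp < 0x80          # 2-byte form of an ASCII character
            out.append(chr(cp)); i += 2
        elif b & 0xF0 == 0xE0 and cont(1) and cont(2):
            cp = ((b & 0x0F) << 12) | ((raw[i + 1] & 0x3F) << 6) | (raw[i + 2] & 0x3F)
            overlong |= cp < 0x800         # 3-byte form of a 1- or 2-byte character
            out.append(chr(cp)); i += 3
        else:
            out.append(chr(b)); i += 1
    return "".join(out), overlong

def escapes_root(path: str) -> bool:
    """True if resolving '.' and '..' (with either separator) ever climbs above the root."""
    depth = 0
    for part in re.split(r"[/\\]", path):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part not in ("", "."):
            depth += 1
    return False

def scan_log(text: str) -> list[tuple[int, str, bool]]:
    """Return (line_no, decoded_uri_stem, used_overlong) for each escaping request."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 5:
            continue
        decoded, overlong = decode_lenient(unquote_to_bytes(fields[4]))
        if escapes_root(decoded):
            hits.append((n, decoded, overlong))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d: %s (overlong UTF-8: %s)" % hit)
```

Entries flagged with overlong UTF-8 are the ones a patched server would have rejected, so on a host believed to be current they are the first thing to reconcile against the installed hotfix list.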

> 
> Any advice would be much appreciated - a couple of our boxes seem to
> have been exploited using a directory traversal vulnerability, by
> uploading a file called "dr.exe", and then passing it commands to
> remove files from the box.
> 
> I have recovered our logfiles and the data fortunately, and I am still
> examining the logs.
> 
> Is this dr.exe thing a known attack? (I can't seem to find anything
> about it.)
> 
> The attacked boxes did have all the latest patches applied to them, and
> I double checked this during the code red crisis, and applied any that
> were missing.
> 
> Any information would be much appreciated.
> 
> Regards
> Lee
> --
> Lee Evans
> Vital Online Ltd
> 
> 
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com