Security Forums

hex dump directory traversal attack w/ questions & solut

Sgt_B (Trusted SF Member, Chicago, IL US)
Posted: Mon Jul 14, 2003 11:26 pm

Two more responses from incidents.org.
Both of these say pretty much the same thing. It's regarding IIS and virtual hosts. The first post makes sense since this attack is directed at an IIS server. The more I look at it the more I like it.
The second one just reinforces the theory of the first.

1)
---
Okay. I'm going to make a guess here.

The GET string, excerpted below, indicates that it is using HTTP/1.1:
GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe HTTP/1.1

(Pretty nice URL by the way.)

In order to make a valid HTTP/1.1 request, you have to specify a host name (I think the proper terminology is 'host header') for the request. I'm guessing that whoever devised this tool decided to just throw in 'www.google.com' as a host header. Under IIS, if you specify a host name that is not configured, it falls back on the first virtual host that is configured for the IP. So by specifying 'www.google.com', they pretty much guarantee that they will fall to the first host -- and on a default IIS install, this will be the default web site which lives under c:\inetpub\wwwroot

So this is my armchair one minute guess-analysis. Hope it helps somewhat.
---

2)
---
A web server might be host to multiple sites, and the Host: header on the request allows the client to specify which one he wants. I expect single-site servers just ignore it, and in any case it's not relevant to the request since directory traversal attempts to break out of the site to the host machine.
---
Spyguy (SF Reviewer, Ottawa, ON)
Posted: Tue Jul 15, 2003 3:12 pm

Well, I'll wade in here…

I also agree that the host field being set to "www.google.com" is just filler to make the HTTP GET request valid and that the requested URL (GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe HTTP/1.1) is definitely a known IIS-specific directory traversal attack.

This request is attempting to use a Unicode vulnerability to copy the Windows NT command processor (cmd.exe) to the c:\inetpub\scripts directory as filename scripts.exe. This will mean that the file will be publicly accessible via http://<hostname or IP>/scripts/scripts.exe and its presence there will allow the execution of arbitrary system commands and permit directory traversals, thus giving the attacker "free rein over the machine."

Based on the response I saw in the traffic capture, the server denied the request because the requested file was not found (HTTP/1.1 404 Not Found). This makes sense because the system appears to be running Apache web server (Server: Apache/1.3.27 (Unix)), and it would not have the directory path the URL was looking for, even if it was Apache on Windows.

This type of scan/attack is not uncommon these days, unfortunately…

Footnotes:

1 http://honeynet.overt.org/index.php/Forensics has a nice analysis of a successful attack on a Honeypot that explains this behaviour
2 http://honeynet.overt.org/index.php/Forensics - quote
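The two posts above make three separate points about this request: the path only becomes a traversal after a second round of percent-decoding (`%255c` -> `%5c` -> `\`), the query string is handed to cmd.exe as its argument list, and the `Host: www.google.com` header is filler that an HTTP/1.1 request needs but that the traversal itself does not depend on. The following script is an added example, not code from either poster or from incidents.org; it decodes a raw request the way the posts describe and reports each indicator. The request samples and the configured host list are constructed for the example, with the attack sample copied from the request line quoted in the thread.

```python
"""Classify raw HTTP requests for the IIS double-decoding traversal pattern
discussed in this thread. Added example; samples below are constructed."""
import urllib.parse

# Hosts this hypothetical server is configured to serve. Any other value in
# the Host header is the "unconfigured host" case the first post describes,
# which IIS maps to the first site bound to the IP.
CONFIGURED_HOSTS = {"www.example.com", "example.com"}  # assumption


def decode_rounds(s, max_rounds=4):
    """Percent-decode until the string stops changing.

    Returns (decoded, rounds). '%255c' takes two rounds
    ('%255c' -> '%5c' -> '\\'), which is the double decode IIS applied
    to the path in the quoted request. A single-decoding server never
    reaches the backslash, so the two cases are worth telling apart.
    """
    rounds = 0
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
        rounds += 1
    return s, rounds


def escapes_webroot(path):
    """True if resolving '..' segments ever climbs above the web root.
    Both '/' and '\\' are treated as separators, as Windows does."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def analyze_request(raw):
    """Parse a raw request (request line plus headers, CRLF separated) and
    return the indicators discussed in the thread."""
    lines = raw.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    path, _, query = target.partition("?")
    decoded_path, rounds = decode_rounds(path)
    # IIS passes the query string to cmd.exe as its arguments; '+' is a space.
    command = urllib.parse.unquote_plus(query) if query else ""
    host = headers.get("host", "")
    normalized = decoded_path.lower().replace("\\", "/")

    result = {
        "method": method,
        "version": version,
        "decoded_path": decoded_path,
        "double_encoded": rounds >= 2,
        "escapes_webroot": escapes_webroot(decoded_path),
        "cmd_exe": normalized.endswith("/cmd.exe"),
        "command": command,
        "host": host,
        # HTTP/1.1 requires a Host header; its value is irrelevant to the traversal.
        "missing_host": version == "HTTP/1.1" and not host,
        "unconfigured_host": bool(host) and host.lower() not in CONFIGURED_HOSTS,
    }
    result["verdict"] = "traversal-to-cmd.exe" if (
        result["escapes_webroot"] and result["cmd_exe"]) else "benign-path"
    return result


# Constructed samples. ATTACK reuses the request line quoted in the thread.
ATTACK = "\r\n".join([
    "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe"
    "?/c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\script.exe HTTP/1.1",
    "Host: www.google.com", "", ""])
SINGLE_ENCODED = "\r\n".join([
    "GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+dir HTTP/1.0", "", ""])
BENIGN = "\r\n".join(["GET /index.html HTTP/1.1", "Host: www.example.com", "", ""])

if __name__ == "__main__":
    for sample in (ATTACK, SINGLE_ENCODED, BENIGN):
        r = analyze_request(sample)
        print(r["verdict"], r["decoded_path"], r["command"], r["host"])
```

Run as a script it prints one line per sample. Note that `decode_rounds` only follows `%XX` encodings; the overlong UTF-8 form used by the earlier IIS Unicode bug (`%c0%af` and relatives) is a different decoder defect and is not modelled here.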
All times are GMT + 2 Hours