From: Pablo Aravena (p.aravenabysecure.com)
Date: Thu Dec 20 2001 - 07:48:45 CST
The problem looks like this:

CMD /K [command]  Executes a command and stays active.
CMD /C [command]  Executes a command and then finishes.

If you execute a cmd.exe?/k request, it stays in an active state
until the process has finished, unlike the cmd.exe?/c request,
which finishes the process immediately. Because of this, IIS does
not log the process that has not come to an end.
Pablo Aravena Martínez
Security Consultant
BYSECURE CSE S.A.
PGP FingerPrint: 4109 41C1 A295 75D8 F159 D542 96C5 5E6D 2B08 F28A
> -----Original Message-----
> From: ThEye [SMTP:theye350cc.com]
> Sent: Thursday, December 20, 2001 0:39
> To: vuln-devsecurityfocus.com
> CC: ndr113350cc.com
> Subject: sometimes IIS 4.0 don't write logs.
> I don't know if this problem is documented, but I didn't find anything
> about it anywhere.
> The problem is the following one:
> + Problem:
> When I was playing with "Microsoft IIS and PWS Extended Unicode Directory
> Traversal Vulnerability" ( BugtraqID = 1806 ) I found that if the attacker
> uses the "k" option of cmd ( cmd /k ) instead of the "c" option ( cmd /c ),
> IIS 4.0 (with Extended Unicode Directory Traversal Vulnerability)
> sometimes doesn't write logs of the attacker's activity.
> + Implications:
> If an attacker uses this vulnerability to crack a web page or anything,
> eventually no tracks will exist on the attacked server.
> + Final:
> In PROBLEM I said "sometimes" because after a high number of requests to
> "cmd /k", IIS 4.0 writes logs of some requests; still I don't know when or
> why IIS 4.0 writes logs of the "cmd /k" request.
> Anyone that can confirm or refute this please post it.
> + Exploit:
> I tested this problem on Windows NT Server 4.0 with IIS 4.0 just installed
> ( without any patch ).
> Result: No tracks on log files.
> + More Information:
> 1) Microsoft IIS and PWS Extended Unicode Directory Traversal
> 2) Microsoft Patch prmcan4i
> Roberto Alamos M. (theye350cc.com)
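
A detection-side sketch of the behaviour discussed in this thread, added here as an example and not part of either message: since a `cmd /k` request may never reach the IIS log, it cross-checks process-creation records against the log and reports web-server-spawned `cmd.exe` processes with no matching entry. The log lines, process records, the `inetinfo.exe` parent filter, the 30-second window and all function names are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed IIS log lines in W3C extended format (not from the original posts).
LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-12-20 03:10:02 192.0.2.7 GET /scripts/PLACEHOLDER/cmd.exe /c+dir 200
2001-12-20 03:10:40 192.0.2.7 GET /default.htm - 200
"""

# Constructed process-creation records: (pid, parent image, command line, start time).
# Assumed to use the same clock and timezone as the log.
PROCS = [
    (388, "inetinfo.exe", "cmd.exe /c dir", "2001-12-20 03:10:01"),
    (412, "inetinfo.exe", "cmd.exe /k dir", "2001-12-20 03:11:15"),
    (96, "explorer.exe", "cmd.exe", "2001-12-20 02:00:00"),
]

WEB_PARENTS = {"inetinfo.exe"}  # assumption: shells of interest are children of IIS
TS = "%Y-%m-%d %H:%M:%S"


def logged_shell_times(log_text):
    """Return the timestamps of logged requests whose URI stem ends in cmd.exe."""
    fields, times = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            if row.get("cs-uri-stem", "").lower().endswith("cmd.exe"):
                times.append(datetime.strptime(row["date"] + " " + row["time"], TS))
    return times


def unlogged_shells(log_text, procs, window=timedelta(seconds=30)):
    """Return (pid, cmdline) for web-spawned cmd.exe with no log entry soon after start."""
    logged = logged_shell_times(log_text)
    hits = []
    for pid, parent, cmdline, started in procs:
        if parent.lower() not in WEB_PARENTS or not cmdline.lower().startswith("cmd.exe"):
            continue
        start = datetime.strptime(started, TS)
        # A completed request is logged shortly after the process starts;
        # a shell that never exits leaves no entry at all.
        if not any(timedelta(0) <= t - start <= window for t in logged):
            hits.append((pid, cmdline))
    return hits


if __name__ == "__main__":
    print(unlogged_shells(LOG, PROCS))
```

On the constructed data the `/c` process is matched to its log entry, while the `/k` process is reported because nothing was logged for it.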