The IIS Unicode exploit lets remote users run arbitrary commands through the web server. IIS servers with the Unicode extensions loaded are vulnerable; servers running current patches may not be. This paper explains how a system compromise is achieved through this otherwise harmless service and how to minimize the vulnerability. The Unicode exploit is not a new mechanism; it is a variation of the old "Dot Dot" (directory traversal) attack. A Dot Dot attack occurs when the web server receives a malformed URL from the hacker or attacker. The malformed URL looks like,
This malformed URL shows the attack clearly. The web server starts to look for the file "../../../../../winnt/repair/sam._" relative to the web-root directory. Each "../" makes the web server step up one directory, so with five of them in a row the web server, starting from the document root, backs up five levels and looks for the winnt/repair/sam._ file there. The exact number of "../" does not matter, as long as there are enough of them to climb back to the root of the file system (c:\ on Windows or / on Unix systems). Like the Dot Dot attack, the IIS Unicode exploit uses a malformed URL sent over HTTP to walk through the directories of a vulnerable server and execute arbitrary commands. To make IIS perform the Dot Dot traversal, the exploit uses a Unicode representation of the directory delimiter (/). The exploit works because the check IIS makes for Dot Dot attacks does not recognize the Unicode representation of the slash.
Because the exploit uses HTTP, it can be launched from the address bar of a web browser. This seems to be the easiest way to exploit the vulnerability of the web server. If the attack is scripted, it can be more efficient and powerful.
A close examination of a sample exploit gives a clear picture of the attack. The following URL was run over the Internet against a vulnerable machine; it executes the dir c:\ command and returns the output as a web page. Examining the URL (the IP address has been slightly modified to protect the server's identity),
The first thing to notice in the above URL is that, on the left, it names the /scripts directory on the server www.example.com. For this particular version of the attack the path to cmd.exe must be correct and the scripts directory (or another directory with execute permissions, such as cgi-bin) must exist. The next thing to notice is the string "..%c0%af". The characters %c0%af are an overlong Unicode (UTF-8) representation of '/'. With the Unicode extension loaded on the server, the URL is interpreted as,
Analyzed in this form, the URL gives a clear picture of what is happening: it is the Dot Dot attack again. The URL backs out of the web root to the server's root directory and then calls \winnt\system32\cmd.exe with the parameters dir and c:\. The command interpreter (cmd.exe) executes the command "dir c:\", and the resulting directory listing is shown in figure 1.
Any command that the IUSR_machinename user is allowed to execute can be run by crafting a suitable URL and entering it in the address bar. The IUSR_machinename user has rights similar to those of a normal user logged in interactively at the console. The important point is that this type of exploit by itself does not give administrative-level access. An attacker gains administrative access directly only if the server is misconfigured and running as an administrative user. Otherwise the exploit serves as a first step: other vulnerabilities must also be exploited to reach administrative level, but once hackers have any level of access to the operating system, escalating to administrative level is easy for them.
The exploit depends on how the unpatched IIS server interprets Unicode characters: IIS performs its path check first and only then decodes the Unicode characters. If %c0%af is replaced by a plain /, the server returns a 404 error, which shows that IIS checks the path before interpreting the Unicode.
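As an added example (not code from the paper), the following Python models the two orderings just described: the vulnerable check-then-decode order of unpatched IIS and the safe decode-then-check order. The web root /inetpub/wwwroot is an assumed value, and the request paths used to exercise it are constructed from the /scripts, ..%c0%af and cmd.exe pieces discussed above.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Assumed document root for the demonstration (not a value from the paper).
WEB_ROOT = "/inetpub/wwwroot"


def decode_overlong_utf8(raw: bytes) -> str:
    """Decode bytes to text, also accepting the overlong two-byte UTF-8 forms
    (lead byte 0xC0 or 0xC1) that the unpatched IIS decoder accepted. Other
    bytes pass through one-to-one (Latin-1) to keep the example short."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            # Overlong form: value = (lead & 0x1F) << 6 | (continuation & 0x3F).
            # %c0%af -> 0x2F, i.e. '/', the sequence the paper discusses.
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def resolve(url_path: str) -> str:
    """Map a URL path onto the file system and collapse '.' and '..' segments."""
    rel = url_path.replace("\\", "/").lstrip("/")
    return posixpath.normpath(posixpath.join(WEB_ROOT, rel))


def inside_web_root(fs_path: str) -> bool:
    return fs_path == WEB_ROOT or fs_path.startswith(WEB_ROOT + "/")


def check_then_decode(url_path: str) -> tuple:
    """Vulnerable order (unpatched IIS): traversal check on the raw URL text,
    Unicode decoding afterwards. Returns (served, path actually opened)."""
    if not inside_web_root(resolve(url_path)):
        return (False, None)
    decoded = decode_overlong_utf8(unquote_to_bytes(url_path))
    return (True, resolve(decoded))  # may now lie outside WEB_ROOT


def decode_then_check(url_path: str) -> tuple:
    """Safe order: decode fully first, then check where the path lands."""
    target = resolve(decode_overlong_utf8(unquote_to_bytes(url_path)))
    served = inside_web_root(target)
    return (served, target if served else None)
```

The plain "/scripts/../../" form is refused by both orderings, which matches the 404 the paper observes; only the overlong form slips past the vulnerable ordering.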
TFTP EXPLOIT METHOD:
Typing the following URL
in the address bar of a browser makes the server download a file called Trojan.exe from the server xxx.xxx.xxx.xxx using TFTP and save it as c:\winnt\system32\trojan.exe. This is an easy way to download files using the Unicode exploit. Once Trojan.exe is on the server, the attacker can execute the Trojan using the URL,
If Trojan.exe were Back Orifice or NetBus, the server would be completely infected and exposed. These Trojans do not need administrative or other high-level access to be installed, and once installed they give the attacker total control of the system.
NET USE EXPLOIT METHOD:
The hacker can achieve the same outcome by accessing a share over the Internet. NetBIOS must be installed on the vulnerable server and must not be filtered along the way. The URL used will be like,
This attack can be less reliable and more complex than using TFTP. Once the share is accessed, the hacker can copy files to or from it, that is, upload or download them. Executing the uploaded or downloaded files then works much like the URL mentioned in the TFTP section.
AUTOMATED SCRIPT EXPLOIT METHOD:
Packet Storm has more examples of automated scripts. The script examined here is located at,
The chosen script is complete and properly documented. It is a zip file containing everything needed to exploit a vulnerable IIS server: Perl scripts that test a server for the vulnerability, a Trojan program that opens a backdoor on the vulnerable server, and a TFTP server to run on the attacker's local box. The first step of this type of exploit is to check whether the server is vulnerable. The Perl script that does this is called uni.pl; with this tool or a similar one, a number of IP addresses can be scanned to determine which servers are vulnerable to this type of exploit. The next step is to make the target server download an executable called ncx99.exe. The package provides a TFTP server that runs on Windows, with detailed instructions for setting it up so that remote TFTP clients can download files. The attacker then uses a second Perl script, uniexe.pl, to make the target server download files from the TFTP server. The last step is executing the file that was uploaded to the vulnerable server, which is also done with uniexe.pl. The Perl code for uni.pl and uniexe.pl can be found in the Source Code/Pseudo Code section.
When ncx99.exe is executed on the targeted server, it allows the hacker to connect directly to port 99 with telnet or netcat, without authentication. Since this connection does not go through IIS, the IIS logs can be accessed by the hacker over the port 99 connection. ncx99.exe acts as a telnet server running on port 99; it is simply a modified netcat that needs no switches or options. The standard netcat executable does the same thing with the following options:
nc -l -p 99 -t -e cmd.exe
This command tells netcat to listen on port 99 and, on receiving a connection, to execute cmd.exe. This opens a telnet server on port 99 that requires no authentication. Once the hacker has command-line access, he can download other code, such as getadmin.exe, that gives administrative-level access. There are several binaries that add a particular user to the Administrators group or allow any user to execute commands with administrative rights. Most of these exploits work well on Windows 2000 SP1 machines. The three main targets of the hackers are data integrity, confidentiality and availability. To hide their attacks, the attackers delete the logs and turn off auditing,
PROTECTING THE SYSTEM:
Keeping the server's patches up to date is the best way to protect the system. Microsoft issued a patch in 2001 that solved the problem, although the patch was actually released to fix a file permissions problem. Microsoft's security bulletin MS00-078, "Web Server Folder Traversal", warned about the problem and explained that the patch from MS00-057, "File Permission Canonicalization", fixed it. This patch should be applied if the web server is vulnerable. It is vital to follow the bulletins and patches released by Microsoft.
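Patching is the fix; as an added, defensive example that is not from the paper, the following Python scans IIS W3C extended log lines for the overlong-encoded ".." the paper describes, so that attempts can be spotted in the logs whether or not they succeeded. The log excerpt is constructed for the example and uses documentation IP addresses.

```python
import re

# A two-byte UTF-8 sequence with lead byte 0xC0 or 0xC1 is always overlong,
# so a percent-encoded run of it directly after ".." is the traversal the
# paper describes (e.g. ..%c0%af). Matching is case-insensitive.
OVERLONG_DOTDOT = re.compile(r"\.\.(?:%c[01]%[89ab][0-9a-f])+", re.IGNORECASE)

# Constructed IIS W3C extended log excerpt (not real traffic). The #Fields
# header says which columns hold the client address, URI stem and status.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-01 10:00:01 192.0.2.10 GET /default.asp - 200
2001-05-01 10:00:07 192.0.2.77 GET /scripts/..%c0%af../winnt/system32/cmd.exe - 200
2001-05-01 10:00:09 192.0.2.77 GET /scripts/../../winnt/system32/cmd.exe - 404
2001-05-01 10:00:12 192.0.2.10 GET /images/logo.gif - 200
"""


def find_unicode_traversal(log_text: str) -> list:
    """Return (c-ip, cs-uri-stem, sc-status) for every request whose URI stem
    contains an overlong-encoded '..' traversal. Requests using a plain '/'
    are not flagged here: those are the ones IIS already refuses with a 404."""
    hits, fields = [], None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the lines below
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        cols = line.split(" ")
        if len(cols) != len(fields):
            continue                       # malformed line, skip it
        rec = dict(zip(fields, cols))
        if OVERLONG_DOTDOT.search(rec["cs-uri-stem"]):
            hits.append((rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"]))
    return hits
```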