[Snort-sigs] WEB-IIS _mem_bin access SID 1286

Justan Lee justanlee at ...12...
Tue May 7 08:48:07 EDT 2002


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:
WEB-IIS _mem_bin access

--
Sid:
1286

--
Summary:
This can be an attempt to gain local user privileges on a webserver, or 
attempt to retrieve information not typically available for public access 
such as default AUO (LDAP) schema and LDAP user password reminders.

--
Impact:
Microsoft IIS

Two areas of impact:
(comment: part 1 is probably covered under other signatures, but since it is 
the most common use of _mem_bin attacks, I have included it. Really, you 
never see an attack mentioned in part 2 - but it's not impossible ;)
1. Intruders can execute commands remotely on the webserver
2. Intruders can leak information via pages installed in \wwwroot\_mem_bin 
by MS Site Server 3.0

--
Detailed Information:
(comment: This info probably will be covered in other signatures (such as 
cmd.exe or root.exe access))
1. Commands can be executed remotely on the webserver
IIS had 2 major bugs that allowed commands to be executed remotely on the 
webserver. Intruders could gain local user permission by using a superfluous 
decoding vulnerability in IIS. The _mem_bin directory is selected as part of 
the attack, because it has a likelihood of being present (installed by MS 
Site Server) and could be used to escape out of \wwwroot\. More importantly 
it may have less strict permission than standard folders in \wwwroot\. Other 
folders that have been used, which may also have lax permission are 
/_vti_bin, /scripts and /msadc.

2. Leak information from the webserver
Systems with Site Server version 3.0 with SP3 (and prior) and NT5 SP5 are 
vulnerable
Systems with Site Server Commerce Edition are vulnerable

For a description of this type of intrusion see:

Security considerations to keep in mind when using Site Server 3.0 
http://www.securiteam.com/windowsntfocus/5FP020K6AW.html

RFP2201: MS Site Server Evilness 
http://www.wiretrip.net/rfp/p/doc.asp/i6/d69.htm

--
Attack Scenarios:

1. Execute commands remotely - can be any command, but cmd.exe is common to 
test if a system is vulnerable, or already compromised

GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe

Will be translated insecurely in unpatched versions of IIS to:

GET /_mem_bin/..\../..\../..\../winnt/system32/cmd.exe


2. Leak Information
GET /_mem_bin/auoconfig.asp
GET /_mem_bin/remind.asp

--
Ease of Attack:
Both types of attack are quite simple.

The attempt to execute commands remotely is typically Nimda and Code Red 
worms scanning routinely for vulnerable machines. The attempt to leak 
information is slightly more esoteric, with the information gained possibly 
only useful to a more advanced intruder.

--
False Positives:
Both relate to IIS.
For the leak information:
  You are using Site Server 3.0 with better than SP3.
  You are not using Active Server 3.0, and do not have the _mem_bin 
directory in \wwwroot\ (on any service)

For the attempt to execute a command remotely, these false positives apply to 
unpatched IIS only.
--
False Negatives:

--
Corrective Action:
If you are using Site Server 3.0 - patch with the latest offering from 
Microsoft. Remember to re-apply SP6a on NT machines, and the IIS security 
roll-up patch. If you do not use /_mem_bin/auoconfig.asp or 
/_mem_bin/remind.asp, they can be removed.

If you are not using Site Server 3.0 - remove /_mem_bin from \wwwroot\ if it 
exists.

Everyone using IIS should ensure they have the latest IIS Security roll-up 
from Microsoft; it is also a very good idea to run the IIS lockdown tool 
from Microsoft. Check your IIS log files. If they have been tampered with, 
or are missing, or you see successful attempts to execute commands remotely, 
such as commands to copy files or run tftp, your system has been 
compromised. A system wipe followed by a fresh install is the only way to be 
certain of removing any backdoors placed by the intruder. This is a very 
serious issue.
--
Contributors:
Justan Lee
--
Additional References:
CERT Advisory CA-2001-26 Nimda Worm 
http://www.cert.org/advisories/CA-2001-26.html
CERT Advisory CA-2001-12 Superfluous Decoding Vulnerability in IIS 
http://www.cert.org/advisories/CA-2001-12.html


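Added example (not part of the submission above and not the Snort rule itself): an offline checker that runs the two attack scenarios described in the post over IIS log lines. It canonicalises a request URI the way an unpatched IIS effectively did (percent-decode, then decode again after the check, as in CA-2001-12; Nimda sent both the `%5c` and the `%255c` form), folds backslashes to slashes, resolves `..`, and reports a `/_mem_bin/` traversal to cmd.exe or root.exe and a plain fetch of auoconfig.asp or remind.asp separately. It assumes SID 1286 keys on the URI containing `/_mem_bin/` (the rule body is not quoted in the post), and the log lines and field layout are constructed for the example.

```python
"""Offline detection of the _mem_bin scenarios from the SID 1286 write-up.

Added example; not code from the post or from the Snort project.
"""
from urllib.parse import unquote

# Directories the post names as common starting points for traversal on IIS.
TRAVERSAL_DIRS = {"_mem_bin", "_vti_bin", "scripts", "msadc"}
# Site Server 3.0 pages the post says leak AUO/LDAP schema and reminders.
SITESERVER_PAGES = {"auoconfig.asp", "remind.asp"}
# Command interpreters the worms of the period went after (cmd.exe, root.exe).
COMMAND_TARGETS = {"cmd.exe", "root.exe"}


def canonicalize(uri, rounds=2):
    """Return (resolved_path, escaped_root) for a request URI.

    Percent-decoding is applied up to `rounds` times. Two rounds model the
    CA-2001-12 'superfluous decoding' bug: IIS checked the path after one
    decode and then decoded again, so '..%255c' passed the check and became
    '..\\' afterwards. Backslashes are folded to '/', '.' and '..' segments
    are resolved, and escaped_root is True if '..' climbs above the web root.
    """
    path = uri.split("?", 1)[0]          # ignore the query string (e.g. ?/c+dir)
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    parts, escaped = [], False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            else:
                escaped = True           # climbed above \wwwroot\
            continue
        parts.append(seg)
    return "/" + "/".join(parts), escaped


def classify(uri):
    """Return the findings for one request URI as a list of short strings."""
    path = uri.split("?", 1)[0]
    decoded = unquote(unquote(path)).replace("\\", "/").lower()
    top = decoded.lstrip("/").split("/", 1)[0]   # first directory requested
    resolved, escaped = canonicalize(uri)
    resolved = resolved.lower()
    base = resolved.rsplit("/", 1)[-1]
    findings = []
    # What SID 1286 itself fires on: any request under /_mem_bin/
    # (assumed to be uricontent:"/_mem_bin/"; the rule body is not in the post).
    if top == "_mem_bin":
        findings.append("sid1286 _mem_bin access")
    if top in TRAVERSAL_DIRS and escaped:
        findings.append("traversal out of web root via /%s/ -> %s" % (top, resolved))
    if escaped and base in COMMAND_TARGETS:
        findings.append("remote command execution attempt (%s)" % base)
    if top == "_mem_bin" and base in SITESERVER_PAGES and not escaped:
        findings.append("site server information leak page (%s)" % base)
    return findings


def scan_log(lines):
    """Scan W3C-style lines 'date time c-ip cs-method cs-uri-stem cs-uri-query
    sc-status' and return (client, status, finding) tuples. The field layout is
    the one used in SAMPLE_LOG below, not a general W3C log parser."""
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        _date, _time, client, _method, stem, _query, status = fields[:7]
        for finding in classify(stem):
            hits.append((client, status, finding))
    return hits


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2002-05-07 08:48:07 10.0.0.5 GET /index.asp - 200",
    "2002-05-07 08:48:09 10.0.0.9 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 200",
    "2002-05-07 08:48:10 10.0.0.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+tftp 404",
    "2002-05-07 08:48:12 10.0.0.7 GET /_mem_bin/remind.asp - 200",
]

if __name__ == "__main__":
    for client, status, finding in scan_log(SAMPLE_LOG):
        print("%s sc-status=%s %s" % (client, status, finding))
```

A 200 on a traversal to cmd.exe is the "successful attempt" the post tells you to look for in the log; a 404 means the patched or lockdown'ed server refused it but the host is still being scanned. The second decode round is what makes the `%255c` form visible; with `rounds=1` it resolves to a literal `..%5c..` segment and would be missed.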




