The IIS Directory Traversal Vulnerability is in regards to an improperly implemented IIS engine, which improperly interprets unicodes (e.g. %c0%9v) and allows the web client to "traverse" above the webserver's document root (usually set to c:/inetpub/wwwroot). If you review your logs in c:\winnt\system32\Logs\W3SVC1 or something like that, you'd discover that an entry such as http://<target_host>/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir in the web browser will be interpreted as http://<target_host>/scripts/../../winnt/system32/cmd.exe?/c+dir by IIS. The above line will basically dir your c:/inetpub/scripts directory!!
Imagine what you can do with this!! ...issue a command to format the whole hard disk!!!! The dr.exe file you found in the ../scripts directory is probably a re-named copy of cmd.exe, as this makes the intruder's life a little easier and masks the activities from IDSs. Anyway, M$ has issued patches for this under MS00-57 and MS00-78 to address this vulnerability.

HTH.

Patrick Cheong
Security Specialist
Hitechniaga Sdn Bhd

> Any advice would be much appreciated - a couple of our boxes seem to
> have been exploited using a directory traversal vulnerability, by
> uploading a file called "dr.exe", and then passing it commands to
> remove files from the box.
>
> I have recovered our logfiles and the data fortunately, and I am still
> examining the logs.
>
> Is this dr.exe thing a known attack (I can't seem to find anything
> about it)?
>
> The attacked boxes did have all the latest patches applied to them, and
> I double checked this during the Code Red crisis, and applied any that
> were missing.
>
> Any information would be much appreciated.
>
> Regards
> Lee
> --
> Lee Evans
> Vital Online Ltd
>
> This message is intended only for the use of the person(s) ("The
> intended recipient(s)") to whom it is addressed. It may contain
> information which is privileged and confidential within the
> meaning of applicable law. If you are not the intended recipient,
> please contact the sender as soon as possible. The views expressed in
> this communication may not necessarily be the views held by Vital
> Online Ltd.
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
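Added example, not part of the original thread: a small Python checker for the decoding behaviour Patrick describes, run over a constructed W3SVC-style log excerpt. It decodes overlong two-byte UTF-8 forms the way an unpatched decoder would (%c0%af is an overlong '/', %c1%9c an overlong '\'), then flags requests whose decoded path climbs above the document root or that invoke a command shell, so a renamed cmd.exe such as dr.exe is caught by its `/c` query rather than its filename. The log lines, client addresses and timestamps are constructed for this example.

```python
import re
# Constructed sample in IIS W3C extended log format (not from the original post).
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-25 10:01:02 10.0.0.5 GET /default.htm - 200
2001-07-25 10:02:13 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-07-25 10:02:40 10.0.0.9 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+copy+cmd.exe+dr.exe 200
2001-07-25 10:03:01 10.0.0.9 GET /scripts/dr.exe /c+del+c:\\inetpub\\wwwroot\\index.htm 200
2001-07-25 10:04:00 10.0.0.7 GET /images/a%20b.gif - 200
"""
TOKEN = re.compile(r'%([0-9a-fA-F]{2})|(.)')  # one percent-escape or one literal char

def decode_lenient(stem):
    """Percent-decode, then decode as a buggy UTF-8 decoder would: accept
    overlong two-byte forms (lead 0xC0/0xC1), so %c0%af -> '/' and %c1%9c -> '\\'."""
    raw = bytes(int(h, 16) if h else ord(c) for h, c in TOKEN.findall(stem))
    out, overlong, i = [], False, 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))  # overlong form
            overlong, i = True, i + 2
        else:
            out.append(chr(b)); i += 1
    return ''.join(out), overlong

def escapes_root(path):
    """True if the normalised path climbs above the document root."""
    depth = 0
    for seg in path.replace('\\', '/').split('/'):
        depth += -1 if seg == '..' else (seg not in ('', '.'))
        if depth < 0:
            return True
    return False

def scan_log(text):
    """One finding per suspicious request: (c-ip, decoded stem, reasons)."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith('#'):
            continue
        _d, _t, ip, _m, stem, query, _s = line.split(' ', 6)
        decoded, overlong = decode_lenient(stem)
        reasons = [msg for hit, msg in (
            (overlong, 'overlong UTF-8 in path'),
            (escapes_root(decoded), 'path escapes document root'),
            (decoded.lower().endswith('cmd.exe') or query.lower().startswith('/c'),
             'command shell invocation')) if hit]
        if reasons:
            findings.append((ip, decoded, reasons))
    return findings
```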