PUT requests and Using Web Server Logs, trillian exploit, sudo exploit.

Published: 2004-09-21. Last Updated: 2004-09-22 02:22:16 UTC
by Cory Altheide (Version: 1)
0 comment(s)
"PUT" Followup

The 'PUT' requests we posted about yesterday have now been linked
to a defacement crew. As mentioned yesterday, make sure you disable
'PUT', or if you use it, secure it sufficently.

Web Server Error Log Patterns

Based on our note about web site defacement attempts using 'PUT'
requests, we received a couple of reports about various odd web server
log entries. Monitoring these entries is important and a web server
log can provide many of the information traditionally provided by an
intrusion detection system. While incomplete, here a couple of common
patterns:

(a) spam relays.

There are a number of commonly installed cgi scripts that can be used
to relay spam. Among others, these are formmail.pl,rt_response.cgi,
friends.cgi,backcon_sales.cgi, mt-send-entry.cgi (there are many more)

(b) Unicode exploits.
Old versions of IIS do not decode unicode correctly. As a result, the
right URL may allow traversal of your system files and execution of
commands via the 'script' url. Most commonly, these requests are caused
by the Nimda worm. Typical requests:
/_vti_cnf/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe

(c) Buffer overflows.
Various web servers can be tricked into executing arbitrary code by
triggering buffer overflows. Typically, the requests stick out because
they use long URLs in various shapes to trigger the overflow. As a
sample the famous Code Red request:

GET /default.ida?NNNNNNN...NNNNNNNN%u9090%u6858

or more recently the WebDav 'search' exploit:
SEARCH /AAAAAAAAAAAAAAAANNNNNNNNNNNN....

(both log entries abbreviated)

(d) SQL injection / script exploits

SQL injection typically attempts to insert quotes to terminate the
SQL statement and start a new (malicious) command. For example:
GET somescript.php?param=test'%20or%201=1

(e) Cross Site Scripting

In its simples form, you will see the string '<script>' included
in the URL. However, this may be obfuscated using URL encoding. Again,
overly long (and just plain weird looking) URLs will show whats going
on. Since XSS is usually used against a valid URL, you will not see
an entry in your error log, and even if you are not vulnerable, you
will see a '200' code or similar.

Lesson of the day:

Most of these exploit attempts are 'harmless' for a well maintained web
site. They do attempt to exploit older faults of standardized scripts.
In order to detect more targeted attacks, consider the following:

Many times, as part of standard recognizance prior to an attack, the
attacker will download the 'robots.txt' file, to look for URL that
should not be indexed by search engines. Inexperienced sysadmins will
use this technique to 'hide' administrator pages. The attacker will
then use the 'robots.txt' file as a guide to launch their attack.

Add a fake "admin page" to your robots.txt "disallow" section. If you
are using a web scripting language like php, have it send you an e-mail
whenever this fake admin page is accessed. This will provide an instant
IDS to alert you of anyone poking around in areas they shouldn't.

Trillian Exploit

An exploit has been released against the popular instant messenger client
'trillian'. It is written to exploit the MSN module vulnerability in Trillian version 0.74i

sudo vulnerability

sudo version 1.6.8 may provide a local attacker with super user (root) access to files.

----------

Johannes Ullrich, jullrich'&at&sans.org (filling in for Cory today)
Keywords:
0 comment(s)

Comments


Diary Archives