Security Incidents mailing list archives
Re: Some details in a recent NT hack we encountered
From: Matt Scarborough <vexversa () USA NET>
Date: Mon, 26 Feb 2001 03:32:08 EST
On Sun, 25 Feb 2001 22:21:11 -0700, Ron Grove <rgrove () HOTMAIL COM> wrote:

> I don't know exactly where he got SYSTEM access, but I expect somehow through dl.exe?

Regis, this is my final answer. This is a better answer than I gave before.

This all goes back to the UNICODE exploit as point of entry. A site vulnerable to the UNICODE exploit is likely vulnerable to this kit.

IIS4 on NT4 ran E.ASP as Local System. This is by design (seriously.) E.ASP was a WSH file that, when launched, wrote DL.BAT, launched a command shell, and ran DL.BAT.

In the E.ASP example you gave, adding this line

    tf.WriteLine("CMD /C DumpTokenInfo.exe >dump.txt")

will add

    CMD /C DumpTokenInfo.exe >dump.txt

to DL.BAT and give us the process token when that line is executed via IIS (when E.ASP is requested remotely from a web browser and runs WSH.) Provided of course, for testing, we throw DumpTokenInfo.exe into C:\INETPUB\SCRIPTS\ first. From Dump.txt we get:

    Token Owner: BUILTIN\Administrators - Alias
    Token Primary Group: NT AUTHORITY\SYSTEM - User
    Token Default DACL:
        Access Allowed for: NT AUTHORITY\SYSTEM - User
            All access
        Access Allowed for: BUILTIN\Administrators - Alias
    Token Source: *SYSTEM*
    Token type: Primary Token
    Token is not an impersonation token

DumpTokenInfo is at http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=15989

That is how

    C:\WINNT\system32\os2\dll\new\FireDaemon.exe
    C:\WINNT\system32\os2\dll\new\login.txt
    C:\WINNT\system32\os2\dll\new\MMtask.exe
    C:\WINNT\system32\os2\dll\new\SUD.bak
    C:\WINNT\system32\os2\dll\new\SUD.exe
    C:\WINNT\system32\os2\dll\new\cache\cache.idx

were created and C:\WINNT\system32\os2\dll\new's ownership was set to SYSTEM.

BTW, SUD.EXE = Serv-U FTP Server, MMTask.exe = WinGate 3.0 Engine.

If you see activity on these ports (probably configurable though, this is a kit), Heads Up!

    FPort v1.33 - TCP/IP Process to Port Mapper
    Copyright 2000 by Foundstone, Inc.
    http://www.foundstone.com

    Pid   Process            Port  Proto Path
    240   MMtask         ->  9273  TCP   C:\WINNT\system32\os2\dll\new\MMtask.exe
    240   MMtask         ->  9274  TCP   C:\WINNT\system32\os2\dll\new\MMtask.exe
    240   MMtask         ->  9275  TCP   C:\WINNT\system32\os2\dll\new\MMtask.exe
    240   MMtask         ->  9276  TCP   C:\WINNT\system32\os2\dll\new\MMtask.exe
    240   MMtask         ->  9277  TCP   C:\WINNT\system32\os2\dll\new\MMtask.exe
    240   MMtask         ->  9278  TCP   C:\WINNT\system32\os2\dll\new\MMtask.exe
    229   SUD            ->  19216 TCP   C:\WINNT\system32\os2\dll\new\SUD.exe
    229   SUD            ->  45092 TCP   C:\WINNT\system32\os2\dll\new\SUD.exe
    240   MMtask         ->  1040  UDP   C:\WINNT\system32\os2\dll\new\MMtask.exe

Matt
2001-02-26
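An added example, not part of Matt's post and not code from Foundstone's FPort, showing the check a responder would run over an FPort listing like the one above: parse the "Pid Process -> Port Proto Path" rows, then flag any listener whose executable lives under a directory where no service should be running, or whose port is one of those Matt reported. The sample input is the post's own FPort output plus one constructed benign inetinfo row so the filter has something to pass; the directory fragments and the port set are assumptions taken from the post, and because the post warns the ports are probably configurable, the path check is treated as the stronger indicator.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Sample input: the FPort listing from the post, plus one constructed benign
# inetinfo row (not from the post) that the filter should leave alone.
SAMPLE_FPORT_OUTPUT = r"""FPort v1.33 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
120   inetinfo       ->  80    TCP   C:\WINNT\system32\inetsrv\inetinfo.exe
240   MMtask         ->  9273  TCP   C:\WINNT\system32\os2\dll\new\MMtask.exe
240   MMtask         ->  9274  TCP   C:\WINNT\system32\os2\dll\new\MMtask.exe
240   MMtask         ->  9275  TCP   C:\WINNT\system32\os2\dll\new\MMtask.exe
240   MMtask         ->  9276  TCP   C:\WINNT\system32\os2\dll\new\MMtask.exe
240   MMtask         ->  9277  TCP   C:\WINNT\system32\os2\dll\new\MMtask.exe
240   MMtask         ->  9278  TCP   C:\WINNT\system32\os2\dll\new\MMtask.exe
229   SUD            ->  19216 TCP   C:\WINNT\system32\os2\dll\new\SUD.exe
229   SUD            ->  45092 TCP   C:\WINNT\system32\os2\dll\new\SUD.exe
240   MMtask         ->  1040  UDP   C:\WINNT\system32\os2\dll\new\MMtask.exe
"""


class Listener(NamedTuple):
    pid: int
    process: str
    port: int
    proto: str
    path: str


# One FPort data row: pid, process name, "->", port, TCP/UDP, image path.
FPORT_ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s+(.+?)\s*$", re.IGNORECASE
)


def parse_fport(text: str) -> List[Listener]:
    """Return the data rows of an FPort listing; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = FPORT_ROW.match(line)
        if m:
            rows.append(
                Listener(int(m.group(1)), m.group(2), int(m.group(3)),
                         m.group(4).upper(), m.group(5))
            )
    return rows


# Assumption: directory fragments under which no legitimate NT4 service listens.
# os2\dll\new is the hidden directory the post reports; the SCRIPTS directory is
# where the post's E.ASP / DL.BAT chain executes from.
UNEXPECTED_DIR_FRAGMENTS = ("\\system32\\os2\\", "\\inetpub\\scripts\\")

# Ports named in the post. Treated as a weak indicator only, since the post
# itself notes the kit's ports are probably configurable.
KIT_PORTS = frozenset({9273, 9274, 9275, 9276, 9277, 9278, 19216, 45092})


def flag_listeners(rows: List[Listener]) -> List[Tuple[Listener, List[str]]]:
    """Return (row, reasons) for every listener that trips a path or port indicator."""
    findings = []
    for row in rows:
        reasons = []
        lower_path = row.path.lower()
        if any(frag in lower_path for frag in UNEXPECTED_DIR_FRAGMENTS):
            reasons.append("executable under unexpected directory")
        if row.port in KIT_PORTS:
            reasons.append("port matches one reported in the post")
        if reasons:
            findings.append((row, reasons))
    return findings


def ports_by_image(rows: List[Listener]) -> Dict[Tuple[int, str], List[str]]:
    """Group ports per (pid, image path) so one process with many ports reads as one entry."""
    groups: Dict[Tuple[int, str], List[str]] = {}
    for row in rows:
        groups.setdefault((row.pid, row.path), []).append(f"{row.port}/{row.proto}")
    return groups


if __name__ == "__main__":
    parsed = parse_fport(SAMPLE_FPORT_OUTPUT)
    for row, reasons in flag_listeners(parsed):
        print(f"pid {row.pid} {row.process} {row.port}/{row.proto} {row.path}: {'; '.join(reasons)}")
    for (pid, path), ports in ports_by_image(parsed).items():
        print(f"pid {pid} {path}: {', '.join(ports)}")
```

Run it against a saved FPort capture by reading the file into parse_fport in place of the sample string. The 1040/UDP MMtask row is caught by the path check alone, which is the point of keeping the two indicators separate: a kit rebuilt on different ports still has to run from somewhere.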