HTTP URL with double-encoded ../ - Internet Security Systems

HTTP URL with double-encoded ../

advICE :Intrusions : 2000645
Summary

Suspicious access to the web server was detected, probably an attempted intrusion via the Microsoft IIS "Superfluous Decoding" vulnerability (MS01-026).

Details

The most popular technique hackers use to break into web-servers is through "data driven" attacks. The web-server is just a "front-end" that passes requests through to the back-end system. Attackers attempt to "drive" data through the front-end in order to compromise the back-end.

In order to combat attackers, web-servers attempt to clean up input before executing a request. For example, when presented with a request that looks like "foo/bar/../index.html", the web-server converts it to the proper "foo/index.html" before executing the request. Removing the ".." parts of the URL is an important security measure. Most attacks against web-servers involve adding too many "../../.." components to the filename, breaking out of the directory tree reserved for the web-server and allowing the intruder to read or execute other files on the disk.

Web-servers also interpret "URL-encoding", which expresses any byte of the request as a percent sign followed by two hex digits. The backslash "\" is "%5C" (the forward slash "/" is "%2F"), and IIS on Windows accepts either character as a path separator. Therefore, when presented with a request that looks like "foo%5Cindex.html", the web-server translates it into "foo\index.html", which refers to the same file as "foo/index.html".

Microsoft's IIS (Internet Information Server) web-server software incorrectly performs the "URL-encoding" translation twice, but runs its directory traversal/climbing check only after the first translation. This allows a server to be compromised easily. It is a major problem; anyone who uses Microsoft's IIS (or the Personal Web Server version) should patch their systems immediately.

Example

An example attack looks like the following URL:

http://example.com/Scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+\

This example obtains a directory listing of the root of the drive. It works through the following steps. The hex encoding "%25" is the "percent" character "%" itself, so the first URL-encoding translation turns "%255c" into "%5c" and converts the URL into one that looks like:

http://example.com/Scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+dir+\

The directory traversal/climbing check then looks for sequences such as "..\.." or "../..". It finds none, because the separators are still encoded as "%5c".

The input then erroneously goes through a second URL-encoding translation, resulting in the following URL:

http://example.com/Scripts/..\..\winnt/system32/cmd.exe?/c+dir+\

On most Windows servers, the "Scripts" directory maps to "C:\inetpub\Scripts". This is an "executable" directory: rather than reading the file, the server will attempt to run it as a program. Therefore, the server will attempt to run:

C:\inetpub\Scripts\..\..\winnt/system32/cmd.exe /C dir \

At this point the underlying Windows operating system, which accepts "/" and "\" interchangeably, resolves the "..\.." components against C:\inetpub\Scripts and climbs up to the root of the drive, so the program actually executed is:

C:\winnt\system32\cmd.exe /C dir \

The program "cmd.exe" then runs, and in turn executes the command specified on its command line, which is:

dir \

The end result will be to list the files in the root directory of the server. However, the attacker could run much more dangerous commands, such as those to deface the web-site or upload their own hacker utilities.
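The decode, check, decode-again sequence described above, modelled in Python as an added example (this is not ISS's or Microsoft's code). It assumes a web root of /inetpub with the Scripts directory beneath it, writes on-disk paths with forward slashes so the model runs on any platform, and ignores the query string. The "vulnerable" function decodes a second time after the traversal check, exactly as the page describes; the "patched" one decodes once, canonicalises the path and refuses anything that lands outside the web root.

```python
import posixpath
from urllib.parse import unquote

# Assumed layout: the "Scripts" virtual directory lives under this web root
# (the page's C:\inetpub\Scripts, written with forward slashes so the model
# runs on any platform).
WEBROOT = "/inetpub"


def has_traversal(decoded_path: str) -> bool:
    """The traversal check as the page describes it: look for '..' followed
    by a path separator. It sees the once-decoded string, so '..%5c' passes."""
    return "../" in decoded_path or "..\\" in decoded_path


def resolve(webroot: str, virtual_path: str) -> str:
    """Map a fully decoded virtual path onto the disk the way Windows would:
    either separator is accepted and '..' climbs toward the drive root."""
    joined = webroot + "/" + virtual_path.replace("\\", "/")
    return posixpath.normpath(joined)


def vulnerable_iis(url_path: str):
    """Models MS01-026: decode, check for traversal, then decode again."""
    once = unquote(url_path)
    if has_traversal(once):
        return ("rejected", None)
    twice = unquote(once)            # the superfluous second decode
    return ("executed", resolve(WEBROOT, twice))


def patched_iis(url_path: str):
    """Decode exactly once, canonicalise, then refuse anything outside the
    root. The doubly-encoded request becomes a literal file name under
    Scripts ('..%5c..%5cwinnt'), which does not exist on disk."""
    once = unquote(url_path)
    target = resolve(WEBROOT, once)
    if target != WEBROOT and not target.startswith(WEBROOT + "/"):
        return ("rejected", None)
    return ("executed", target)


if __name__ == "__main__":
    attack = "Scripts/..%255c..%255cwinnt/system32/cmd.exe"  # page's example, query dropped
    single = "Scripts/..%5c..%5cwinnt/system32/cmd.exe"      # single-encoded: caught
    print("vulnerable, double-encoded:", vulnerable_iis(attack))
    print("vulnerable, single-encoded:", vulnerable_iis(single))
    print("patched,    double-encoded:", patched_iis(attack))
```

The single-encoded request is rejected by the vulnerable model too, which is why the attack needs "%255c": the check itself is sound, it is simply run at the wrong point in the pipeline.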

Defense

If you run a web-server that the public can access, you must keep up with the latest patches from the vendor. For IIS that means the patches from Microsoft; the fix for this issue is described in bulletin MS01-026. They can be found at:

http://www.microsoft.com/security

You can also sign up for e-mail alerts from Microsoft.

Microsoft has extensive guidelines for securing an IIS server. One part of the guidelines is to remove programs like "cmd.exe" so that they cannot be reached by the account IIS runs under. A server installed according to these guidelines is much harder to break into via this attack: the traversal still works, but there is no useful program for it to run.

Trigger

The IDS raises this alert when its URL-decoding engine finds a doubly-encoded character inside a directory traversal/climbing sequence (for example "..%255c").

False positives

There should be no false positives under normal conditions. Because this attack is so widely known, it has been built into standard web vulnerability scanners, so you will often see it as part of a reconnaissance scan of your web-server. Seeing the alert does not by itself mean that the system has been compromised, only that someone tried.
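A detector for the trigger condition, written here as an added example in Python (it is not the signature from ISS's product). It decodes the request path once and then looks for a traversal sequence in which a dot or separator is still percent-encoded, which can only happen if the original was encoded twice. The log lines are constructed for the example, loosely in IIS W3C extended format (date, time, client IP, method, URI stem, query, status); single-encoded traversal and double-encoding elsewhere in the URL are deliberately left unflagged.

```python
import re
from urllib.parse import unquote

# On the once-decoded path, '..' followed by a separator in any mix of plain
# and still-encoded characters. A match that still contains '%' can only
# come from a request that was encoded twice: one decode of a normally
# encoded URL never leaves an escape behind.
TRAVERSAL = re.compile(r"(?:\.|%2e){2}(?:/|\\|%2f|%5c)", re.IGNORECASE)


def is_double_encoded_traversal(uri_stem: str) -> bool:
    """True when the path needs a second decode to become '..' + separator."""
    once = unquote(uri_stem)
    return any("%" in m.group(0) for m in TRAVERSAL.finditer(once))


# Constructed sample, loosely in IIS W3C extended format:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-05-16 10:01:02 10.0.0.5 GET /Scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir+\\ 200
2001-05-16 10:01:03 10.0.0.5 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+dir 404
2001-05-16 10:01:04 10.0.0.9 GET /docs/report%2520final.html - 200
2001-05-16 10:01:05 10.0.0.9 GET /index.html - 200
"""


def scan_log(log_text: str) -> list:
    """Return the URI stems of requests that match the trigger."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[3] not in ("GET", "HEAD", "POST"):
            continue
        if is_double_encoded_traversal(fields[4]):
            hits.append(fields[4])
    return hits


if __name__ == "__main__":
    for stem in scan_log(SAMPLE_LOG):
        print("double-encoded traversal:", stem)
```

The second sample line (single-encoded "..%5c") is a traversal attempt, but not this signature; it would be caught by the ordinary directory-climbing check, which is exactly the check the double encoding is designed to slip past. The third line shows that "%25" on its own is not enough to fire the alert.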

More information

MS Bulletin MS01-026: Superfluous Decoding Operation Could Allow Command Execution via IIS
CERT CA-2001-12: Superfluous Decoding Vulnerability in IIS
BugtraqID 2708: MS IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
Microsoft Knowledge Base Q295534: Superfluous Decoding Operation Can Allow Command Execution Through IIS
CVE-2001-0333
ISS Advisory 77: IIS URL Decoding Vulnerability

Version appeared: 2.5 
