Well, the "Scan of the Month" exercise has had its deadline, so now I can present my findings. So, here is my submission. There are other great submissions at http://project.honeynet.org/scans/scan12/ ; some bring up a point I forgot, the OS->IP fingerprints for instance, which is pretty cool, so I suggest you check it out.

Regards,
Glenn

To: project@honeynet.org

Hi. This is my submission for "Scan12", or Scan of the Month for February.

Regards,
Glenn "Ichinin" Larsson (Security researcher)
Vasteras, Sweden
[Ichinin{at}suespammers{dot}org]

### QUESTION 1: What is the operating system of the honeypot, how do you know?

-> Most likely Windows NT 4.0, running IIS 4.0. How do I know? Well, IIRC, Win2K & NT5 (beta) were shipped with IIS 5.0. (But then... it MAY be a VMware emulation of NT 4.0 :o)

### QUESTION 2: What is the name of this attack?

-> To my best findings: IIS Extended UNICODE Directory Traversal Vulnerability ( http://www.securityfocus.com/bid/1806 )

### QUESTION 3: What is the attack attempting to accomplish?

-> This particular method is attempting to list files, but it is possible to retrieve files, move files, delete files or even start/stop services.

### QUESTION 4: How does the attack work?

-> It utilises Unicode to make the IIS parser fail.

BONUS QUESTION: Is it possible to gain remote control of the system using this technique? If so, how?

-> Probably as simple as opening up a telnet session to the remote HTTP service, and executing the following HTTP requests:

"GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+net+user+ROOT+/add"
"GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+net+localgroup+administrators+ROOT+/add"

Now you should have an administrative account (ROOT) that has a blank ("") password.

(Both of these HTTP requests are untested, but should work according to the security advisory; lines wrapped for readability.)

Also, as the referred-to advisory explains, a TFTP server can be installed on another server and the TFTP.EXE command can be used to retrieve a backdoor or other services.

Note: The above exploit is pretty pointless(!), the intruder can already do whatever they want with the system, and twiddling with such things as account (or policy) changes can cause alarms (other than the IDS) to fire, which would be a stupid thing to do by an intruder. I assume that the event was created by an unnamed remote vulnerability scanner.

Microsoft has a security bulletin available here:
http://www.microsoft.com/technet/Security/Bulletin/ms00-078.asp

A fix is available from:
http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp
(Referred to as "Web Server Folder Traversal")
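The parser failure described in Question 4 comes down to overlong UTF-8: the two-byte sequence `%c0%af` is not a valid encoding of anything, yet a lax decoder turns it into `/` after the server's `../` check has already run. The following is an added detection example (not part of the original submission or the Honeynet project) that emulates that lax decoding over constructed log entries and flags requests whose traversal only appears after decoding; it generalises to any overlong two-byte sequence, not just `%c0%af`. The sample request lines and function names are assumptions.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample request lines for demonstration (not from a real log).
SAMPLE_REQUESTS = [
    "GET /index.html",
    "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir",
    "GET /images/%c3%a9.png",  # legitimate two-byte UTF-8 (e-acute)
]


def lenient_utf8_decode(data: bytes) -> str:
    """Decode like the flawed parser: accept any 2-byte lead (C0-DF) plus a
    continuation byte, even when the result fits in one byte (overlong)."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        elif b < 0x80:
            out.append(chr(b))
            i += 1
        else:
            out.append("\ufffd")  # longer sequences are irrelevant here
            i += 1
    return "".join(out)


def is_overlong_traversal(path: str) -> bool:
    """True when a parent-directory step appears only after lenient decoding,
    i.e. the percent-decoded bytes are rejected by a strict UTF-8 decoder."""
    raw = unquote_to_bytes(path)
    try:
        raw.decode("utf-8")
        strict_ok = True
    except UnicodeDecodeError:
        strict_ok = False
    normalised = lenient_utf8_decode(raw).replace("\\", "/")
    has_traversal = "/../" in normalised or normalised.startswith("../")
    return has_traversal and not strict_ok


def scan_requests(lines):
    """Return the request lines whose path carries an overlong-UTF-8 traversal."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and is_overlong_traversal(parts[1]):
            flagged.append(line)
    return flagged
```

Running `scan_requests(SAMPLE_REQUESTS)` flags the two traversal lines and leaves the legitimate UTF-8 filename alone, because a strict decoder accepts `%c3%a9` but rejects `%c0%af`.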