Pantek Library

Re: www.google.com reference in directory-traversal attack

From: Chris Ess <azarin(at)tokimi.net>
Date: Mon Jul 14 2003 - 16:56:50 EDT

> I've included a link to a tcpdump taken that shows a standard IIS

Okay. I'm going to make a guess here.

The GET string, excerpted below, indicates that it is using HTTP/1.1:

GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe HTTP/1.1

(Pretty nice URL by the way.)

In order to make a valid HTTP/1.1 request, you have to specify a host name (I think the proper terminology is 'host header') for the request. I'm guessing that whoever devised this tool decided to just throw in 'www.google.com' as a host header. Under IIS, if you specify a host name that is not configured, it falls back on the first virtual host that is configured for the IP. So by specifying 'www.google.com', they pretty much guarantee that they will fall to the first host -- and on a default IIS install, this will be the default web site which lives under c:\inetpub\wwwroot.

So this is my armchair one minute guess-analysis. Hope it helps somewhat.

Sincerely,

Christopher Ess
System Administrator / CDTT (Certified Duct Tape Technology)
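
The two signals discussed in the message above (a path that only becomes a traversal after more than one round of percent-decoding, and a Host header naming a site the server is not configured for) can be checked together when reviewing captured requests. The following is an added example, not part of the original post or of any tool it mentions; CONFIGURED_HOSTS and the function names are assumptions, and the sample request is constructed from the request line quoted in the message.

```python
from urllib.parse import unquote

# Assumption: host names this server is actually configured to serve.
CONFIGURED_HOSTS = {"www.example.org", "example.org"}

def decode_layers(path, max_rounds=5):
    """Percent-decode until stable; return (text, number of rounds that changed it)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def parse_request(raw):
    """Split a raw request head into method, target, version and lower-cased headers."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers

def inspect(raw):
    """Return the findings for one request, in a fixed order."""
    _, target, version, headers = parse_request(raw)
    findings = []
    decoded, rounds = decode_layers(target.split("?", 1)[0])
    # Treat backslash as a separator, as Windows path handling does.
    if ".." in decoded.replace("\\", "/").split("/"):
        findings.append("traversal")
    if rounds > 1:  # more than one encoding layer, e.g. %255c -> %5c -> \
        findings.append("multi-encoded")
    host = headers.get("host", "").split(":")[0].lower()
    if version == "HTTP/1.1" and host not in CONFIGURED_HOSTS:
        findings.append("unconfigured-host")  # request would be served by the fallback site
    return findings

# Constructed samples: the quoted request line with the Host value under discussion, and a benign request.
SAMPLE = ("GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\\winnt\\system32"
          "\\cmd.exe+c:\\inetpub\\scripts\\script.exe HTTP/1.1\r\n"
          "Host: www.google.com\r\n\r\n")
BENIGN = "GET /docs/a%20b.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"

if __name__ == "__main__":
    print(inspect(SAMPLE))
    print(inspect(BENIGN))
```
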



Received on Tue Jul 15 14:37:41 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:11 EDT

