Zombeez!!!!
B.I.S.S. Forums > Internet Security Forum > Internet Security Discussion
mOOnman
Hey, I got an alert from NIS indicating an attack was launched, "URL_Directory_Traversal". When I did a whois on the eyepee it says it's on MY local network! Does anyone know what this means?
Moore
Hey dude, been a bit busy but I dug up some info for you to read:

This is an attack used to try and access files/directories on your computer; it is also used by worms to penetrate and infect web servers. Did Norton say that it blocked this, or that it just detected it...?


If you need to look up an attack that you've detected, this is a good place to start from:
http://www.iss.net/security_center/advice/...ons/default.htm


Unicode vulnerability (web server folder traversal)
Unicode provides a unique number for every character, no matter what the platform, no matter what the program, no matter what the language. The Unicode Standard has been adopted by most vendors, including Microsoft. By sending a server a carefully constructed URL containing an invalid Unicode UTF-8 sequence an attacker can force the server to literally ‘walk up and out’ of a directory and execute arbitrary scripts.

This type of attack is also known as the directory traversal attack.


Directory traversal Exploits:
http://www.iss.net/security_center/advice/...603/default.htm
http://www.iss.net/security_center/advice/...645/default.htm


Summary :
It looks like an intruder is trying to read other files from your system (other than the ones you intended to share).

Details

A common bug with web servers is when a hacker specifies a URL that looks something like /../../../foo/bar.txt.
The contents of the website are usually in a subdirectory.
The series of "../.." go up the directory structure, then down to the desired file.

The reason this attack works is because the programmer doesn't double-check the URL to see if it is a valid file in the website.

False Positives

This alert triggers whenever a URL contains a series of ../... Bad links in web-pages on a website can sometimes cause this alert. In this case, it indicates a misconfiguration, rather than an intrusion.

Defense

First, check the URL parameter of the alert to see what the file was the intruder accessed. Then check to see if the intruder successfully accessed the file. If it was a sensitive file, and the attacker was successful, you will need to take appropriate action. For example, if the attacker successfully grabbed the password file, then you will need to change all the passwords.

You should also make sure that the web-server in question is the latest version with the latest security patches applied. Most of these attacks are against "embedded" web-servers (i.e. web-servers included as part of other products) rather than real web-servers like Apache and IIS.



The most popular technique hackers use to break into web-servers is through "data driven" attacks.
The web-server is just a "front-end" that passes requests through to the back-end system.

Attackers attempt to "drive" data through the front-end in order to compromise the back-end.

In order to combat attackers, web-servers will attempt to clean up input before executing a request. For example, when presented with a request that looks like "foo/bar/../index.html", the web-server will convert it to the proper "foo/index.html" before executing the request. Removing the ".." parts of the URL is an important security measure. Most attacks against web-servers involve adding too many "../../.." components to the filename, breaking out of the disk reserved for the web-server, allowing the intruder to read or execute other files.

Web-servers will also interpret "URL-encoding". A URL encoding expresses the binary values of data as hex characters. The binary value of "/" can be represented by the hex URL encoding of "%5C". Therefore, when presented with a request that looks like "foo%5Cindex.html", the web-server will translate it into "foo/index.html".

Microsoft's IIS (Internet Information Server) web-server software will incorrectly translate the "URL-encoding" twice, but only check for directory traversal/climbing after the first translation. This allows a server to easily be compromised. This is a major problem; anyone who uses Microsoft's IIS (or the personal version) should immediately upgrade their systems.

Example

An example attack looks like the following URL:

hxxp://example.com/Scripts/..%255c..%255cw...e?/c+dir+\

This example will obtain a directory listing of the root directory. It works through the following steps. The hex encoding "%25" results in the "percent" character "%". The first URL-encoding translation therefore converts the URL into one that looks like:

hxxp://example.com/Scripts/..%5c..%5cwinnt...e?/c+dir+\

The directory traversal/climbing attempts to resolve any strings that look like "..\..". It fails to find any.

The input then erroneously goes through a second URL-encoding translation, resulting in the following URL:

hxxp://example.com/Scripts/..\..\...e?/c+dir+\

On most Windows servers, the "Scripts" directory maps to "C:\inetpub\Scripts". This is an "executable" directory: rather than reading the file, the server will attempt to run it as a program. Therefore, the server will attempt to run:

C:\inetpub\Scripts\..\..\winnt/system32/cmd.exe /C dir \

At this point, the underlying Windows operating system will be compromised by the directory-climbing part of the attack, and will execute the following command:

C:\winnt\system32\cmd.exe /C dir \

The program "cmd.exe" will then execute, which will in turn execute the command specified on the command line, which is;

dir \

The end result will be to list the files in the root directory of the server.

However, the attacker could run much more dangerous commands, such as those to deface the web-site or upload their own hacker utilities.


Here's an example using RealPlayer, 'cause they suck:


RMP files are opened without confirmation if a web page uses JavaScript or an IFRAME tag to reference them.

Therefore, it is possible to carry out an attack without further user interaction when the victim visits such a web page.
The RMP file may contain references to a number of files as tags. The file extension determines how RealPlayer handles the file, i.e. as audio, video, or a skin file.

If the filename ends with ".rjs", it's assumed to be a skin file and downloaded to a location under the current user's profile folder. For RealOne Player the exact location is:

%USERPROFILE%\Application Data\Real\RealOne Player\skins\file.rjs

An attacker may use "..\" sequences in the file name to cause the skin file to be placed outside this folder.
With a specially crafted filename, an attacker can place an arbitrarily named file with arbitrary contents anywhere on the victim system. Overwriting files isn't possible as RealPlayer asks for confirmation.

To run a desired program, an attacker can for instance place an HTML and EXE file on the victim system by using a single RMP file. The "related info" feature of RealPlayer can be used to automatically open the HTML file, which can then use JavaScript to launch the EXE file. A proof of concept RMP file was created to do this. Use of some unpatched Internet Explorer flaws are required for this exploit.

Another way is simply to place an EXE or other program in the current user's Startup folder to be launched during the next login. The attacker needn't know the login name; a relative path can be used because the default folder for skins is already under the user's profile folder.

Windows Media Player directory traversal:
http://www.securiteam.com/windowsntfocus/5...5FP0B0AA0I.html
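As an added example (not code from the forum post, from the quoted ISS/NetworkICE text, or from IIS itself), here is a small Python model of the order-of-operations bug walked through above: decode the URL, check for "../" climbing, then decode a second time. The same block runs an IDS-style ".." signature over a few constructed access-log lines, which also shows the false-positive case the "False Positives" paragraph mentions (a "../" that never leaves the web root). The web root "/inetpub" (POSIX form of the C:\inetpub the text describes), the log format, and the two resolver functions are assumptions for the demo, not Microsoft's implementation; the containment check in hardened_resolve is the same check that would have stopped the RealPlayer skin-file "..\" write described further up.

```python
import re
import posixpath
from urllib.parse import unquote

# Assumed document root for the demo. The text says "Scripts" maps to
# C:\inetpub\Scripts, so the root is modelled as /inetpub (POSIX form).
WEB_ROOT = "/inetpub"


def has_traversal(path: str) -> bool:
    """Signature-style check: does the string contain a climbing sequence as written?"""
    return "../" in path or "..\\" in path


def _resolve_under_root(decoded: str) -> str:
    """Map a decoded URL path onto the filesystem; Windows treats '\\' like '/'."""
    rel = decoded.replace("\\", "/").lstrip("/")
    return posixpath.normpath(posixpath.join(WEB_ROOT, rel))


def vulnerable_resolve(request_path: str) -> str:
    """Flawed order from the text: decode, check for '..', decode AGAIN, then resolve."""
    once = unquote(request_path)
    if has_traversal(once):
        raise PermissionError("traversal detected")
    twice = unquote(once)            # the erroneous second decode
    return _resolve_under_root(twice)


def hardened_resolve(request_path: str) -> str:
    """Decode exactly once, canonicalise, then verify the result is still under WEB_ROOT."""
    candidate = _resolve_under_root(unquote(request_path))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        raise PermissionError("path escapes web root")
    return candidate


def is_rejected(resolver, request_path: str) -> bool:
    """True if the resolver refuses the request."""
    try:
        resolver(request_path)
    except PermissionError:
        return True
    return False


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2002:10:00:00 +0000] "GET /index.html HTTP/1.0" 200',
    '10.0.0.5 - - [01/Jan/2002:10:00:01 +0000] "GET /images/../css/site.css HTTP/1.0" 200',
    '192.0.2.9 - - [01/Jan/2002:10:00:02 +0000] "GET /Scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+dir+\\ HTTP/1.0" 403',
    '192.0.2.9 - - [01/Jan/2002:10:00:03 +0000] "GET /Scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+\\ HTTP/1.0" 200',
]

_REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_traversal(log_lines):
    """IDS-style detector: flag a URL if '..' climbing appears at decoding depth 0, 1 or 2."""
    hits = []
    for line in log_lines:
        m = _REQ.search(line)
        if not m:
            continue
        url = m.group(1).split("?", 1)[0]          # drop the query string
        stages = (url, unquote(url), unquote(unquote(url)))
        if any(has_traversal(s) for s in stages):
            hits.append(url)
    return hits


if __name__ == "__main__":
    for url in flag_traversal(SAMPLE_LOG):
        vuln = "REJECTED" if is_rejected(vulnerable_resolve, url) else vulnerable_resolve(url)
        hard = "REJECTED" if is_rejected(hardened_resolve, url) else hardened_resolve(url)
        print(f"{url}\n  vulnerable -> {vuln}\n  hardened   -> {hard}")
```

Running it shows the three outcomes the text describes: the single-encoded "%5c" request is caught by the naive check, the double-encoded "%255c" request slips past it and resolves to /winnt/system32/cmd.exe in the vulnerable resolver, and the "/images/../css/site.css" link trips the signature but is harmless, which the hardened resolver (check after canonicalisation) correctly allows.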
mOOnman
Thanks for the detailed reply Moore. I figured you guys are VERY busy with all I see going on in this site!
Yeah, NIS said that it was outbound FROM my machine to a website and was blocked... but I got NIS/NAV, Spy Sweeper, WinPatrol and PW on this machine and I run Spybot S&D once in a while. They don't indicate anything on my machine... very mysterious!
Moore
Do you have things like JavaScript and ActiveX enabled? They allow all kinds of exploits to run on your computer, ActiveX especially because it is usually allowed to run from inside your computer unchecked. JavaScript can also help drive-by spyware installs and homepage hijacks, but WinPatrol will handle the hijacks no problem; a good firewall should take care of the rest. Of course you can go to extremes like I do sometimes, but not many people like my kind of security settings lol. SSM is another thing you should experiment with if you really want to lock your system down.
Moore
Hi mOOnman, this info was given to me by Hunter, admin of the Gladiator anti-virus forums...


So do you keep your browser updated if you use MSIE, and which version of NIS are you using, mate?


--------------------------------------------------------------------------

Attack Signatures for the IDS within NIS

Symantec security products include an extensive database of attack signatures. An attack signature is a unique arrangement of information that can be used to identify an attacker's attempt to exploit a known operating system or application vulnerability. When Intrusion Detection detects an attack signature, it displays a Security Alert.

Currently, the program monitors these exploits:

http://securityresponse.symantec.com/avcenter/nis_ids/

**************************************************

IE GetObject() problems
--- Georgi Guninski wrote:
Georgi Guninski security advisory #52, 2001

IE GetObject() problems

Systems affected:
Patched IE 6.0, somewhat patched 5.5 Win2K

Risk: High
Date: 1 January 2002

Legal Notice:
This Advisory is Copyright © 2001 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or
distribute parts
of it without the author's written permission.

Description:

IE allows reading local files due to a bug in
GetObject().
Reading local files may lead to executing arbitrary
programs.

Details:

GetObject() has a bad security record -
check www.guninski.com/browsers.html
The new bug is quite similar to:
www.guninski.com/getobject1-desc.html
the difference being:
----------------------

a=GetObject("http://"+location.host+"/../../../../../../test.txt","htmlfile");
----------------------
It is funny that Directory Traversal on a http: URL
leads to reading local files.

There are surely a lot more. I found one which gives
local Directory information including user name which
uses Directory Traversal.

Here is the universal location of index.dat:
file:///::{450D8FBA-AD25-11D0-98A8-0800361B1103}/../Local%20Settings/Temporary%20Internet%20Files/Content.IE5/index.dat

(There are a lot of URL's like that, they have varying
degrees of success depending on where they are put).

The below object uses that URL, in the alert that pops
up it shows the full file path, ie, C:\Documents and
Settings\UserName\Local Settings\Temporary Internet
Files\Content.IE5 under the "Location" parameter
value.

setTimeout("alert(funObject2.document.body.innerHTML)",500);')">

Workaround/Solution:

Disable Active Scripting and never turn it on.
Better, do not use IE in hostile environments such
as the internet.

Vendor status:

Microsoft was notified on 11 December 2001.
They had 3 weeks to produce a patch but didn't.

Regards,
Georgi Guninski
www.guninski.com