Original release date: May 08, 2001<BR>
Last revised: May 10, 2001<BR>
Source: CERT/CC<BR>

<P>A complete revision history is at the end of this file.

<A NAME="affected">
<H3>Systems Affected</H3>
<ul>
<li>Systems running unpatched versions of Microsoft IIS</li>
<li>Systems running unpatched versions of Solaris up to, and including, Solaris 7</li>
</ul>

<A NAME="overview">
<H2>Overview</H2>
<P>
The CERT/CC has received reports of a new piece of self-propagating
malicious code (referred to here as the sadmind/IIS worm).  The worm
uses two well-known vulnerabilities to compromise systems and deface
web pages.
</P>
 
<P>
<A NAME="description">
<H2>I. Description</H2>

<P>
Based on preliminary analysis, the sadmind/IIS worm exploits a
vulnerability in Solaris systems and subsequently installs software to
attack Microsoft IIS web servers.  In addition, it includes a component
to propagate itself automatically to other vulnerable Solaris
systems. It adds "+ +" to the .rhosts file in the root user's home
directory, which allows any user on any host to rlogin or rsh to the
compromised system as root without a password.  Finally, it modifies
index.html on the host Solaris system after compromising 2,000 IIS
systems.
<P>
To compromise the Solaris systems, the worm takes advantage of a two-year-old
buffer overflow vulnerability in the Solstice sadmind program.  For more
information on this vulnerability, see

<DL><DD>
<A HREF="http://www.kb.cert.org/vuls/id/28934">http://www.kb.cert.org/vuls/id/28934</A>
</DD>
<DD>
<A HREF="http://www.cert.org/advisories/CA-1999-16.html">http://www.cert.org/advisories/CA-1999-16.html</A>
</DL>

<P>
After successfully compromising the Solaris systems, it uses a seven-month-old
vulnerability to compromise the IIS systems.  For additional information about
this vulnerability, see

<DL><DD>
<A HREF="http://www.kb.cert.org/vuls/id/111677">http://www.kb.cert.org/vuls/id/111677</A>
</DL>

<P>
Solaris systems that are successfully compromised via the worm exhibit the following characteristics:
<P>
<ul>
<LI><pre>
Sample syslog entry from compromised Solaris system

<SMALL>May  7 02:40:01 carrier.example.com inetd[139]: /usr/sbin/sadmind: Bus Error - core dumped
May  7 02:40:01 carrier.example.com last message repeated 1 time
May  7 02:40:03 carrier.example.com last message repeated 1 time
May  7 02:40:06 carrier.example.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
May  7 02:40:03 carrier.example.com last message repeated 1 time
May  7 02:40:06 carrier.example.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
May  7 02:40:08 carrier.example.com inetd[139]: /usr/sbin/sadmind: Hangup
May  7 02:40:08 carrier.example.com last message repeated 1 time
May  7 02:44:14 carrier.example.com inetd[139]: /usr/sbin/sadmind: Killed</SMALL>
</pre></LI>
<li>A rootshell listening on TCP port 600</li>
<li>Existence of the directories
<ul>
<li>/dev/cub  <i>contains logs of compromised machines</i></li>
<li>/dev/cuc <i>contains tools that the worm uses to operate and propagate</i></li>
</ul>
</li>
<li>Running processes of the scripts associated with the worm, such as the
following:
<ul>
<li>/bin/sh /dev/cuc/sadmin.sh</li>
<LI>/dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 111</li>
<li>/dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 80</li>
<li>/bin/sh /dev/cuc/uniattack.sh</li>
<li>/bin/sh /dev/cuc/time.sh</li>
<li>/usr/sbin/inetd -s /tmp/.f</li>
<li>/bin/sleep 300</li>
</ul>
</li>
</ul>


<P>
Microsoft IIS servers that are successfully compromised exhibit the
following characteristics:
<P>
<ul>
<li>Modified web pages that read as follows:
<pre>
                            fuck USA Government
                               fuck PoizonBOx
                       contact:sysadmcn@yahoo.com.cn
</PRE>
</li>
<li>
<pre>
Sample Log from Attacked IIS Server

<SMALL>2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 \
           GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 \
           GET /scripts/root.exe /c+echo+&lt;HTML code inserted here&gt;.././index.asp 502 -</SMALL>
</pre></li>
</ul>
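<P>
The indicators listed above for the Solaris and IIS sides lend themselves to
simple log-based detection.  The following Python is an added example and is
not part of the CERT advisory or of any vendor tool.  It applies the syslog
pattern (a burst of sadmind core dumps logged by inetd), the IIS request
pattern (directory traversal to cmd.exe and invocation of the root.exe copy),
and the .rhosts "+ +" check to constructed sample lines.  The handling of
overlong UTF-8 (for example %c0%af decoding to "/") reflects the MS00-078
mechanism referenced by VU#111677; the field order assumes the W3C extended
log format shown in the sample above, and the threshold of three crashes is
an assumption chosen for the example.
</P>

```python
"""Detection logic for the sadmind/IIS worm indicators (added example).

Sample log lines are constructed for this example and modelled on the
advisory's sanitized samples; hosts and addresses are fictitious.
"""
import re
from urllib.parse import unquote_to_bytes

# Solaris: inetd logs sadmind crashing while the overflow is retried.
SADMIND_CRASH = re.compile(
    r"inetd\[\d+\]: /usr/sbin/sadmind: (Bus Error|Segmentation Fault)")

# IIS: cmd.exe reached through "..", or the root.exe copy left in /scripts.
WIN_CMD = re.compile(r"/winnt/system32/cmd\.exe", re.IGNORECASE)
ROOT_EXE = re.compile(r"/scripts/root\.exe", re.IGNORECASE)


def decode_iis_path(raw):
    """Percent-decode a request path as the vulnerable server did: an
    overlong two-byte UTF-8 sequence (C0/C1 followed by 80..BF) is folded
    to the single ASCII byte it encodes, so %c0%af becomes '/'.  Python's
    strict UTF-8 decoder would reject these, so they are folded by hand."""
    data = unquote_to_bytes(raw)
    out = bytearray()
    i = 0
    while i < len(data):
        nxt = data[i + 1] if i + 1 < len(data) else None
        if data[i] in (0xC0, 0xC1) and nxt is not None and 0x80 <= nxt <= 0xBF:
            out.append(nxt & 0x3F)
            i += 2
        else:
            out.append(data[i])
            i += 1
    return out.decode("latin-1")


def scan_iis_log(lines):
    """Return (client_ip, decoded_uri_stem, reason) for each matching line.
    Fields (W3C extended, as in the sample): date time c-ip cs-username
    s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 9 or parts[0].startswith("#"):
            continue
        client, stem = parts[2], decode_iis_path(parts[7])
        if ".." in stem and WIN_CMD.search(stem):
            hits.append((client, stem, "traversal to cmd.exe"))
        elif ROOT_EXE.search(stem):
            hits.append((client, stem, "root.exe backdoor invoked"))
    return hits


def scan_syslog(lines, threshold=3):
    """Return {host: crash_count} for hosts with at least `threshold`
    sadmind core dumps.  One crash may be a bug; a burst is the exploit
    being retried.  'last message repeated' lines are not counted, so the
    result is a lower bound."""
    counts = {}
    for line in lines:
        if SADMIND_CRASH.search(line):
            host = line.split()[3]          # "May  7 02:40:01 <host> inetd[..]"
            counts[host] = counts.get(host, 0) + 1
    return {h: n for h, n in counts.items() if n >= threshold}


def rhosts_trusts_everyone(content):
    """True if a .rhosts file contains a '+ +' entry (any user on any host
    may rlogin/rsh as the file's owner), the entry the worm adds for root."""
    for line in content.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "+" and fields[1] == "+":
            return True
    return False


# Constructed sample input (not real logs).
SAMPLE_SYSLOG = """\
May  7 02:40:01 carrier.example.com inetd[139]: /usr/sbin/sadmind: Bus Error - core dumped
May  7 02:40:06 carrier.example.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
May  7 02:40:06 carrier.example.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
May  7 02:40:08 carrier.example.com inetd[139]: /usr/sbin/sadmind: Hangup
May  7 03:10:00 quiet.example.com inetd[201]: /usr/sbin/sadmind: Bus Error - core dumped
""".splitlines()

SAMPLE_IIS = """\
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/root.exe /c+echo+defaced.././index.asp 502 -
2001-05-06 12:21:00 10.30.30.30 - 10.20.20.20 80 GET /default.htm - 200 -
""".splitlines()

SAMPLE_RHOSTS = "trusted.example.com admin\n+ +\n"

if __name__ == "__main__":
    print("sadmind crash bursts:", scan_syslog(SAMPLE_SYSLOG))
    for hit in scan_iis_log(SAMPLE_IIS):
        print("IIS:", hit)
    print("root .rhosts trusts everyone:", rhosts_trusts_everyone(SAMPLE_RHOSTS))
```

Decoding before matching matters: a signature written against the raw
request string misses the %c0%af form, while matching on the decoded path
catches both the literal "../.." and the overlong-UTF-8 variant.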

<A NAME="impact">
<H2>II. Impact</H2>

<P>

Solaris systems compromised by this worm are being used to scan and
compromise other Solaris and IIS systems.  IIS systems compromised by
this worm can suffer modified web content.

<P>
Intruders can use the vulnerabilities exploited by this worm to
execute arbitrary code with root privileges on vulnerable Solaris
systems, and arbitrary commands with the privileges of the
IUSR_<i>machinename</i> account on vulnerable Windows systems.

<P>
We are receiving reports of other activity, including one report of
files being destroyed on the compromised Windows machine,
rendering them unbootable.  It is unclear at this time if this
activity is directly related to this worm.

<A NAME="solution">
<H2>III. Solutions</H2>

<H4>Apply a patch from your vendor</H4>

<P>A patch is available from Microsoft at<BR>
<DL><DD>
<A HREF="http://www.microsoft.com/technet/security/bulletin/MS00-078.asp">http://www.microsoft.com/technet/security/bulletin/MS00-078.asp</A>
<P>For IIS Version 4:<BR>
<A HREF="http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp">http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp</A>
<P>For IIS Version 5:<BR>
<A HREF="http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp">http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp</A>
</DL>

<P>Additional advice on securing IIS web servers is available from 

<dl><dd>
<A HREF="http://www.microsoft.com/technet/security/iis5chk.asp">http://www.microsoft.com/technet/security/iis5chk.asp</a><BR>

<A HREF="http://www.microsoft.com/technet/security/tools.asp">http://www.microsoft.com/technet/security/tools.asp</a>
</dl>
<P>
Apply a patch from Sun Microsystems as described in Sun Security Bulletin #00191:
<P>
<DL><DD>
<A HREF="http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba">
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba</A>
<P>
</DL>

<A NAME="vendors">
<H2>Appendix A. Vendor Information</H2>

<A name="microsoft">
<H3>Microsoft Corporation</H3>
<P>
The following documents regarding this vulnerability are available
from Microsoft:<BR>

<DL><DD>
<A HREF="http://www.microsoft.com/technet/security/bulletin/MS00-078.asp">
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp</A>
</DL>

<A NAME="Sun">
<H3>Sun Microsystems</H3>
<P>
Sun has issued the following bulletin for this vulnerability:
<DL><DD>
<A HREF="http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba">
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba</A>
</DL>
</P>

<H2>References</H2>
<ol>
<A NAME=ref1></a>
<li><i>Vulnerability Note VU#111677: Microsoft IIS 4.0 / 5.0 vulnerable to directory traversal via extended unicode in url (MS00-078)</i> <A HREF="http://www.kb.cert.org/vuls/id/111677">http://www.kb.cert.org/vuls/id/111677</a></li> 
<li><i>CERT Advisory CA-1999-16 Buffer Overflow in Sun Solstice AdminSuite Daemon sadmind</i><br><A 
HREF="http://www.cert.org/advisories/CA-1999-16.html">http://www.cert.org/advisories/CA-1999-16.html</A></li>
</ol>

<P>

<A HREF="mailto:cert@cert.org?subject=CA-2001-11%20Feedback%20CERT%2326370">Authors</A>:&nbsp;
Chad Dougherty, Shawn Hernan, Jeff Havrilla, Jeff Carpenter, Art Manion, Ian Finlay, John Shaffer

<P>


<P>Copyright 2001 Carnegie Mellon University.</P>

<P>Revision History
<PRE>
May 08, 2001: Initial Release
May 08, 2001: Formatting change to improve printing
May 08, 2001: Correct link in the vendor section to point to the correct Microsoft Bulletin.
              Our apologies to Microsoft for the error.
May 10, 2001: Changed sanitized logs to example.com
</PRE>