The problem has nothing to do with Tomcat. It has all to do with
IIS and directories that have the execute permission. To better explain,
I'll give an example.
You have your InetPub directory on C:\inetpub. Windows NT is in
C:\WinNT. Your website is stored in C:\inetpub\wwwroot. You also have a
virtual directory set up, named jakarta-tomcat, which points to C:\tomcat.
A hacker will request
http://machine/jakarta-tomcat/../../../WinNT/cmd.exe and pass some commands.
What happened here is that IIS saw the request for the Jakarta-Tomcat
directory and is using those permissions, however it allows the file
reference to use the .. to traverse up a directory level. When you .. above
the root of your web site, IIS allows you to keep going outside of the
Inetpub. The only limitation is that you can't .. to a different drive
letter.
I must say, I haven't seen any Microsoft documentation on this and
what I say here is what I have observed. We were recently hacked with this.
In our case the hackers replaced every file that we had under inetpub with
their own web page and then copied the cmd.exe into the inetpub directory so
that they could run arbitrary code whenever they wanted. Then, they would
use our machines as zombies to participate in DoS attacks on other networks.
They were unsuccessful in replacing our web page because we had moved
wwwroot to somewhere else, but the fact that inetpub was still on the C
drive with WinNT allowed them to use our machine anyways.
By the way, IIS ships with the execute permissions turned on for the
/scripts directory, which is what they used to break our server. To check
for this hack, first check if your web pages are still what you think they
are in the Inetpub directory. Also, you can check your web logs. If you're
like most installations, any requests referencing cmd.exe would be unusual
and, in this case, a good indicator that you were at least scanned (every
machine in our domain had requests, only a few had a configuration that
allowed this hack to happen).
Randy
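A log check along the lines of the advice above, added here as an example and not part of the thread: it emulates the virtual-directory mapping Randy describes, resolves `..` the way the post says IIS does (continuing above the virtual directory's root and stopping only at the drive root), and flags any request that leaves its virtual directory or that references cmd.exe. The directory map and the log lines are constructed for the example.

```python
"""Flag IIS log requests that '..' out of a virtual directory or reference cmd.exe."""
import posixpath
from urllib.parse import unquote

# Hypothetical virtual-directory map modelled on the thread: URL prefix -> drive:/path.
VDIRS = {
    "/": "C:/inetpub/wwwroot",
    "/scripts": "C:/inetpub/scripts",
    "/jakarta-tomcat": "C:/tomcat",
}

def resolve(url_path, vdirs=VDIRS):
    """Emulate IIS: map the longest matching vdir, then honour '..' past its root
    (clamped only at the drive root). Returns (physical_path, escaped_vdir)."""
    path = "/" + unquote(url_path).replace("\\", "/").lstrip("/")
    low = path.lower()
    prefix = max((p for p in vdirs if low == p or low.startswith(p.rstrip("/") + "/")), key=len)
    drive, root = vdirs[prefix].split(":", 1)          # e.g. "C", "/tomcat"
    rest = path[len(prefix):].lstrip("/")
    physical = posixpath.normpath(root + "/" + rest)    # absolute: '..' cannot pass "/"
    escaped = posixpath.commonpath([root, physical]) != root
    return drive + ":" + physical, escaped

def scan_log(text, vdirs=VDIRS):
    """Parse W3C extended log lines; return (line_no, client_ip, uri, reason) hits."""
    fields, hits = None, []
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]            # column names come from the log itself
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        uri = rec.get("cs-uri-stem", "")
        physical, escaped = resolve(uri, vdirs)
        if escaped:
            hits.append((n, rec.get("c-ip"), uri, "escaped virtual directory to " + physical))
        elif posixpath.basename(physical).lower() == "cmd.exe":
            hits.append((n, rec.get("c-ip"), uri, "cmd.exe inside the web tree: " + physical))
    return hits

# Constructed sample log (not real traffic) in IIS 5 W3C extended format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-27 09:00:01 10.0.0.7 GET /index.jsp - 200
2001-07-27 09:00:05 10.0.0.7 GET /jakarta-tomcat/examples/jsp/num/numguess.jsp - 200
2001-07-27 09:12:40 10.0.0.99 GET /jakarta-tomcat/../../../WinNT/cmd.exe - 200
2001-07-27 09:13:02 10.0.0.99 GET /scripts/cmd.exe - 200
"""
```

Running `scan_log(SAMPLE_LOG)` reports the last two lines: the traversal that resolves to C:/WinNT/cmd.exe and the copy of cmd.exe sitting under /scripts.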
> -----Original Message-----
> From: Russell, Steve [mailto:[EMAIL PROTECTED]]
> Sent: Friday, July 27, 2001 10:12 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: Warning: Security Hole With IIS & Tomcat
>
>
> Our tomcat directory is C:\Tomcat
>
> It's outside of the inetpub hierarchy, but it is set up in IIS as a virtual
> directory with execute permissions open.
>
> Can hackers still exploit the malformed url handling in IIS with this set
> up?
>
> Steve Russell
>
> Web Developer III
> ValueOptions - Lifescape
> 703-205-6589
> [EMAIL PROTECTED]
>
>
> -----Original Message-----
> From: Randy Layman [mailto:[EMAIL PROTECTED]]
> Sent: Friday, July 27, 2001 9:26 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Warning: Security Hole With IIS & Tomcat
>
>
>
> I would have to say probably not. The exploit that we saw a few
> weeks ago was that you can send IIS a command to go .. outside of the
> inetpub directory (thus going above the root). If you have the default
> installation, and inetpub is on the same drive as your WinNT partition, it
> allows the hacker to run cmd.exe, from which they can do just about whatever
> they want.
>
> The solution to this problem is to have inetpub on a different drive
> from your WinNT directory.
>
> Randy
>
> -----Original Message-----
> From: Russell, Steve [mailto:[EMAIL PROTECTED]]
> Sent: Friday, July 27, 2001 9:47 AM
> To: '[EMAIL PROTECTED]'
> Subject: Warning: Security Hole With IIS & Tomcat
>
>
> Hi;
>
> My company is running a jsp site on IIS 5 with windows 2000,
> and all of
> the security patches.
>
>
> We discovered that if we use tomcat or jrun 2.3.3 with IIS that
> we have to set up the tomcat ( or jrun ) directories as virtual directories
> ___with execute permissions turned on__.
>
>
> This got us hacked into.
>
> I don't understand how. It has something to do with how IIS handles
> malformed urls leaving IIS open to attacks if directories associated with
> a web site have execute permissions granted.
>
> Does Apache have a similar vulnerability?
>
> Steve Russell
> Web Developer III
> ValueOptions - Lifescape
> 703-205-6589
> [EMAIL PROTECTED]
>