The IIS configuration file backdoor


This article describes how to use features of IIS itself to build a backdoor. It is mainly a "Know Your Enemy" document for network administrators and network security staff: the author hopes it will help readers check for and remove such backdoors, and does not encourage or condone using the techniques in this article for illegal activities.

First, a brief introduction to the IIS configuration file MetaBase.bin. This file is located at %SystemRoot%\system32\inetsrv\MetaBase.bin and contains almost all of IIS's configuration information; it is a very important system file. Simply put, everything we set in the "Internet Services Manager" is eventually saved in MetaBase.bin. Besides operating on MetaBase.bin through the "Internet Services Manager" in daily administration, Windows also provides a script, adsutil.vbs, for working with MetaBase.bin.

The MetaBase is structured like the registry: it is also a tree, with concepts similar to keys, values and items. In fact, in IIS 3 and PWS the MetaBase content was stored in the registry. The MetaBase has two primary keys, LM and Schema. Schema holds some default system configuration that normally does not need to be modified, and getting it wrong is very dangerous, so neither the "Internet Services Manager" nor adsutil.vbs provides a mechanism for modifying the Schema. LM contains the configuration of IIS's HTTP, FTP and SMTP services; among them, LM/W3SVC/ holds the HTTP service configuration we want to use.

A few of the values mentioned below:

LM/W3SVC/InProcessIsapiApps: ISAPIs started in-process. This is an array of paths to a set of ISAPIs. An ISAPI in this array is loaded directly by inetinfo.exe and inherits inetinfo.exe's local system privileges, instead of being started in the dllhost.exe process derived from svchost.exe, whose identity is IWAM_NAME. This is the default security level of IIS; if the level is set to Low, all ISAPIs are loaded directly by inetinfo.exe. In addition, if you specify only an extension rather than a full path when setting this value, an ISAPI of the same name in any path will run with system privileges when it is called.

ScriptMaps: script mapping. Once this value is set on a directory, requests from that directory for files with the given extension are handed to the specified ISAPI for execution. It should be emphasized that the directory on which ScriptMaps is set does not have to exist: as long as a subkey is created under the root key of an HTTP instance in the MetaBase, an HTTP request for a path with the same name as that subkey is treated as legitimate and is handled by the mapped ISAPI. This is also a problem in IIS.

CreateProcessAsUser: if this value is set to 0 on a directory, applications under that directory inherit inetinfo.exe's local system privileges.

AccessWrite determines whether a directory may be written to, that is, whether the WebDAV PUT method is allowed.

AccessExecute determines whether a directory is allowed to execute an application.

Backdoor Ideas:

Create a script map for a specific extension pointing at our ISAPI, and add the ISAPI to the InProcessIsapiApps list. Then when we request a file of that extension from the server, the ISAPI is executed on the server with local system privileges, and the requested file does not need to exist.

Tips:

1. Since you do not really need to create a directory to set ScriptMaps, you can just write a key and add ScriptMaps to it. That way the directory is not visible in the "Internet Services Manager", and neither are the ScriptMaps.

2. Although it cannot be seen in the "Internet Services Manager", an experienced administrator may be in the habit of occasionally running adsutil.vbs enum /p to take a look:

# adsutil.vbs enum /p /w3svc/1/root
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. all rights reserved.

[/w3svc/1/root/_vti_bin]
[/w3svc/1/root/evildir]

This is exposed.

Because the key we set is not a real virtual directory, just a string in the configuration file, you can use a character such as 0x08 as the key name. 0x08 is the hexadecimal value of the Backspace key; on the console its effect is to delete one character to the left, so what actually disappears from the screen is the "/":

# adsutil.vbs enum /p /w3svc/1/root
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. all rights reserved.

[/w3svc/1/root/_vti_bin]
[/w3svc/1/root]

Faced with this output, most people will not notice anything.

Of course, the key can also be given a name such as _vti_script or _vti_bin; as long as it has no KeyType, it is invisible in the "Internet Services Manager".

The system itself ships \WINNT\System32\msw3prt.dll, which is listed in InProcessIsapiApps for the .printer mapping and is generally not used. We can delete the D:\WINNT\System32\msw3prt.dll entry and replace it with \WINNT\System32\inetsrv\msw3prt.dll.

3. The fly in the ointment is that HTTP requests leave traces. The good side of HTTP, though, is that a proxy server can be used as a stepping stone. In addition, log entries can be forged by inserting 0x0D 0x0A (for details see "Apache, IIS and other http servers allow fake logs by sending carriage returns"). That concludes the tips on constructing the directory.
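For administrators checking their own servers, here is an added example (not code from the original article) that turns tips 2 and 3 into checks: it scans the raw, file-redirected output of adsutil.vbs enum /p for key names containing control characters such as 0x08 or names missing from a trusted baseline, and scans IIS log lines for requests whose path carries a URL-encoded control character. The sample output, the baseline set and the log lines are constructed for this example; the "[/path]" line shape follows the article's own listing.

```python
import re

# Constructed sample: raw bytes of "adsutil.vbs enum /p /w3svc/1/root > out.txt".
# Redirecting to a file keeps the 0x08 byte in the hidden key name instead of
# letting the console "render" it away.  Key names here are made up.
SAMPLE_ENUM_OUTPUT = (
    b"Microsoft (R) Windows Script Host Version 5.6\r\n"
    b"Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.\r\n"
    b"\r\n"
    b"[/w3svc/1/root/_vti_bin]\r\n"
    b"[/w3svc/1/root/\x08]\r\n"
    b"[/w3svc/1/root/evildir]\r\n"
)

# Child keys the administrator expects under /w3svc/1/root.  This is an assumed
# baseline for the example; a real one comes from a trusted export taken when the
# server was deployed.
EXPECTED_CHILDREN = {"_vti_bin"}

KEY_LINE = re.compile(rb"^\[(?P<path>.*)\]\s*$")


def audit_enum_output(raw, expected=EXPECTED_CHILDREN):
    """Return (rendered_key, reason) findings from raw 'adsutil.vbs enum /p' output."""
    findings = []
    for line in raw.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue
        path = m.group("path")
        # The last path component is the key name we are checking.
        name = path.rsplit(b"/", 1)[-1]
        # repr() shows control bytes as \x08 instead of letting a terminal interpret them.
        rendered = repr(path.decode("latin-1"))
        ctrl = [c for c in name if c < 0x20 or c == 0x7F]
        if ctrl:
            findings.append((rendered, "control character(s) in key name: "
                             + ", ".join(hex(c) for c in ctrl)))
            continue
        if name.decode("latin-1") not in expected:
            findings.append((rendered, "key not in baseline"))
    return findings


# Constructed sample IIS log lines (W3C style; field order simplified for the example).
SAMPLE_LOG_LINES = [
    "2003-01-08 06:40:11 10.11.0.99 GET /default.asp - 200",
    "2003-01-08 06:49:37 10.11.0.99 POST /%08/anything.tom - 200",
    "2003-01-08 06:50:02 10.11.0.99 GET /_vti_bin/shtml.dll - 404",
]

# URL-encoded control characters: %00-%1F and %7F, either letter case.
ENCODED_CONTROL = re.compile(r"%(?:[01][0-9a-f]|7f)", re.IGNORECASE)


def find_encoded_control_chars(lines):
    """Return log lines whose request contains a URL-encoded control character."""
    return [line for line in lines if ENCODED_CONTROL.search(line)]


if __name__ == "__main__":
    for key, reason in audit_enum_output(SAMPLE_ENUM_OUTPUT):
        print("metabase:", key, "->", reason)
    for line in find_encoded_control_chars(SAMPLE_LOG_LINES):
        print("log:", line)
```

Because the hidden key is only a string in MetaBase.bin, a baseline comparison of the key tree is the most reliable check; the control-character test catches the specific 0x08 trick even without a baseline.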

Concrete implementation:

Of course, you can add the entries manually with adsutil.vbs. Note, however, that adsutil.vbs can only set a value, not append to it, so when you use adsutil.vbs you must also include the original entries, otherwise they are lost. Entries are separated by spaces.

First, use the following command to get the current InProcessIsapiApps list:
adsutil.vbs get /W3SVC/InProcessIsapiApps

Then set the list again with your own ISAPI path appended:
adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\System32\idq.dll" "C:\WINNT\System32\inetsrv\httpext.dll" ..................

ScriptMaps is set up the same way as InProcessIsapiApps.

Of course, this is rather troublesome, and it is impossible to enter a key name such as 0x08 this way, so I simply wrote a VBS script that does it all at once. As for the ISAPI that serves as the backdoor, what it can do depends entirely on your imagination. Here is a screen capture of a simple example:

# nc 10.11.0.26 80
POST /%08/anything.tom

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1998 Microsoft Corp.

C:\WINNT\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINNT\system32>exit
HTTP /1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Wed, 08 Jan 2003 06:49:37 GMT

A more subtle approach is to write a special ISAPI and register it as the handler for .asp. Normally the program forwards each request it receives to the system's original asp.dll and returns the result; only when it receives a specially crafted POST request does it start its own backdoor code, so nothing shows up in the log, and it is also hard to find during a review.
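The two configuration values this section relies on, InProcessIsapiApps and ScriptMaps, can both be read back with adsutil.vbs get, which makes them easy to audit. The added example below (not the article's or Microsoft's code) parses the LIST output of those two commands and flags the patterns described above: an in-process entry with no path, a known ISAPI file name listed at an unexpected path (the msw3prt.dll swap), a DLL outside the baseline, and a script map whose target is not the expected system DLL (the replacement for asp.dll), noting when that target also runs in-process. The sample outputs, the KNOWN_ISAPI baseline paths and the "extension,dll,flags,verbs" layout of ScriptMaps entries are assumptions for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of "adsutil.vbs get /W3SVC/InProcessIsapiApps" output.
SAMPLE_INPROC = """InProcessIsapiApps              : (LIST) (4 Items)
  "C:\\WINNT\\System32\\idq.dll"
  "C:\\WINNT\\System32\\inetsrv\\httpext.dll"
  "C:\\WINNT\\System32\\inetsrv\\msw3prt.dll"
  "evil.dll"
"""

# Constructed sample of "adsutil.vbs get /w3svc/1/root/ScriptMaps" output.
# Each entry is assumed to be "extension,dll path,flags,verbs".
SAMPLE_SCRIPTMAPS = """ScriptMaps                      : (LIST) (3 Items)
  ".asp,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE"
  ".printer,C:\\WINNT\\System32\\msw3prt.dll,1,GET,POST"
  ".tom,C:\\WINNT\\System32\\inetsrv\\msw3prt.dll,1"
"""

# Assumed baseline: where the well-known ISAPI DLLs live on this server (lower-case).
# Build the real one from a clean install, not from a server under suspicion.
KNOWN_ISAPI = {
    "idq.dll": r"c:\winnt\system32\idq.dll",
    "httpext.dll": r"c:\winnt\system32\inetsrv\httpext.dll",
    "msw3prt.dll": r"c:\winnt\system32\msw3prt.dll",
    "asp.dll": r"c:\winnt\system32\inetsrv\asp.dll",
}

ITEM = re.compile(r'^\s*"(.*)"\s*$')


def parse_list(output):
    """Extract the quoted items from adsutil's (LIST) output; the header line is skipped."""
    return [m.group(1) for m in (ITEM.match(l) for l in output.splitlines()) if m]


def audit_inprocess(output, known=KNOWN_ISAPI):
    """Return (entry, reason) for in-process ISAPI entries that deserve a look."""
    findings = []
    for entry in parse_list(output):
        low = entry.lower()
        base = PureWindowsPath(low).name
        if "\\" not in low:
            # No path: any DLL with this name, in any directory, runs in-process as SYSTEM.
            findings.append((entry, "no path: any DLL with this name runs in-process"))
        elif base in known and low != known[base]:
            findings.append((entry, "known ISAPI name at an unexpected path (expected %s)"
                             % known[base]))
        elif base not in known:
            findings.append((entry, "DLL not in the in-process baseline"))
    return findings


def audit_scriptmaps(output, inproc_output, known=KNOWN_ISAPI):
    """Return (extension, reason) for script maps that route to an unexpected DLL."""
    inproc = {e.lower() for e in parse_list(inproc_output)}
    findings = []
    for entry in parse_list(output):
        parts = entry.split(",")
        if len(parts) < 2:
            continue
        ext, dll = parts[0], parts[1]
        low = dll.lower()
        base = PureWindowsPath(low).name
        if base in known and low == known[base]:
            continue  # the extension goes to the DLL we expect
        reason = ("known ISAPI name at an unexpected path" if base in known
                  else "maps to a DLL outside the baseline") + ": " + dll
        if low in inproc:
            reason += " (also listed in InProcessIsapiApps, so it runs as SYSTEM)"
        findings.append((ext, reason))
    return findings


if __name__ == "__main__":
    for entry, reason in audit_inprocess(SAMPLE_INPROC):
        print("InProcessIsapiApps:", entry, "->", reason)
    for ext, reason in audit_scriptmaps(SAMPLE_SCRIPTMAPS, SAMPLE_INPROC):
        print("ScriptMaps:", ext, "->", reason)
```

Run the two adsutil.vbs get commands for every web instance and every key under its root (including keys that only show up in enum /p), feed the saved output to the functions, and treat any script map or in-process entry that is not in the baseline as something to explain before the server goes back into service.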

Besides the script-mapping method above, you can also give a virtual directory AccessWrite and AccessExecute permissions. When you need to run the backdoor, upload the ISAPI with WebDAV, run it, and delete it after use. (Is it possible to delete it, or does W3SVC still need to be restarted? I have not tested.) If what is uploaded is an EXE rather than a DLL, CreateProcessAsUser on that directory can be set to 0 to obtain local system privileges. This method has already been written about. However, changes to AccessWrite and AccessExecute are visible in the "Internet Services Manager", so its concealment is poor.
