Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2003-05-08 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

New backdoor - Trojan.Kaht - exploits WebDav vulnerability

Published: 2003-05-08
Last Updated: 2003-05-08 18:04:35 UTC
by Handlers (Version: 1)
0 comment(s)
Trojan.Kaht is a Hacktool used by its creator to scan for and exploit
the vulnerability of the Microsoft WebDAV server, running IIS 5.0. An individual who successfully exploits this vulnerability may completely control an affected Web server.

The IIS WebDAV uses a core Windows system component, ntdll.dll,
containing an unchecked buffer when processing the incoming WebDAV requests. Trojan.Kaht scans for the vulnerable Microsoft WebDAV (IIS 5.0) server, by sending a specially formatted WebDAV HTTP request to the server.

If the server is vulnerable, the Trojan creates a script file, kaht.html, on the compromised system. Then, the Trojan adds a user, "KaHT," to the administrator group and spawns a shell. This action gives the Trojan's creator complete control of the system.

-----

contributed by Deborah Hale. haled@pionet.net

feedback please to isc@sans.org


Keywords:
0 comment(s)
Diary Archives