New backdoor - Trojan.Kaht - exploits WebDav vulnerability

Published: 2003-05-08
Last Updated: 2003-05-08 18:04:35 UTC
by Handlers (Version: 1)
Trojan.Kaht is a hacktool that its creator uses to scan for and exploit a vulnerability in the Microsoft WebDAV server running on IIS 5.0. An individual who successfully exploits this vulnerability may completely control an affected Web server.

IIS WebDAV uses a core Windows system component, ntdll.dll, which contains an unchecked buffer that is reached when processing incoming WebDAV requests. Trojan.Kaht scans for vulnerable Microsoft WebDAV (IIS 5.0) servers by sending a specially formatted WebDAV HTTP request to the server.

If the server is vulnerable, the Trojan creates a script file, kaht.html, on the compromised system. Then, the Trojan adds a user, "KaHT," to the administrator group and spawns a shell. This action gives the Trojan's creator complete control of the system.
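
The two host artifacts described above (the kaht.html file and the "KaHT" account in the administrator group) can be checked for directly. The Python script below is an added example, not part of the original diary; it assumes English-locale `net localgroup Administrators` output, and the sample output and the names WEBSRV01 and backupsvc in it are constructed.

```python
import os

# Indicators named in the diary text: the dropped file and the added account.
IOC_FILE = "kaht.html"
IOC_USER = "kaht"

# Constructed sample of `net localgroup Administrators` output (English locale
# assumed; WEBSRV01 and backupsvc are made-up names).
SAMPLE_NET_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access

Members

-------------------------------------------------------------------------------
Administrator
KaHT
WEBSRV01\\backupsvc
The command completed successfully.
"""

def parse_localgroup_members(net_output):
    """Return the member names listed in `net localgroup <group>` output."""
    members, in_list = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if line.startswith("-----"):
            in_list = True          # members follow the dashed separator
        elif in_list and line.lower().startswith("the command completed"):
            break                   # trailer line, not a member
        elif in_list and line:
            members.append(line)
    return members

def find_ioc_accounts(net_output):
    """Members matching the KaHT account, ignoring case and any DOMAIN\\ prefix."""
    return [m for m in parse_localgroup_members(net_output)
            if m.split("\\")[-1].lower() == IOC_USER]

def find_ioc_files(root):
    """Paths under root named kaht.html, compared case-insensitively as on NTFS."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if f.lower() == IOC_FILE)
    return sorted(hits)

def check_host(net_output, root):
    """Collect both indicators; any non-empty list warrants investigation."""
    return {"accounts": find_ioc_accounts(net_output), "files": find_ioc_files(root)}
```

On a live host, pass the captured output of `net localgroup Administrators` and the directory tree to search to `check_host`.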

-----

contributed by Deborah Hale. haled@pionet.net

feedback please to isc@sans.org

