Taken from the Microsoft bulletin:

"Could an attacker use the vulnerability to take control of the ISA server? No. This is a denial of service attack only. There is no capability to usurp any administrative privileges. Could an attacker use the vulnerability to breach the security of the firewall? No. There is no capability to use this vulnerability to lower the security the firewall provides. It can only be used to prevent the Web Proxy service from passing any data at all."

Hmm, I beg to differ.. after reading the advisory provided by the SecureXpert team I decided to look for myself. Going by the info they provided and a few slight buffer modifications we found ourselves breaking at this point..

    .text:0101D726    mov     ecx, [eax]
    .text:0101D728    push    edi
    .text:0101D729    mov     edi, eax
    .text:0101D72B    mov     eax, [eax+4]
    .text:0101D72E    push    esi
    .text:0101D72F    mov     [eax], ecx
    .text:0101D731    mov     [ecx+4], eax
    .text:0101D734    call    ds:LeaveCriticalSection
    .text:0101D73A    mov     eax, edi
    .text:0101D73C    pop     edi
    .text:0101D73D    pop     esi
    .text:0101D73E    retn

It takes a bit of register fiddling to get somewhere.. but is certainly doable. The data at the offset of eax is referencing the tail end of the user buffer sent (2 dwords). You can see by the code that you can now write to any writeable memory location with any data you wish - stored return address, saved exception handler.. whatever. The heap corruption makes exploiting this a slightly random and volatile exercise.. but we've had success getting code executing.

That's all, just wanted to prove a point. Also, cash low.. need a new job.

dark spyrit/beavuh - doin it for the cause!
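An added illustration, not part of the original post or of any ISA Server code, of why the four instructions above (`mov ecx,[eax]` / `mov eax,[eax+4]` / `mov [eax],ecx` / `mov [ecx+4],eax`) are a doubly-linked-list unlink and why a "denial of service only" assessment does not hold for them. The node layout (next at +0, prev at +4) is assumed from the listing; the list, the "corrupted" node and the victim/payload locations are constructed in-process so the program runs stand-alone. It shows the unchecked unlink on an honest list, the same unlink when the two dwords come from an overflowed buffer (it becomes a write of one attacker-chosen pointer to one attacker-chosen address), and the safe-unlink check, as adopted by later heap implementations, that refuses the corrupted node. Compiles as 32- or 64-bit C; the mechanism is the same.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed node layout, mirroring the two dwords the post identifies at
 * the tail of the user buffer: [eax] = next, [eax+4] = prev. */
typedef struct node {
    struct node *next;   /* the dword at [eax]   (loaded into ecx) */
    struct node *prev;   /* the dword at [eax+4] (loaded into eax) */
} node_t;

/* Unchecked unlink: a C rendering of the listing's four data-moving
 * instructions. Nothing validates that next/prev still belong to a list. */
static void unlink_unchecked(node_t *n)
{
    node_t *next = n->next;  /* mov ecx, [eax]   */
    node_t *prev = n->prev;  /* mov eax, [eax+4] */
    prev->next = next;       /* mov [eax], ecx   : store 'next' at prev+0 */
    next->prev = prev;       /* mov [ecx+4], eax : store 'prev' at next+4 */
}

/* Hardened unlink (safe unlinking): both neighbours must still point
 * back at n, otherwise the node is treated as corrupted and nothing is
 * written. This is the check modern allocators apply before an unlink. */
static int unlink_checked(node_t *n)
{
    if (n->next == NULL || n->prev == NULL ||
        n->next->prev != n || n->prev->next != n)
        return 0;            /* corruption detected: refuse */
    n->prev->next = n->next;
    n->next->prev = n->prev;
    return 1;
}

/* Honest circular list head <-> a <-> b; unlink a; verify the splice. */
int honest_list_ok(void)
{
    node_t head, a, b;
    head.prev = &b;   head.next = &a;
    a.prev = &head;   a.next = &b;
    b.prev = &a;      b.next = &head;
    if (!unlink_checked(&a))
        return 0;
    return head.next == &b && b.prev == &head;
}

/* Node whose two dwords are attacker-controlled (constructed values).
 * Returns 1 if the unchecked unlink stored 'payload' into 'victim', i.e.
 * the instructions behaved as a write-what-where. */
int unchecked_unlink_is_arbitrary_write(void)
{
    node_t victim  = { NULL, NULL };  /* stands in for any writable slot */
    node_t payload = { NULL, NULL };  /* the pointer value that gets written */
    node_t fake;
    fake.prev = &victim;   /* "where": [eax]   = ecx lands at prev+0 */
    fake.next = &payload;  /* "what":  the value stored there        */
    unlink_unchecked(&fake);
    /* side effect: payload.prev == &victim; harmless in this demo */
    return victim.next == &payload;
}

/* Same corrupted node through the checked unlink: must be refused and
 * both locations must be untouched. */
int checked_unlink_refuses_corruption(void)
{
    node_t victim  = { NULL, NULL };
    node_t payload = { NULL, NULL };
    node_t fake;
    fake.prev = &victim;
    fake.next = &payload;
    int rc = unlink_checked(&fake);
    return rc == 0 && victim.next == NULL && payload.prev == NULL;
}

int main(void)
{
    printf("honest list unlink ok:          %d\n", honest_list_ok());
    printf("unchecked unlink = arb. write:  %d\n", unchecked_unlink_is_arbitrary_write());
    printf("checked unlink refuses corrupt: %d\n", checked_unlink_refuses_corruption());
    return 0;
}
```

The defensive takeaway: a bulletin that classifies an overflow as "DoS only" needs to show that the overwritten bytes are never consumed by list or pointer manipulation such as this unlink; where they are, the correct mitigation is to validate the links before writing through them (and, more generally, to reject the oversized request before it reaches the heap).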
This archive was generated by hypermail 2b30 : Fri Apr 27 2001 - 01:30:26 PDT