Re: Microsoft ISA Server Vulnerability

From: Microsoft Security Response Center (secureat_private)
Date: Fri Apr 27 2001 - 07:54:08 PDT

Next message: Progeny Security Team: "PROGENY-SA-2001-10: Older versions of NEdit make insecure use of temp files"

Previous message: Elias Levy: "Re: Double clicking on innocent looking files may be dangerous"
Maybe in reply to: dark spyrit: "Microsoft ISA Server Vulnerability"
Next in thread: dark spyrit: "Re: Microsoft ISA Server Vulnerability"
Reply: dark spyrit: "Re: Microsoft ISA Server Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi -

You're right that the root problem here is a heap corruption.  The
Knowledge Base article we published on the subject
(http://support.microsoft.com/support/kb/articles/q295/2/79.asp,
"Cause") notes that this is the case.  As part of our investigation, we
examined whether the heap corruption could, in this case, be exploited
to run code, but we were unable to find any way to do so.  If you can
demonstrate an ability to run code via the exploit, please contact us
immediately as we'd be most interested in investigating the issue
further.  Regards,

Scott Culp
Security Program Manager
Microsoft Corporation

-----Original Message-----
From: dark spyrit [mailto:dspyritat_private] 
Sent: Thursday, April 26, 2001 2:17 PM
To: BUGTRAQat_private
Subject: Microsoft ISA Server Vulnerability


Taken from the Microsoft bulletin -

"Could an attacker use the vulnerability to take control of the ISA
server?

No. This is a denial of service attack only. There is no capability to
usurp any administrative privileges.

Could an attacker use the vulnerability to breach the security of the
firewall?

No. There is no capability to use this vulnerability to lower the
security the firewall provides. It can only be used to prevent the Web
Proxy service from passing any data at all. "

Hmm I beg to differ.. after reading the advisory provided by the
SecureXpert team I decided to look for myself. Going by the info they
provided and a few slight buffer modifications we found ourselves
breaking at this point..

.text:0101D726                 mov     ecx, [eax]
.text:0101D728                 push    edi
.text:0101D729                 mov     edi, eax
.text:0101D72B                 mov     eax, [eax+4]
.text:0101D72E                 push    esi
.text:0101D72F                 mov     [eax], ecx
.text:0101D731                 mov     [ecx+4], eax
.text:0101D734                 call    ds:LeaveCriticalSection
.text:0101D73A                 mov     eax, edi
.text:0101D73C                 pop     edi
.text:0101D73D                 pop     esi
.text:0101D73E                 retn

It takes a bit of register fiddling to get somewhere.. but is certainly
do-able.

The data at the offset of eax is referencing the tail end of the user
buffer sent (2 dwords). You can see by the code that you can now write
to any writeable memory location with any data you wish - stored return
address, saved exception handler.. whatever.

The heap corruption makes exploiting this a slightly random and volatile
exercise.. but we've had success getting code executing.

That's all, just wanted to prove a point.

Also, cash low.. need a new job.

dark spyrit/beavuh - doin it for the cause!

Next message: Progeny Security Team: "PROGENY-SA-2001-10: Older versions of NEdit make insecure use of temp files"
Previous message: Elias Levy: "Re: Double clicking on innocent looking files may be dangerous"
Maybe in reply to: dark spyrit: "Microsoft ISA Server Vulnerability"
Next in thread: dark spyrit: "Re: Microsoft ISA Server Vulnerability"
Reply: dark spyrit: "Re: Microsoft ISA Server Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 27 2001 - 15:36:02 PDT