[PEN-TEST] Windows 2000 .printer remote overflow proof of concept exploit

From: Marc Maiffret (marcat_private)
Date: Wed May 02 2001 - 12:54:48 PDT


    We have updated our advisory
    (http://www.eeye.com/html/Research/Advisories/AD20010501.html) to link to a
    proof of concept exploit for our Windows 2000 .printer ISAPI overflow
    vulnerability. The proof of concept code, when run against a vulnerable
    Win2k system, will create a file called www.eEye.com.txt on the root of
    drive c.
    
    If you have a Windows 2000 web server then please install the Microsoft
    security patch ASAP. This proof of concept exploit is not to be used as a
    method of testing to see if you're vulnerable or not. It has been published as
    a way to learn more about what is going on with specific technical details
    pertaining to this flaw. If you have not installed the Microsoft security
    patch then you are most likely vulnerable and need to patch your system
    ASAP.
    
    As a side note... eEye Digital Security was contacted by a few of the rather
    large IDS vendors yesterday looking to get a copy of the example exploit so
    that they could create a signature for their IDS. Instead of replying to
    each of them individually we thought we would do so here and that way other
    IDS vendors will have the "heads up."
    
    Creating an IDS signature that looks for a request of GET /NULL.printer
    HTTP/1.0\nHost: eeyeoverflowstring\n\n is not going to really do much for
    you. While you might catch our specific example exploit you will miss any
    other exploits that have been developed and are "in the wild." In order to
    correctly monitor for people launching attacks against the .printer ISAPI
    filter you should be looking for any GET requests of .printer and a large
    (you'll have to track down the buffer range yourself, around 420) Host:
    header. That is one of the ways that SecureIIS is able to generically stop
    the attack (simply speaking of course).
    
    Anyways, have fun reading and learning from the example exploit. Ryan Permeh
    (ryanat_private) has done a great job with it.
    
    Also... There has been some talk on various mailing lists about methods of
    detecting if the .printer ISAPI filter is installed on a remote server. Now
    some people suggested opening IE and then typing in
    http://www.example.com/anything.printer which should then return an error
    like "Error in web printer install." However by default IE shows "friendly"
    HTTP error messages and is not going to show you the ISAPI error message. So
    either turn off friendly HTTP error messages or use telnet (recommended).
    
    Signed,
    Marc Maiffret
    Chief Hacking Officer
    eEye Digital Security
    T.949.349.9062
    F.949.349.9538
    http://eEye.com/Retina - Network Security Scanner
    http://eEye.com/Iris - Network Traffic Analyzer
    http://eEye.com/SecureIIS - Web Application Firewall
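The two detection rules Marc contrasts, as an added example that is not code from the post or from eEye: a narrow signature keyed to the PoC's fixed /NULL.printer path beside the generic check for any GET of a .printer resource carrying an oversized Host header. The 420-byte threshold is the post's approximate figure, and the sample requests are constructed for the test.

```python
import re

# The post gives the buffer range only as "around 420"; treat that as the threshold.
HOST_THRESHOLD = 420

REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d$")


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, headers); None if malformed.
    Header names are lower-cased; the first occurrence of a repeated header wins."""
    lines = raw.replace("\r\n", "\n").split("\n")
    m = REQUEST_LINE_RE.match(lines[0].strip())
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return m.group("method"), m.group("path"), headers


def signature_specific(raw: str) -> bool:
    """The narrow rule the post warns against: it only matches the PoC's fixed path."""
    parsed = parse_request(raw)
    return parsed is not None and parsed[1] == "/NULL.printer"


def signature_generic(raw: str, threshold: int = HOST_THRESHOLD) -> bool:
    """The rule the post recommends: any GET for a .printer resource whose Host
    header is at least `threshold` bytes long, whatever the path or host contents."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, path, headers = parsed
    resource = path.split("?", 1)[0]  # ignore any query string
    if method != "GET" or not resource.lower().endswith(".printer"):
        return False
    return len(headers.get("host", "").encode("latin-1", "replace")) >= threshold


# Constructed sample requests (not captured traffic). The repeated letters stand
# in for whatever fills the Host header; only its length matters to the rule.
POC_LIKE = "GET /NULL.printer HTTP/1.0\r\nHost: " + "A" * 420 + "\r\n\r\n"
VARIANT = "GET /x.printer?v=1 HTTP/1.0\r\nHost: " + "B" * 450 + "\r\n\r\n"
BENIGN = "GET /doc.printer HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
NOT_PRINTER = "GET /index.html HTTP/1.0\r\nHost: " + "C" * 450 + "\r\n\r\n"
```

The VARIANT request is the case the post cares about: the fixed-string rule misses it, the length-based rule catches it, while a benign .printer request with a normal Host header is left alone.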
    



    This archive was generated by hypermail 2b30 : Wed May 02 2001 - 13:05:56 PDT