[NT] Microsoft IIS ssinc.dll Buffer Overflow Vulnerability
From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] Microsoft IIS ssinc.dll Buffer Overflow Vulnerability
Message-Id: <20010818152507.AC193138BF@mail.der-keiler.de>
Date: Sat, 18 Aug 2001 17:25:07 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Microsoft IIS ssinc.dll Buffer Overflow Vulnerability
------------------------------------------------------------------------
SUMMARY
A security vulnerability has been found in the 'Server Side Includes'
support of Microsoft IIS. It allows an attacker to make the IIS server
execute arbitrary code and gain elevated privileges.
Note that to exploit this vulnerability the attacker needs the ability to
upload files to the IIS server (which is not granted to unauthenticated
users by default).
DETAILS
Vulnerable systems:
* Microsoft IIS 4.0
* Microsoft IIS 5.0
Impact:
The NSFOCUS Security Team has found a buffer overflow vulnerability in a
dynamic link library of Microsoft IIS 4.0/5.0 (ssinc.dll) that is triggered
when processing server side include files. Exploiting it may let an
attacker obtain SYSTEM privileges.
Microsoft IIS supports SSI (Server Side Includes) and uses ssinc.dll as the
SSI interpreter. By default, the extensions .stm, .shtm and .shtml are
mapped to that interpreter (ssinc.dll).
SSI supports "#include" directive, mostly in this form:
<!--#include file="Filename"-->
When processing an "#include" directive, ssinc.dll takes the name of the
directory in which the .shtml file resides, prepends it to the include
filename and forms a new path string.
Example:
Create a file named "test.shtml" with the following content and save it
under "wwwroot/abcd/":
<!--#include file="ABCD"-->
The new path string would be "/abcd/ABCD". ssinc.dll copies it into a
buffer of 0x804 (2052) bytes.
When it obtains the server-side include filename from test.shtml, ssinc.dll
does check its length: if the filename is longer than 0x801 bytes, it is
cut to 0x801 bytes and a '\0' is appended. Thus the include filename
(including the trailing '\0') is never longer than 0x802 (2050) bytes.
However, the length of the new path string formed by prepending the
current directory name is not checked. Because that string is "/" followed
by the directory name, "/" and the include filename, its length with the
trailing '\0' is 2052 bytes plus the length of the directory name, so every
byte of the directory name ends up past the end of the buffer. Thus, if we
set the included filename to a string longer than 0x801 bytes and save
"test.shtml" under a directory whose name is longer than 9 bytes, a buffer
overflow occurs that completely overwrites the EBP and EIP saved on the
stack (the trailing '\0' overwrites the first argument).
As ssinc.dll runs in the LOCAL SYSTEM context, an attacker who carefully
crafts the overflow data can change the control flow of the process and
run arbitrary code with SYSTEM privileges.
To launch an attack, the attacker needs the following two things:
1. Privilege to create a file or directory under the Web directory.
2. Ability to access the created file through the Web service.
Exploit:
1. Create a file "test.shtml" with the following content:
<!--#include file="AAAA[...]AA"-->
The number of 'A's should be more than 2049.
2. Create a directory "a" under the Web directory and copy "test.shtml"
into it.
3. Request "test.shtml" through a web browser: http://webhost/a/test.shtml
4. IIS returns a blank page, which indicates that an overflow has
occurred: the trailing '\0' has overwritten one byte (the low byte) of the
saved EBP.
By contrast, if the included file has a short name such as 'AA', IIS
returns an SSI error message for the file '/a/AA' when handling the
request.
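The following C program is an added example; it is not part of the NSFocus advisory or of Microsoft's code. It models the path construction described above using the advisory's own limits (the include name cut to 0x801 bytes, the path built in a 0x804-byte buffer) and replays the two proof-of-concept cases: the one-byte overflow that puts the trailing '\0' on the saved EBP when test.shtml sits in directory "a", and the short name 'AA' that fits. It also runs a nine-byte directory name, enough to write 'A's over all of the saved EBP and EIP and land the terminator on the first argument, and sets the unchecked builder beside one that bounds the combined path. The `struct frame` layout (buffer, saved EBP, saved EIP, first argument), the sentinel values and the function names are assumptions made for the demonstration; the copy is confined to that struct so the program runs without crashing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Limits quoted in the advisory: the #include filename is cut to 0x801 bytes
 * (plus NUL) and "/<dir>/<name>" is assembled in a 0x804-byte buffer. */
#define MAX_INCLUDE_NAME 0x801   /* 2049 */
#define PATH_BUF_SIZE    0x804   /* 2052 */

/* Assumed 32-bit x86 stack layout for the demo: the path buffer followed by
 * the saved EBP, the saved EIP and the function's first argument. This is an
 * illustrative model, not a disassembly of ssinc.dll. */
struct frame {
    char     path[PATH_BUF_SIZE];
    uint32_t saved_ebp;
    uint32_t saved_eip;
    uint32_t arg0;
};
static struct frame g;   /* frame operated on by the demo runs below */

/* The check ssinc.dll does perform: cut the include name to 0x801 bytes. */
static void truncate_include_name(const char *name, char out[MAX_INCLUDE_NAME + 1])
{
    size_t n = strlen(name);
    if (n > MAX_INCLUDE_NAME)
        n = MAX_INCLUDE_NAME;
    memcpy(out, name, n);
    out[n] = '\0';
}

/* Vulnerable builder: the combined path goes into path[] with no length check.
 * The copy is capped at sizeof(struct frame) only so the demo stays inside one
 * object; the bytes landing beyond path[] are the ones the real overflow would
 * put over the saved registers. Returns how many bytes went past path[]. */
static size_t build_path_unchecked(struct frame *f, const char *dir, const char *include)
{
    char name[MAX_INCLUDE_NAME + 1];
    char scratch[sizeof(struct frame)];
    size_t total;

    truncate_include_name(include, name);
    total = 1 + strlen(dir) + 1 + strlen(name) + 1;   /* "/dir/name" plus NUL */
    if (total > sizeof scratch)
        total = sizeof scratch;                        /* demo guard only */
    snprintf(scratch, sizeof scratch, "/%s/%s", dir, name);
    memcpy((char *)f, scratch, total);                 /* the unchecked copy */
    return total > PATH_BUF_SIZE ? total - PATH_BUF_SIZE : 0;
}

/* Hardened builder: bound the combined path, not just its components. */
static int build_path_checked(struct frame *f, const char *dir, const char *include)
{
    char name[MAX_INCLUDE_NAME + 1];
    int n;

    truncate_include_name(include, name);
    n = snprintf(f->path, sizeof f->path, "/%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof f->path) {
        f->path[0] = '\0';
        return -1;                                     /* too long: rejected */
    }
    return 0;
}

/* Constructed input: an include name of n_a 'A's (the advisory's test.shtml),
 * with the frame reset to sentinel values so overwrites are easy to spot. */
static void prepare(size_t n_a, char *include, size_t cap)
{
    if (n_a >= cap)
        n_a = cap - 1;
    memset(include, 'A', n_a);
    include[n_a] = '\0';
    memset(&g, 0, sizeof g);
    g.saved_ebp = 0x11111111u;
    g.saved_eip = 0x22222222u;
    g.arg0      = 0x33333333u;
}

static size_t run_unchecked(const char *dir, size_t n_a)
{
    char include[4096];
    prepare(n_a, include, sizeof include);
    return build_path_unchecked(&g, dir, include);
}

static int run_checked(const char *dir, size_t n_a)
{
    char include[4096];
    prepare(n_a, include, sizeof include);
    return build_path_checked(&g, dir, include);
}

int main(void)
{
    size_t over = run_unchecked("a", 3000);      /* the advisory's PoC: directory "a" */
    printf("dir \"a\": %zu byte past path[], EBP 0x%08x\n", over, (unsigned)g.saved_ebp);
    over = run_unchecked("abcdefghi", 3000);     /* 9-byte directory name */
    printf("dir \"abcdefghi\": %zu bytes past path[], EBP 0x%08x EIP 0x%08x arg0 0x%08x\n",
           over, (unsigned)g.saved_ebp, (unsigned)g.saved_eip, (unsigned)g.arg0);
    printf("checked: long -> %d, short -> %d\n", run_checked("a", 3000), run_checked("a", 2));
    return 0;
}
```

Compile with any C99 compiler and run; the printed lines show which saved slots each directory name reaches. The boundary is visible in the arithmetic: with directory "a" a 2048-byte include name fills the buffer exactly, while 2049 bytes (the advisory's truncation limit) already pushes the terminator one byte past it. The hardened builder is what a fix has to achieve: the per-component length check on the include name does not bound the concatenated path.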
Workaround:
1. Disable write access to the Web directory for untrusted users.
2. Remove the .shtml, .shtm and .stm script mappings if SSI is not needed.
Vendor status:
2001.6.11 NSFocus informed Microsoft of this vulnerability.
2001.6.11 Microsoft replied that the bug had been reproduced.
2001.8.15 Microsoft released security bulletin MS01-044 concerning this
flaw.
The bulletin is live at:
http://www.microsoft.com/technet/security/bulletin/MS01-044.asp
Patches are available at:
* Microsoft IIS 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32061
* Microsoft IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32011
ADDITIONAL INFORMATION
The information has been provided by the NSFocus Security Team
<mailto:security@nsfocus.com>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.