[NT] New Attack Vectors and a Vulnerability Dissection of MS03-007

From: support@securiteam.com
Date: 03/23/03

  • Next message: support@securiteam.com: "[NEWS] Check Point FW-1 DoS Attack against Syslog Daemon"
    From: support@securiteam.com
    To: list@securiteam.com
    Date: 23 Mar 2003 16:19:03 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    In the US?

    Contact Beyond Security at our new California office
    housewarming rates on automated network vulnerability
    scanning. We also welcome ISPs and other resellers!

    Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
    - - - - - - - - -

      New Attack Vectors and a Vulnerability Dissection of MS03-007
    ------------------------------------------------------------------------

    SUMMARY

    The patch announced by Microsoft on 17 March 2003 (MS03-007) fixes a
    security vulnerability in the core of the Windows 2000 operating system.
    The flaw was being actively exploited through WebDAV requests to
    Microsoft Internet Information Server (IIS) 5.0. It must be stressed that
    IIS is merely the attack vector, the route by which the flaw is reached;
    the problem is far wider in scope than machines running IIS. Researchers
    at NGSSoftware have isolated many more attack vectors, including
    Java-based web servers and non-WebDAV code paths in IIS. NGSSoftware
    therefore urges all Windows 2000 users to apply the patch.

    DETAILS

    Vulnerability Dissection:
    As far as the IIS vector is concerned, WebDAV requests do not limit the
    length of the file name being requested. When a WebDAV request is
    processed, whether the method is PROPFIND, LOCK, SEARCH, or a plain GET
    carrying the "Translate: f" header, the requested path is passed through
    a series of functions, one of which is GetFileAttributesExW. Under the
    hood, GetFileAttributesExW calls RtlDosPathNameToNtPathName_U, exported
    by ntdll.dll, and this is where the actual vulnerability lies.

    RtlDosPathNameToNtPathName_U relies on unsigned shorts for string lengths.
    An unsigned short is 16 bits wide and can hold a value from 0 to 65535. A
    length that does not fit is silently truncated modulo 65536: a string
    65536 bytes long is recorded as having a length of 0, and one of 65538
    bytes as having a length of 2, although the string is in fact far longer.
    Any code that subsequently trusts the truncated length, for example when
    sizing a buffer, is working with a value far smaller than the real string.
    This reliance on unsigned shorts is the vulnerability. GetFileAttributesExW
    is also not the only function that calls RtlDosPathNameToNtPathName_U.

    There are many:
    GetShortPathNameW
    CopyFileW
    MoveFileW
    MoveFileExW
    ReplaceFileW
    CreateMailslotW
    GetFileAttributesW
    FindFirstFileExW
    CreateFileW
    GetVolumeInformationW
    DeleteFileW
    GetDriveTypeW
    GetFileAttributesExW
    CreateDirectoryW
    FindFirstChangeNotificationW
    GetBinaryTypeW
    CreateNamedPipeW
    SetFileAttributesW
    MoveFileWithProgressW
    GetVolumeNameForVolumeMountPointW
    GetDiskFreeSpaceW
    CreateDirectoryExW
    DefineDosDeviceW
    PrivMoveFileIdentityW
    GetCompressedFileSizeW
    SetVolumeLabelW
    CreateHardLinkW
    RemoveDirectoryW

    As can be seen, most of these functions deal with the file system. For a
    piece of software to be a "suitable" attack vector, an attacker must be
    able to supply an arbitrarily long string to any one of these functions.
    Functions in other DLLs also rely on RtlDosPathNameToNtPathName_U.

    These are some of the other DLLs that import this function:
    acledit.dll
    advapi32.dll
    cscdll.dll
    csrsrv.dll
    dskquoui.dll
    eventlog.dll
    gdi32.dll
    ifsutil.dll
    lsasrv.dll
    ntdll.dll
    ntmarta.dll
    ole32.dll
    perfproc.dll
    query.dll
    rshx32.dll
    scesrv.dll
    sdbapiu.dll
    setupdll.dll
    sfc.dll
    shell32.dll
    shim.dll
    srvsvc.dll
    svcpack.dll
    trkwks.dll
    ulib.dll
    wow32.dll
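    The following C program is an added illustration for this page; it is not
    part of the NGSSoftware advisory and is not Microsoft's implementation of
    RtlDosPathNameToNtPathName_U. It models the unsigned-short truncation
    described under "Vulnerability Dissection" and what it means for a caller
    such as the Win32 functions listed above: the byte length of a wide path is
    stored in a 16-bit field, so a 32768-character (65536-byte) path is recorded
    as length 0 and a caller that sizes a destination from that field would be
    copying 65536 bytes past it. The struct layout, the names stored_length,
    init_string_vuln, init_string_safe, overflow_bytes and safe_accepts, and the
    "reject anything over 32767 characters" check are assumptions made for this
    model; only the 16-bit length arithmetic is taken from the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Windows WCHAR is 16 bits; Linux wchar_t is not, so model it explicitly. */
typedef uint16_t WCHAR;

/* Assumed layout for this model: byte lengths held in unsigned shorts,
 * which is the property the advisory identifies as the root cause. */
typedef struct {
    uint16_t Length;         /* byte count, NOT character count */
    uint16_t MaximumLength;  /* bytes available in Buffer */
    WCHAR   *Buffer;
} MODEL_UNICODE_STRING;

/* Byte length of an nchars-long wide string as a 16-bit field records it. */
uint16_t stored_length(size_t nchars)
{
    return (uint16_t)(nchars * sizeof(WCHAR));   /* wraps modulo 65536 */
}

/* Vulnerable pattern: assign the byte length to the 16-bit field without
 * checking that it fits. Always "succeeds", even for 65536-byte names. */
int init_string_vuln(MODEL_UNICODE_STRING *s, WCHAR *buf, size_t nchars)
{
    s->Buffer        = buf;
    s->Length        = stored_length(nchars);
    s->MaximumLength = s->Length;
    return 1;
}

/* Hardened pattern: refuse any string whose byte length cannot be
 * represented in 16 bits (more than 32767 characters). */
int init_string_safe(MODEL_UNICODE_STRING *s, WCHAR *buf, size_t nchars)
{
    if (nchars > UINT16_MAX / sizeof(WCHAR)) {
        s->Buffer = NULL;
        s->Length = s->MaximumLength = 0;
        return 0;   /* name too long */
    }
    s->Buffer        = buf;
    s->Length        = (uint16_t)(nchars * sizeof(WCHAR));
    s->MaximumLength = s->Length;
    return 1;
}

/* Models a caller that sizes its destination from the 16-bit Length field
 * but copies the full caller-supplied input. Returns how many bytes such a
 * copy would run past the destination (0 means it fits). No buffer is
 * touched here: the bug is entirely in the length bookkeeping. */
size_t overflow_bytes(size_t nchars)
{
    MODEL_UNICODE_STRING s;
    init_string_vuln(&s, NULL, nchars);
    size_t dest_size = s.Length;                 /* trusted, truncated */
    size_t copy_size = nchars * sizeof(WCHAR);   /* the real length */
    return copy_size > dest_size ? copy_size - dest_size : 0;
}

/* 1 if the hardened initialiser accepts an nchars-long name, else 0. */
int safe_accepts(size_t nchars)
{
    MODEL_UNICODE_STRING s;
    return init_string_safe(&s, NULL, nchars);
}

int main(void)
{
    /* Constructed path lengths: MAX_PATH, the largest that fits, and the
     * first two that wrap. */
    size_t lengths[] = { 260, 32767, 32768, 32769 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        size_t n = lengths[i];
        printf("%6zu chars = %6zu bytes -> stored %5u, overrun %6zu bytes, "
               "safe init %s\n",
               n, n * sizeof(WCHAR), stored_length(n), overflow_bytes(n),
               safe_accepts(n) ? "accepts" : "rejects");
    }
    return 0;
}
```

    Note that the wrap happens at a character count, 32768, that is small
    enough to fit comfortably in a single HTTP request line, which is why an
    unbounded file name reaching any of the functions above is enough to
    trigger the flaw.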

    Conclusion:
    Security researchers at NGSSoftware have already discovered several new
    attack vectors and believe that many more will become known over the
    next few weeks. There are simply too many ways for an attacker to reach
    the vulnerability. Likely areas are non-Microsoft web and FTP servers,
    IMAP servers, anti-virus solutions and other Windows services.
    Consequently, NGSSoftware believes that every Windows 2000 server or
    workstation should be patched, and patched as soon as possible,
    regardless of whether the machine is running IIS.

    Resources:
    Microsoft Advisory:
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-007.asp

    Patch (All except Japanese NEC):
    http://microsoft.com/downloads/details.aspx?FamilyId=C9A38D45-5145-4844-B62EC69D32AC929B&displaylang=en

    Patch (Japanese NEC):
    http://microsoft.com/downloads/details.aspx?FamilyId=FBCF9847-D3D6-4493-8DCF-9BA29263C49F&displaylang=ja

    ADDITIONAL INFORMATION

    The information has been provided by David Litchfield
    <david@ngssoftware.com>.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
