[NT] NetMeeting Directory Traversal Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 07/06/03

    To: list@securiteam.com
    Date: 6 Jul 2003 20:09:44 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security in Canada

    Toronto-based Sunrays Technologies is now Beyond Security's representative in Canada.
    We welcome ISPs, system integrators and IT systems resellers
    to promote the most advanced vulnerability assessment solutions today.

    Contact us at 416-482-0038 or at canadasales@beyondsecurity.com

    - - - - - - - - -

      NetMeeting Directory Traversal Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    Windows NetMeeting is a popular application used to hold audio and video
    conferences between groups of people. One of its features is "File
    Transfer" which lets you send one or more files in the background during a
    NetMeeting conference.

    A directory traversal vulnerability was found in NetMeeting when doing
    File Transfers. An attacker can use filenames containing "..\..\" when
    doing a file transfer, and in this manner, create a file in any place of
    the victim's filesystem, escaping the directory where NetMeeting usually
    stores incoming files (e.g. C:\Program Files\Received\Received Files).

    This makes it possible to force the execution of arbitrary code on
    vulnerable systems.

    DETAILS

    Vulnerable Packages:
     * NetMeeting version 3.01 (4.4.3385). Other versions may also be
       vulnerable.

    CORE has found a directory traversal vulnerability in NetMeeting when
    doing File Transfers. An attacker can use filenames containing "..\..\"
    when doing a file transfer, and in this manner, create a file in any place
    of the victim's file system, escaping the directory where NetMeeting
    usually stores incoming files (e.g.: C:\Program Files\Received\Received
    Files). An attacker cannot overwrite already existing files.
     
    A dialog box appears at the end of the file transfer, which can alert the
    user to the malicious action (the dialog box is not closed automatically).
    However, the user is not prompted to accept or reject the file transfer,
    and since NetMeeting conferences can be shut down by sending malformed
    packets (for example, by arbitrarily fuzzing the data sent in packets
    exchanged during a chat conversation), the action can be hidden from the
    user. We are also investigating a certain succession of packets that may
    prevent the dialog box from appearing at all.
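    The root cause described above is a receive path built by joining the peer-supplied
    file name to the "Received Files" directory without checking it. The following is
    an added example, not part of the CORE advisory and not NetMeeting's code: the
    flawed join beside the validation a receiver should apply. It uses Python's ntpath
    and PureWindowsPath so it runs on any operating system; the receive directory is
    the one the advisory names, and the sample names (the advisory's example file, the
    traversal form from its reproduction steps, and a few other shapes) are constructed.

```python
import ntpath
import re
from pathlib import PureWindowsPath

# Directory NetMeeting stores incoming files in, as named in the advisory.
RECEIVED_DIR = r"C:\Program Files\Received\Received Files"

# Characters Windows forbids in a file-name component, plus control characters.
_BAD_CHARS = re.compile(r'[<>:"/\\|?*\x00-\x1f]')
# Device names reserved regardless of extension ("CON.txt" still names the console).
_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
             | {f"COM{i}" for i in range(1, 10)}
             | {f"LPT{i}" for i in range(1, 10)})


def naive_destination(received_dir: str, name: str) -> str:
    """The flawed behaviour the advisory describes: the peer-supplied name is
    joined to the receive directory unchecked, so '..' components walk out of
    it.  normpath is applied only to show where the file really lands."""
    return ntpath.normpath(ntpath.join(received_dir, name))


def is_inside(received_dir: str, path: str) -> bool:
    """Lexical containment check: True if path is received_dir or lies beneath it."""
    base = ntpath.normcase(ntpath.normpath(received_dir)).rstrip("\\")
    target = ntpath.normcase(ntpath.normpath(path))
    return target == base or target.startswith(base + "\\")


def safe_destination(received_dir: str, name: str) -> str:
    """Accept only a single bare file-name component and return its location
    under received_dir; anything else raises ValueError."""
    p = PureWindowsPath(name)
    if p.drive or p.root:
        raise ValueError(f"absolute, UNC or drive-relative name: {name!r}")
    # pathlib drops '.' components and keeps '..', so a clean name has exactly
    # one part that is identical to the raw string (this also catches 'x\').
    if len(p.parts) != 1 or p.name != name or name == "..":
        raise ValueError(f"name is not a single path component: {name!r}")
    if _BAD_CHARS.search(name) or name != name.rstrip(" ."):
        raise ValueError(f"illegal characters or trailing space/dot: {name!r}")
    if name.split(".")[0].upper() in _RESERVED:
        raise ValueError(f"reserved device name: {name!r}")
    dest = ntpath.join(received_dir, name)
    # Belt and braces: the result must still lie under the receive directory.
    if not is_inside(received_dir, dest):
        raise ValueError(f"destination escaped receive directory: {dest!r}")
    return dest


def triage(received_dir: str, names: list[str]) -> dict[str, tuple[str, bool, str]]:
    """For each peer-supplied name: where the naive join puts it, whether that
    is inside the receive directory, and the hardened function's verdict."""
    results = {}
    for name in names:
        naive = naive_destination(received_dir, name)
        try:
            safe_destination(received_dir, name)
            verdict = "accepted"
        except ValueError as exc:
            verdict = f"rejected: {exc}"
        results[name] = (naive, is_inside(received_dir, naive), verdict)
    return results


# Constructed sample names: the advisory's example file, the traversal form
# from its reproduction steps, and a few other shapes a peer could send.
SAMPLE_NAMES = [
    "example_example_example.txt",
    r".\..\..\xample_example.txt",
    r"..\..\..\elsewhere.txt",
    r"C:\elsewhere.txt",
    "report.txt ",
    "CON.txt",
]

if __name__ == "__main__":
    for name, (naive, inside, verdict) in triage(RECEIVED_DIR, SAMPLE_NAMES).items():
        print(f"{name!r:36} -> {naive} (inside={inside}) {verdict}")
```

    The containment check at the end of safe_destination is deliberately redundant with
    the component checks before it: the whitelist of "one bare component" is the real
    control, and the lexical check is there so that a later change to how the name is
    joined cannot silently reopen the traversal.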

    How to reproduce this vulnerability:

     - Start a NetMeeting conversation between two peers
     - Click on the "Transfer Files" button
     - Click on the "Add Files..." button and choose any file (e.g.:
       example_example_example.txt)
     - Attach a debugger to the NetMeeting process (conf.exe) and put a
       breakpoint on ws2_32!send (e.g.: ntsd -p <conf's pid> / bp send )
     - Click on the "Send All" button
     - The breakpoint set on ws2_32!send() will start popping up.
     - Examine the stack, obtain the address of the buffer sent to the
       send() function, and examine its content
     - Look for the packet containing the name of the file being sent (e.g.:
       example_example_example.txt)
     - You're going to find two packets containing the filename; modify both
       packets with the debugger so that example_example_example.txt becomes
       .\..\..\xample_example.txt
     - Let the process continue both times, and let the file transfer finish.
     - Now you can go to the root directory of the drive, and you'll see the
       file sent there instead of the "Received Files" directory.
     
    Of course, a debugger is not needed to exploit the vulnerability. It is
    just a convenient way to reproduce the vulnerability.

    CORE also found that by sending malformed packets at several different
    moments during a connection, all participants or a specific participant
    can be thrown out of the conversation. This is not a big issue per se, but
    it could help to hide malicious actions such as the one described above
    (one can send the file and, immediately after, make the victim's
    NetMeeting drop the connection, which will make the file transfer's dialog
    box disappear).

    This vulnerability allows an attacker to execute arbitrary code. For
    instance, she can upload a specially crafted DLL with the name of one of
    the DLLs used by NetMeeting into the NetMeeting directory. The next time
    NetMeeting is executed, the system will try to load these DLLs first from
    the current directory, and then from C:\winnt\system32. So the system will
    load the attacker's DLL and execute arbitrary code upon the next execution
    of NetMeeting. Another possibility is to upload an executable file into
    the startup directory of Win9x. That file will be executed the next time
    the user starts Win9x.
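    Because the loader tries the application directory before the system
    directory, the planted-DLL outcome above leaves a simple trace: a DLL next
    to the executable whose name matches one in the system directory. The
    following is an added example, not from the advisory or from NetMeeting,
    of a check a defender can run for exactly that. The directory layout is
    constructed in a temporary directory, the DLL names are placeholders, and
    the file contents are stand-ins rather than real PE images.

```python
import tempfile
from pathlib import Path


def shadowed_dlls(app_dir: str, system_dir: str) -> list[str]:
    """Return the names of DLLs in app_dir that also exist in system_dir.
    The loader tries the application directory before the system directory,
    so any such file would be loaded instead of the system copy.  Names are
    compared case-insensitively because Windows file-name lookups are."""
    system_names = {p.name.lower() for p in Path(system_dir).iterdir()
                    if p.is_file() and p.suffix.lower() == ".dll"}
    return sorted(p.name for p in Path(app_dir).iterdir()
                  if p.is_file() and p.suffix.lower() == ".dll"
                  and p.name.lower() in system_names)


def build_demo_tree(root: str) -> tuple[str, str]:
    """Constructed layout standing in for an application directory and the
    system directory; the file contents are placeholders, not real DLLs."""
    app = Path(root, "NetMeeting")
    system = Path(root, "system32")
    app.mkdir()
    system.mkdir()
    for name in ("common.dll", "helper.dll"):
        (system / name).write_bytes(b"MZ")
    (app / "conf.exe").write_bytes(b"MZ")
    # The application's own DLL: no system twin, so not reported.
    (app / "private.dll").write_bytes(b"MZ")
    # An unexpected copy of a system DLL next to the executable: reported.
    (app / "COMMON.DLL").write_bytes(b"MZ")
    return str(app), str(system)


def run_demo() -> list[str]:
    """Build the sample tree and return the DLLs that would shadow a system DLL."""
    with tempfile.TemporaryDirectory() as tmp:
        app, system = build_demo_tree(tmp)
        return shadowed_dlls(app, system)


if __name__ == "__main__":
    print("DLLs that would shadow a system DLL:", run_demo())
```

    On a real host the same function would be pointed at the application's
    install directory and the system directory; a hit is not proof of
    compromise (some applications legitimately ship private copies), but it is
    the file an administrator should inspect and hash first.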

    Solution/Vendor Information/Workaround:
    The fix for this issue is included in Windows 2000 SP4 and Windows XP SP1,
    available from:

    Windows 2000 Service Pack 4
    http://www.microsoft.com/Windows2000/downloads/servicepacks/sp4/

    Windows XP (Professional and Home edition) Service Pack 1
    http://www.microsoft.com/WindowsXP/pro/downloads/servicepacks/sp1/

    Windows Server 2003 does not ship with a vulnerable version of NetMeeting.

    Vendors contacted:
     - Microsoft
        . Core Notification: 2003-05-21
        . Notification acknowledged by Microsoft: 2003-05-21
        . Issue fixed in Windows 2000 SP4: 2003-06-26

    ADDITIONAL INFORMATION

    The original advisory can be downloaded from:
    http://www.coresecurity.com/common/showdoc.php?idx=351&idxseccion=10

    The information has been provided by CORE Security Technologies
    Advisories (advisories@coresecurity.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

