[NT] Switch Off Multiple Vulnerabilities
From: SecuriTeam (support_at_securiteam.com)
Date: 01/05/04
To: list@securiteam.com Date: 5 Jan 2004 11:13:16 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Switch Off Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://yasoft.km.ru/eng/switchoff/> Switch Off is "a tiny easy-to-use
tray-based system utility that can automatically perform various
frequently used operations like shutdown or restart your computer,
disconnect your current dialup connection, lock workstation, etc". The
program suffers from two vulnerabilities: a denial of service and a
stack-based buffer overflow.
DETAILS
Denial of Service:
It seems that sending an overly long packet of data (around 10240 bytes or
so, followed by two CrLfs) on port 8000/tcp will cause the Switch Off
application to enter an infinite loop. The faulty code lies in the
attached module 'swnet.dll'. This will enable an attacker to cause the
target system's CPU usage to climb to 100% and the application will deny
any further requests from clients.
Stack-based Buffer Overflow:
There also exists a remotely exploitable buffer overflow within code
contained in the module 'swnet.dll' which could enable an attacker to
execute arbitrary code on the remote system - possibly with SYSTEM
privileges (depending on the method of startup chosen by the
administrator).
The only major problem present is the fact that the remote attacker must
have already gained the login password from another source to be able to
cause the server to execute a specially crafted request which will trigger
the overflow, so the exploitability of this flaw is fairly limited.
While it is still possible that an administrator will not have set a
password on the server, it is highly unlikely, since it is certainly not
something that you would wish anyone to have unauthorized access to.
The overflow can be caused by supplying an overly long 'message' parameter
to the application by issuing a request similar to the following:
http://127.0.0.1:8000/action.htm?action=SendMsg&message=('a'x256)('XXXX')
If a password has been set, you will have to have logged in to the server
before issuing a malicious request to cause the overflow.
Analysis of the Vulnerable Code:
To perform this code analysis Peter had to decompress the executable
module 'swnet.dll' which is attached to 'swoff.exe' at execution time. If
you wish to follow this code breakdown for yourself, please run UPX on the
module in question before disassembling.
'upx -d swnet.dll'
The procedure (found at 10002B80) which causes the overflow is called from
10003382. The return address 10003387 is placed on the stack at the
address 0012FE40.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000331C(C)
|
:1000337C 83FF02          cmp edi, 00000002
:1000337F 750E            jne 1000338F
:10003381 53              push ebx
:10003382 E8F9F7FFFF      call 10002B80
:10003387 83C404          add esp, 00000004
:1000338A E9A3000000      jmp 10003432
In the procedure 10002B80, at offset 10002FEF, data is copied with no
bounds check until the ecx register reaches zero (ecx holds the length of
our 'message' divided by the length of a dword). The ecx register is
decremented after each repetition of the 'movsd' instruction. This
unchecked copy causes the 'message' data to run past the memory allocated
for the buffer and overwrite the saved return address of the procedure
being executed.
:10002FE4 2BF9            sub edi, ecx
:10002FE6 8BC1            mov eax, ecx
:10002FE8 8BF7            mov esi, edi
:10002FEA 8BFA            mov edi, edx
:10002FEC C1E902          shr ecx, 02
:10002FEF F3A5            repz movsd
:10002FF1 8BC8            mov ecx, eax
:10002FF3 83E103          and ecx, 00000003
Finally, once the procedure has finished, the overwritten saved return
address is popped off the stack by the 'ret' instruction at 10003256.
:10003243 83C404          add esp, 00000004
:10003246 5F              pop edi
:10003247 5E              pop esi
:10003248 5D              pop ebp
:10003249 C70101000000    mov dword ptr [ecx], 00000001
:1000324F 5B              pop ebx
:10003250 81C4E4010000    add esp, 000001E4
:10003256 C3              ret
After this point we have complete control over the address at which code
execution continues, and can use this to whatever malicious ends we desire!
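To make the missing check concrete, the copy loop above can be written out in C. The following is an added example for this page, not code from Switch Off, swnet.dll or the original advisory: MSG_CAP and the function names are assumptions, and the handler keeps the disassembly's dword-then-byte copy phases but refuses any 'message' that would not fit in the destination buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the handler's fixed buffer. Constructed value: the advisory
 * gives the frame size (0x1E4) but not the buffer's exact length. */
#define MSG_CAP 256

/* Bounded counterpart of the copy at 10002FEF. The disassembly computes
 * ecx = len >> 2 and runs 'rep movsd', then copies len & 3 leftover bytes,
 * with nothing comparing len against the destination. The same two phases
 * are kept here, but a 'message' that does not fit (leaving room for the
 * terminator) is refused. Returns bytes copied, or -1 on error. */
int copy_message(char *dst, size_t cap, const char *src, size_t len)
{
    if (dst == NULL || src == NULL || cap == 0)
        return -1;
    if (len >= cap)               /* the check swnet.dll lacks */
        return -1;

    size_t dwords = len >> 2;     /* shr ecx, 02 */
    size_t tail   = len & 3;      /* and ecx, 03 */
    size_t i;

    for (i = 0; i < dwords; i++)  /* rep movsd */
        memcpy(dst + 4 * i, src + 4 * i, sizeof(uint32_t));
    for (i = 0; i < tail; i++)    /* rep movsb for the remainder */
        dst[4 * dwords + i] = src[4 * dwords + i];

    dst[len] = '\0';
    return (int)len;
}

/* Pull the 'message' value out of a query string such as
 * "action=SendMsg&message=hello" and copy it with the bound above.
 * Returns the value length, or -1 if the parameter is absent or too long. */
int extract_message(const char *query, char *out, size_t cap)
{
    static const char key[] = "message=";
    const char *p = strstr(query, key);
    if (p == NULL)
        return -1;
    p += sizeof(key) - 1;
    const char *end = strchr(p, '&');
    size_t len = end ? (size_t)(end - p) : strlen(p);
    return copy_message(out, cap, p, len);
}

/* Rebuild the advisory's request ('a' x 256 followed by "XXXX") as a
 * constructed input and report whether the bounded handler rejects it. */
int overlong_message_rejected(void)
{
    static const char prefix[] = "action=SendMsg&message=";
    char query[320];
    char out[MSG_CAP];
    size_t off = sizeof(prefix) - 1;
    memcpy(query, prefix, off);
    memset(query + off, 'a', 256);
    memcpy(query + off + 256, "XXXX", 5);   /* includes the NUL terminator */
    return extract_message(query, out, sizeof out) == -1;
}

int main(void)
{
    char out[MSG_CAP];
    int n = extract_message("action=SendMsg&message=hello", out, sizeof out);
    printf("short message: %d bytes (%s)\n", n, out);
    printf("overlong message rejected: %s\n",
           overlong_message_rejected() ? "yes" : "no");
    return 0;
}
```

The bound is checked once, before the copy, against the caller's capacity rather than against the input length, which is the one comparison the disassembled routine never makes.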
Proof of Concept Code:
The DoS condition can be exploited by creating a file of 10240 bytes,
followed by two CrLfs (carriage return, line feed), with the file size
totaling 10244 bytes. Sending this file through netcat should cause the
server to stop responding:
perl -e "print 'a'x10240 . chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a);" > DoS.txt
nc 127.0.0.1 8000 < DoS.txt
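The defensive counterpart of the denial of service above is a request-line reader that bounds how far it scans for the CRLF terminator, so an overlong line is rejected instead of keeping the server busy. This is an added example, not code from the product or the advisory: MAX_LINE and the function names are assumptions, and check_dos_payload() builds the same 10240-byte-plus-two-CRLF input the PoC describes as a constructed buffer to show it being refused.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed limit for this example: longest request line accepted,
 * excluding the CRLF. */
#define MAX_LINE 1024

/* Scan in[0..in_len) for the first CRLF, looking no further than MAX_LINE
 * bytes ahead. Returns the line length (copied into out, NUL-terminated),
 * -1 when the line is longer than MAX_LINE or does not fit in out, and -2
 * when the terminator has not arrived yet (the caller may wait for more
 * data, up to the same limit). Without the limit a reader has no reason
 * to stop on the 10240-byte input the advisory describes. */
int read_request_line(const char *in, size_t in_len, char *out, size_t cap)
{
    size_t limit = in_len < MAX_LINE + 2 ? in_len : MAX_LINE + 2;
    size_t i;
    for (i = 0; i + 1 < limit; i++) {
        if (in[i] == '\r' && in[i + 1] == '\n') {
            if (i >= cap)
                return -1;
            memcpy(out, in, i);
            out[i] = '\0';
            return (int)i;
        }
    }
    return in_len >= MAX_LINE + 2 ? -1 : -2;
}

/* Build the PoC input (10240 'a' bytes then CRLF CRLF, 10244 bytes in all)
 * as a constructed buffer and return what the bounded reader says about it. */
int check_dos_payload(void)
{
    static char payload[10244];
    char line[MAX_LINE + 1];
    memset(payload, 'a', 10240);
    memcpy(payload + 10240, "\r\n\r\n", 4);
    return read_request_line(payload, sizeof payload, line, sizeof line);
}

/* A well-formed request line for comparison. */
int check_normal_request(void)
{
    static const char req[] = "GET /action.htm?action=Lock HTTP/1.0\r\n\r\n";
    char line[MAX_LINE + 1];
    return read_request_line(req, sizeof(req) - 1, line, sizeof line);
}

int main(void)
{
    printf("PoC payload: %d (-1 = rejected as overlong)\n", check_dos_payload());
    printf("normal request line: %d bytes\n", check_normal_request());
    return 0;
}
```

A server using this reader closes the connection on -1; it never re-enters the scan for the same bytes, which is what the advisory's 100% CPU symptom points to.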
ADDITIONAL INFORMATION
The original advisory is available at:
<http://www.elitehaven.net/switchoff.txt>
The information has been provided by <mailto:peter4020@hotmail.com> Peter
Winter-Smith.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.