exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

AD20010501.txt

AD20010501.txt
Posted May 3, 2001
Site eeye.com

Eeye Security Advisory - Windows 2000 IIS 5.0 Remote buffer overflow vulnerability (Remote SYSTEM Level Access). Affects Microsoft Windows 2000 Internet Information Services 5.0 + Service Pack 1. The vulnerability arises when a buffer of aprox. 420 bytes is sent within the HTTP Host: header for a .printer ISAPI request. Successful attacks are not logged in the IIS access logs.

tags | remote, web, overflow
systems | windows
SHA-256 | 823ece01e6bb14f8b3fbea2b4d268322ebb462e32c5dedd81802824820639ecf

AD20010501.txt

Change Mirror Download
   Windows 2000 IIS 5.0 Remote buffer overflow vulnerability (Remote SYSTEM Level Access)
Release Date:
May 01, 2001
Severity:
High (Remote SYSTEM level code execution)
Systems Affected:
Microsoft Windows 2000 Internet Information Services 5.0
Microsoft Windows 2000 Internet Information Services 5.0 + Service Pack 1
Description:
A wise man once said, "When a single exploit is released, it's a good hack. When you are the
first to hack each successive version of a product run on millions of computers all over the
internet, you create a dynasty."
It seems sometimes the greatest discoveries are the ones that are the hardest to share with
the world. It's not about a lack of wanting to tell everyone, but a lack of not knowing
exactly how to put it so that people's jaws do not drop so fast that their heads snap back as
they realize just how fragile our world is becoming. We are slowly pushing society into the
digital world people only dreamed about years ago -- a world in which everything is being
connected and little is being done to shore up the large looming gaps that are in existence
in today's networked systems.
And without further ado... eEye Digital Security presents, "Remote SYSTEM level access to any
default Windows 2000 IIS 5.0 Web server."
The Discovery:
This bug was first discovered while Riley Hassell, of eEye Digital Security, was updating
Retina's CHAM (Common Hacking Attack Methods) technology to look for unknown vulnerabilities
within some of the new features that Windows 2000 IIS 5.0 provides. One of the features that
was added to be audited by CHAM was the .printer ISAPI filter extension. Once the .printer
ISAPI filter was added to the list of ISAPI's to audit, as well as various aspects of the new
Web DAV functionality within IIS, the latest Retina development code was let loose against a
test server in our lab. Within a matter of minutes, a debugger kicked in on inetinfo.exe
because of a "buffer overflow error."
The Explanation:
It turns out the latest development code of Retina was able to find a buffer overflow within
the .printer ISAPI filter (C:\WINNT\System32\msw3prt.dll) which provides Windows 2000 with
support for the Internet Printing Protocol (IPP) which allows for the Web based control of
various aspects of networked printers.
The vulnerability arises when a buffer of aprox. 420 bytes is sent within the HTTP Host:
header for a .printer ISAPI request.
Example:
GET /NULL.printer HTTP/1.0
Host: [buffer]
Where [buffer] is aprox. 420 characters.
At this point an attacker has sucessfully caused a buffer overflow within IIS and has
overwritten EIP. Now normally the Web server would stop responding once you have "buffer
overflowed" it. However, Windows 2000 will automatically restart the Web server if it notices
that the Web server has crashed. While the feature is nice to help create a longer period of
"up time", it is actually a feature that makes it easier for remote attacks to execute code
against Windows 2000 IIS 5.0 Web servers.
As we stated earlier, our overflow is able to overwrite the EIP register with whatever we
want. That basically means we can overwrite EIP with a location in memory that jumps to our
"exploit" code, in memory, and then executes our code with SYSTEM level access.
The Exploit:
Ryan Permeh, resident shellcode ninja of eEye Digital Security, has created an example
exploit to be used as a "proof-of-concept". Our proof-of-concept exploit will, when run
against an IIS 5 Web server, create a text document on the remote server with instructions
directing readers to a Web page on eeye.com that has information on how to patch the system
so that the Web server is no longer vulnerable to this flaw. This exploit is to only be
considered a proof-of-concept exploit and anyone with Windows 2000 should install the
Microsoft supplied patch ASAP.
Proof of concept exploit:
http://www.eeye.com/html/research/Advisories/iishack2000.c
This exploit will simply create a file in the root of drive c:\ with instructions on how to
patch your vulnerable server. If you are running Windows 2000 then please install the
Microsoft security patch and do not depend on this exploit as being a tool to test whether
your vulnerable or not because if you have not installed the patch then you are most likely
vulnerable.
We would like to note that eEye Digital Security did provide Microsoft with a working
exploit. This exploit, when ran against a Web server, will bind a cmd.exe command prompt to
an IIS remote port within seconds. This allows a remote attacker to execute commands with
SYSTEM level access and thereby have full control over the vulnerable machine.
The Log:
Actually there is no log because this vulnerability, like most IIS buffer overflows, does not
get logged. That means some of the largest Web servers on the Internet running Windows 2000
are vulnerable to this attack and when exploited, there will be no IIS log anywhere that
records the attack.
The Fallout:
As with our first remote SYSTEM level exploit for IIS 4.0 two years ago, the fallout from
this second IIS remote overflow is also rather large. Once again it does not matter what kind
of security systems you have in place, Firewalls, IDS's, etc., because all of these systems
can be bypassed and your Web server CAN be broken into via this vulnerability. To quote our
last advisory: "Even a server that's locked in a guarded room behind a Cisco Pix can be
broken into with this hole. This is a reminder to all software vendors that testing for
common security holes in your software is a must. Demand more from your software vendors."
There are millions of Windows 2000 Web servers on the Internet right now that are wide open
to this vulnerability.
The Magic:
About two weeks ago eEye Digital Security released, SecureIIS which stops both known and
unknown IIS Web server vulnerabilities. Our SecureIIS code base from about 4 weeks ago
actually stopped this latest IIS 5.0 buffer overflow vulnerability without actually knowing
anything about it. It is this power to stop both known and unknown vulnerabilities that sets
SecureIIS apart from every other security product in the market. Visit
http://www.eeye.com/SecureIIS to learn more about this ground-breaking product.
Vendor Status:
We would like to thank Microsoft for working hard with us to create a patch for this
vulnerability.
You can download the Microsoft supplied patch from:
http://www.microsoft.com/technet/security/bulletin/ms01-023.asp
Also eEye Digital Security recommends removing the .printer ISAPI filter from your Web server
if it does not provide your Web server with any _needed_ functionality.
Credit:
Discovery: Riley Hassell
Exploit: Ryan Permeh
Related Links:
Retina - The Network Security Scanner.
http://www.eeye.com/Retina
SecureIIS - HTTP Application Firewall
http://www.eeye.com/SecureIIS
Greetings:
ADM, KAM, Lamagra, Zen-parse, Barns, Angelina Jolie, Roland Postle, Attrition.
Copyright (c) 1998-2001 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not
to be edited in any way without express consent of eEye. If you wish to reprint the whole or
any part of this alert in any other medium excluding electronic medium, please e-mail
alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information
constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to
this information. In no event shall the author be liable for any damages whatsoever arising
out of or in connection with the use or spread of this information. Any use of this
information is at the user's own risk.
Feedback
Please send suggestions, updates, and comments to:
eEye Digital Security
http://www.eEye.com
info@eEye.com
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    66 Files
  • 9
    Oct 9th
    25 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    21 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close