exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

sa2001_06.txt

sa2001_06.txt
Posted Aug 19, 2001
Site nsfocus.com

NSFOCUS Security Advisory SA2001-06 - A buffer overflow vulnerability has been found in ssinc.dll which is triggered when Microsoft IIS 4.0/5.0 when processes server side include files. An attacker could obtain SYSTEM privilege if he can save html on the server. Discussed in ms01-046.

tags | exploit, overflow
SHA-256 | 7b2deeebed5062a304ab98f09b24bf0ddac48ccb7244b9f0b55d3767555c67b4

sa2001_06.txt

Change Mirror Download
NSFOCUS Security Advisory(SA2001-06)

Topic: Microsoft IIS ssinc.dll Buffer Overflow Vulnerability

Release Date£º 2001-08-17

CVE CAN ID : CAN-2001-0506
BUGTRAQ ID : 3190

Affected system:
================

- Microsoft IIS 4.0
- Microsoft IIS 5.0

Impact:
=========

NSFOCUS Security Team has found a buffer overflow vulnerability in a dynamic
link library (ssinc.dll) of Microsoft IIS 4.0/5.0 when processing server side
include files. Exploitation of it, an attacker could obtain SYSTEM privilege.

Description£º
============

Microsoft IIS supports SSI (Server Side Include) function. IIS use ssinc.dll as
a SSI interpreter. By default setting, extensions like .stm, .shtm and .shtml
would be mapped to interpreter process (Ssinc.dll).

SSI supports "#include" directive, mostly in this form:

<!--#include file="Filename"-->

When processing "#include" directive, ssinc.dll would check for the name of
the directory under which the .shtml file resides, append it before the
include file and form a new path string.

For example:

Create a file named "test.shtml" with the following content and save it under
"wwwroot/abcd/":

<!--#include file="ABCD"-->

The new path string would be "/abcd/ABCD". Ssinc.dll would copy it to a
buffer of 0x804(2052) bytes.

When obtaining Server-side include filename from test.shtml, ssinc.dll would
perform length check for it. In case that it is longer than 0x801 bytes,
ssinc.dll would cut it to 0x801 bytes and append '\0' at the end. Thus, the
include filename (including the trailing '\0') won't be longer than 0x802(2550)
bytes.

But it does not check the length of the new path string appending current
directory name. Thus, if we set the contained filename to be a string
longer than 0x801 bytes and save "test.shtml" under a directory (name of which
is longer than 9 bytes), a buffer overflow would occur and overwrite the EBP
and EIP saved in stack completely (The trailing '\0' would overwrite the first
argument).

As ssinc.dll is running in LOCAL SYSTEM context, in case that an attacker
carefully form the overflow data, he might change the procedure flow and run
arbitrary code with SYSTEM privilege.

To launch an attack, the attacker would need the following two conditions:

1. Privilege to create file or directory under Web directory.
2. Ability to access created file through Web service.


Exploit:
==========

1. Create a file "test.shtml" with following file content:

<!--#include file="AAAA[...]AA"-->

Number of 'A' should be over 2049.

2. Create a directory "a" under Web directory.
Copy "test.shtml" to "a" directory.

3. Request "test.shtml" through web browser:
http://webhost/a/test.shtml

4. IIS would return a blank page which indicates that an overflow has occurred.
Meanwhile the trailing '\0' has overwritten the last byte of saved EBP.

On the contrary, in case that the contained file has a shorter name like
'AA', IIS would return a SSI file '/a/AA' error message when receiving
the request.



Workaround:
===================

1. Disable the write access to Web directory of untrusted user.
2. Remove .shtml, .shtm and .stm mappings if SSI service is not needed.

Vendor Status:
==============

2001.6.11 We informed Microsoft of this vulnerability.
2001.6.11 Microsoft replied that the bug has been reproduced.
2001.8.15 Microsoft has released one security bulletin(MS01-044) concerning
this flaw.

The bulletin is live at :

http://www.microsoft.com/technet/security/bulletin/MS01-044.asp

Patches are available at:

. Microsoft IIS 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32061

. Microsoft IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32011

Additional Information:
========================

The Common Vulnerabilities and Exposures (CVE) project has
assigned the name CAN-2001-0506 to this issue. This is a
candidate for inclusion in the CVE list (http://cve.mitre.org),
which standardizes names for security problems. Candidates
may change significantly before they become official CVE entries.

DISCLAIMS:
==========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENTSHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2001 NSFOCUS. All Rights Reserved. Terms of use.


NSFOCUS Security Team <security@nsfocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close