execution by WriteToFile? (was Re: New mediaservices sploit)

[Max Vision <vision () whitehats com>]

Hi,

I don't have a solution for you sorry, but a few ideas, and please forgive
me for not having tested them before posting. :)

Overwrite drwatson and then overwrite something else that will cause a
crash, thus spawning your code?  Overwrite the backup of a system file in
dllcache, and then clobber the active one, and let windows file protection
spring in to "restore" the file you planted in dllcache.. some system file
that gets run periodically on a server?  dlls?  And what of the
application itself?  Can you clobber tree.xms?  What about the libraries
it's using that contain http:WriteToFile, etc?  Maybe you do have
something akin to cgi there... drop a tree2.xms that does something else
(I don't know what abilities are available in xms, actually I don't even
know what that is.. xml related? Is this a publicly available product?
neocore? hp?)  Is xms the only extension that has a handler in that
install of apache?  What happens if there is an exe, pl, com, bat, pif,
scr, etc in the same dir and gets accessed? (i guess thats the same
question twice)  Is /plugins/framework/script/tree.xms a file sitting
there, or is that some virtual reference inside a jar file or something?

As for the general puzzle you are asking about, aren't there services or
processes that dynamically load dll's as needed, or that only get run at
certain times (preferably in reaction to you writing a file somewhere on
the filesystem)?  Running filemon.exe for a few minutes on a server shows
all kinds of read activity by csrss.exe, svchost.exe etc..
c:\winnt\tasks looks fertile, but I guess you have already looked at both
the Task Scheduler and AT apis?  What was that bit about "now that
signatures are embedded" I'm not familiar with it - does that mean there
is an old and new job format - if so maybe there is some way to force
usage of the old style?  I have heard of so many cases of remote
administration where the admin will copy a .job file across to many
machines - there must be some way for this to work.  !!  Is that a win2k3
problem you are referring to?  I know a little about the .job files, but
don't know where the AT jobs are stored.. I created an AT job and there
weren't any changes or additions to the filesystem or registry to match
it.  (I suppose a bit of reading would help me there)  WMI stuff?  Maybe
dropping a .cpl file would cause it to be automatically read/processed?
(looks like no)  Or some other file - fonts?  Drop a new font and this
causes some exe to run (that could have been clobbered)?  (looks like no)
ok I'm stretching.  Let you know if I find something.  Good puzzle.

:)
Max

> Bonus points to anyone who can find a better way to exploit the unnamed
> bug^H^H^Hfeature below, without being dependent on an alternate web
> service or third-party software. The goal is instant command execution
> through writing a file to the system with arbitrary (even binary)
> contents. Writing to autoexec, startup, etc doesn't work since it
> requires user interaction. Assuming Windows 2000 or newer. Writing ".job"
> files to \winnt\tasks doesn't work now that signatures are embedded
> (thanks Brett for info).
>
> GET /plugins/framework/script/tree.xms?obj=httpd:WriteToFile
> ([$__installdir$]conf/portlisten.conf,Listen%208000%0A%0DAccessLog
> %20"|../../../../../../winnt/system32/cmd.exe%20/c%20
> net%20user%20P%20P%20/ADD"%0A%0D HTTP/1.0

...

> It is a stripped down Apache2 install, no mod_cgi, no mod_ssi. Assume the
> system is firewalled both ways and there are no third-party or
> system-installed web services (besides this one). The NTLM hijack is
> simple, but there are a dozen other ways to do it, I was wondering if
> anyone knew how to execute a command simply by writing a file to the OS
> somewhere. I beat my head against it off and on for a couple months, was
> wondering if anyone had some r33t tknqz  to share :)


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave