Dailydave mailing list archives

IPP +SMB FTW


From: Dave Aitel <dave () immunityinc com>
Date: Fri, 17 Oct 2008 11:42:42 -0400

Some thoughts on the IPP vulnerability follow.

Cf. http://www.kb.cert.org/vuls/id/793233 as quoted below.
"""
IPP <http://msdn.microsoft.com/en-us/library/ms817904.aspx> is an
IP-based network protocol that allows remote printing and printer
management. On Windows 2000 and XP, IIS comes with IPP enabled by
default. IPP is optional on Windows 2003 systems. IPP by default is
configured to only allow authenticated users, however it may be
configured to allow unauthenticated connections.

The Microsoft Windows IPP component, which is provided by msw3prt.dll,
contains an integer overflow vulnerability, which results in an
overflow of heap memory. By creating a specific HTTP POST to the
vulnerable server, the IPP server will attempt to connect to a printer
that is specified by the attacker. If this printer returns a malformed
JOB_INFO_2
<http://msdn.microsoft.com/en-us/library/ms535671%28VS.85%29.aspx>
structure, the integer overflow vulnerability in IPP may be triggered,
resulting in a four-byte memory overwrite, and eventually code
execution on the IPP server.

This vulnerability is being exploited in the wild.

"""

So one thing that's interesting to see is that the CERT note on this is
the most informative of all the public notes. I still have a lot of
questions though, even after Kostya wrote up the POC for CANVAS. (Both
this bug and the SMB overflow are here:
http://www.immunityinc.com/ceu-index.shtml)

1. What platforms were being exploited in the wild? Was it the "easy
heap overflows" Windows 2000? Or the "not easy and not default" Windows
2003 and 2008? Was it XP SP2/3 on IIS 5.1?
2. Did some target have IPP set up as non-authenticated access?
3. How would you discover something like this in the wild, considering
that you can do HTTPS and possibly sealed SMB/RPC?
4. How did the attackers find this?
5. Is there a complexity limit for data flow and control flow after
which automated static analysis will fail but humans will succeed?

-dave
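As an added illustration of the bug class the CERT note describes (this is not msw3prt.dll code, which is not on the page; the four-string layout, the 0x80-byte fixed header and the sample lengths are constructed assumptions): a buffer size summed from untrusted per-field lengths in a plain 32-bit integer wraps to a small value, so the heap allocation ends up far shorter than the data later copied into it. The checked variant rejects the reply before allocating.

```c
/* Added example: integer-overflow pattern when sizing a heap buffer for a
 * JOB_INFO_2-style structure received from a remote printer. Not the real
 * msw3prt.dll logic; layout and numbers below are assumptions. */
#include <stdint.h>
#include <stddef.h>

#define NUM_STRINGS 4        /* hypothetical: printer, machine, user, document */
#define HEADER_SIZE 0x80u    /* hypothetical fixed part of the structure */

/* Constructed sample length sets, as a remote printer might report them. */
const uint32_t BENIGN_LENS[NUM_STRINGS]   = { 7u, 7u, 7u, 7u };
const uint32_t WRAPPING_LENS[NUM_STRINGS] = { 0xFFFFFFF0u, 0x10u, 0x10u, 0x10u };

/* Vulnerable pattern: header + (len + terminator) per string, summed with
 * no overflow check. With WRAPPING_LENS the sum passes 2^32 and comes back
 * as 0xA4 (164) bytes, though the strings alone exceed 4 GiB. */
uint32_t unchecked_total(const uint32_t lens[NUM_STRINGS]) {
    uint32_t total = HEADER_SIZE;
    for (int i = 0; i < NUM_STRINGS; i++)
        total += lens[i] + 1u;   /* both additions may wrap silently */
    return total;
}

/* Hardened pattern: test each addition for wrap-around before performing it.
 * Returns 0 (never a valid size, since the header is non-empty) when any
 * step would overflow, so the caller drops the reply instead of allocating
 * an undersized buffer. */
uint32_t checked_total(const uint32_t lens[NUM_STRINGS]) {
    uint32_t total = HEADER_SIZE;
    for (int i = 0; i < NUM_STRINGS; i++) {
        if (lens[i] == UINT32_MAX)          /* lens[i] + 1 would wrap */
            return 0;
        uint32_t item = lens[i] + 1u;
        if (total > UINT32_MAX - item)      /* total + item would wrap */
            return 0;
        total += item;
    }
    return total;
}
```

The same arithmetic on a 64-bit size_t would not wrap for these inputs, but an explicit bound on each field length is still needed before the allocation is trusted.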

