Vulnerability Development mailing list archives

Re: IIS + M$ Proxy II


From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Wed, 7 Mar 2001 23:42:08 -0600

The newdsn.exe ships with the MDAC/RDS components of IIS 4.0.  This program
allows creation of Access databases on the hard drive of the web server.
RFP's msadc.pl uses the RDS component (/msadc/msadcs.dll) to send a SQL query
to a database, containing a VBA command sequence, which the Jet DB engine
then interprets.  The VBA shell() command spawns whatever program you give as
its parameter, so RFP uses that to execute cmd.exe in his script.

As I mentioned above, the exploit uses a SQL query to launch commands.  To
run a query, you must first have a database to run the query from.  The
msadc.pl script first checks for a set of common database locations and
system DSNs, then if that fails it tries to create a new one using
newdsn.exe.  Without the corresponding msadcs.dll, the newdsn.exe program
only allows the creation of arbitrary Access databases on the web server's
disk.

The msadc.pl script is giving you an error because it is unable to access the
RDS component located at /msadc/msadcs.dll.  Try pointing your browser to
http://thehost/msadc/readme.txt and see if the file exists.  If the file does
exist, make sure that it shows version 1.5 at the top; otherwise they are
running a new version of MDAC which isn't vulnerable.

There are actually a _ton_ of cool things you can do through RDS. Even if the
Jet ODBC driver has been upgraded, you can use the RDS component to relay
exploits/SQL to other hosts on the same network, port scan hosts on the
internal network, read data from arbitrary files, and much, much more.  I
will be covering some of these techniques during my presentation at
CanSecWest (www.dursec.com); I encourage anyone who would like to know more
about compromising NT web servers to attend.

You can get more info about the msadc/RDS problem at RFP's web site:

http://www.wiretrip.net/rfp/p/doc.asp?id=29&iface=7


-HD

http://www.digitaldefense.net (work)
http://www.digitaloffense.net (play)
http://www.dursec.com (conf)




On Wednesday 07 March 2001 01:29 pm, sekure wrote:
Hi all,

I'm doing "security-tests" on a Windows NT 4.0 + SP6 + IIS 4.0 + M$ Proxy
II + SP1!!! :)
We know that M$ Proxy Server needs IIS to run...
I saw that it is not blocking requests from the Internet to IIS!! :)
Then I tried... various IIS bugs.... I used some security scanners, such as
(Cerberus, Retina, messala, DCS, twwwscan ...)!!
And I can only detect this file: xxx.xxx.xxx.xxx/scripts/tools/newdsn.exe. I
remember that it was used in msadc.pl, correct?? But it isn't
vulnerable to MSADC!!! But this file exists....! ;)
And I tried running msadc.pl against the server... and it is not running very well... it
shows me this:
"Duh! server is not running IIS" (And msadc is wrong, because it is running
IIS4).
Then I found... on www.securityfocus.com and bugtraq, about
"scripts/tools/newdsn.exe", how to exploit it, and whether it can run arbitrary
commands...
I saw an example there in this context:
xxx.xxx.xxx.xxx/scripts/tools/newdsn.exe?c=Microsoft\%2B"."Access\%2BDRIVER
\ %2B\%28*.mdb\%29\&dsn=wicca\&dbq="
But it does not work... I tested it... and it stays in wait mode for several minutes....
and when it comes back it shows me: CGI Error
The specified CGI application misbehaved by not returning a complete set of
HTTP headers. The headers it did return are:

Is the "syntax" correct?? How can I use it with cmd.exe to run arbitrary
commands??
And is this .mdb name the default?? Is that .mdb file always the same? In
case it is not, how do I discover it? And is the user/password the default??
I'm finding it on the web... but if you can help me!! :)
And about M$ Proxy 2 + SP1... I searched on the web... and I can perceive that
this is very secure, correct?? Does somebody know any buffer overflow in M$
Proxy with high risk??

Thanks for the feature. :)
Best Regards,
[ ]'s
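As an added example (not part of HD's reply, the original post, or msadc.pl): a small Python log check, from the server operator's side, that flags the three request paths this thread walks through in IIS 4.0 W3C extended log lines, the readme.txt version check HD suggests, the /msadc/msadcs.dll request whose inaccessibility is what makes msadc.pl report "Duh! server is not running IIS", and newdsn.exe called with a dsn= query. The sample log lines, the stage labels and the field order are constructed assumptions for the example.

```python
import re
from collections import Counter
# Request paths the thread names as stages of the msadc/RDS chain; the tags are
# constructed labels of ours, not anything msadc.pl itself emits.
WATCHED_PATHS = {
    "/msadc/readme.txt": "mdac-version-recon",     # version check HD suggests
    "/msadc/msadcs.dll": "rds-component",          # RDS entry point msadc.pl needs
    "/scripts/tools/newdsn.exe": "newdsn-access",  # creates .mdb files on server disk
}
# Assumed IIS 4.0 W3C extended fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
                    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$")
# Constructed sample log, not a capture from the poster's server.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-03-07 19:29:01 10.0.0.5 GET /default.htm - 200
2001-03-07 19:29:04 10.0.0.5 GET /msadc/readme.txt - 200
2001-03-07 19:29:10 10.0.0.5 POST /msadc/msadcs.dll - 404
2001-03-07 19:29:30 10.0.0.5 GET /scripts/tools/newdsn.exe c=Microsoft%2BAccess%2BDRIVER%2B%28*.mdb%29&dsn=wicca&dbq= 500
2001-03-07 19:31:00 10.0.0.9 GET /images/logo.gif - 200
"""
def parse_line(line):
    """Parse one log line into a dict; '#' header lines and junk return None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Tag a watched request (None otherwise); newdsn.exe with dsn= is a create attempt."""
    tag = WATCHED_PATHS.get(entry["stem"].lower())
    if tag == "newdsn-access" and "dsn=" in entry["query"].lower():
        tag = "newdsn-create-attempt"
    return tag

def scan(lines):
    """Return (alerts, hits per client IP) over an iterable of log lines."""
    alerts, per_ip = [], Counter()
    for line in lines:
        entry = parse_line(line)
        tag = classify(entry) if entry else None
        if tag:
            alerts.append((entry["ip"], tag, entry["stem"], entry["status"]))
            per_ip[entry["ip"]] += 1
    return alerts, per_ip
def suspicious_ips(alerts, min_stages=2):
    """Clients that touched at least min_stages distinct stages of the chain."""
    stages = {}
    for ip, tag, _stem, _status in alerts:
        stages.setdefault(ip, set()).add(tag)
    return {ip for ip, tags in stages.items() if len(tags) >= min_stages}
```

Run `scan(SAMPLE_LOG.splitlines())` and pass the alerts to `suspicious_ips` to see which client hit more than one stage; a 404 on msadcs.dll is still worth an alert, since it shows the scan ran against the host.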

