Vulnerability Development mailing list archives
Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)
From: Markus Kern <markus-kern () gmx net>
Date: Wed, 05 Sep 2001 18:31:52 +0200
DerHexXer () gmx net wrote:
> @Markus Kern: Thank you for sharing this great piece of code ... ... it actually is a great solution (a much better one than mine) for the problem I was addressing.
umm, thanks :) I'd like to have your knowledge of assembler though...
> Let me summarize what your code does:
> Host [A] is compromised by CodeRedI/II. Host [B] has your CRclean.dll isapi-filter installed (either installed by user or automated).
> Host [A] sends out exploit plus CodeRed to random addresses and hits Host [B]. Host [B] counters this infection attempt by sending its own exploit (CRclean.asm).
> * Host [A] downloads CRclean.dll from Host [B]
> * Host [A] executes CRclean.dll via rundll32 (func 'run') with system privileges.
> This is what happens then: (we are now in func 'run' from CRclean.dll.)
> * determines OS version
> * load needed dlls
> * download and apply patch (determine lang, dl patch, execute it, terminate hotfix.exe, cleanup tempdir)
> * remove CRII (delete explorer.exe, remove root.exe, reenable fileprotection, cleanup registry [mapping backdoors])
> * add CRclean.dll isapi-filter (registry)
> * restart iis (iisrestart.exe /restart /timeout:30)
> After new filter is installed, Host [A] will join the fight against CodeRed.
That's exactly how it works.
> Again ... this is a great solution, but I think that there are several problems in your code:
> a) rundll32 is called with system privileges. I had some problems while accessing the registry with system privileges. It might be possible that CRclean is not able to install itself as a new filter.
I tested the worm on a box with the German version of Windows 2000 Server and didn't encounter any problems with registry access.
> b) If on Host [A] one of the CRII explorer.exe backdoors is running, this file can't be deleted (and can't be terminated via TerminateProcess [GetLastError: 5 (access denied)]).
The explorer.exe backdoor is started by the next user who logs in, most likely that's the administrator so it runs with admin privileges. The DLL runs with system privileges since it's spawned by IIS. The DLL first calls FindProcess() which retrieves a list of running processes and searches this list for processes with an executable path of "c:\explorer.exe" and "d:\explorer.exe". The handle returned by FindProcess() is opened with PROCESS_TERMINATE access and is used in a call to TerminateProcess(). The file attributes are then set to FILE_ATTRIBUTE_NORMAL so it can be deleted using DeleteFile(). Again this worked absolutely fine when I tested it.
> The main problem (isapi-filter bufferoverrun vulnerability) is solved,
To make this clear for all, CRclean is not designed to prevent exploit code from reaching idq.dll. The filtering in HttpFilterProc() is easily circumvented by hex-encoding the request. Its purpose is only to *detect* *CodeRed* intrusion attempts. That basically means that when the patch installation fails for some reason you're still vulnerable to non-CodeRed exploits using the same bug.
> but there still remain the backdoors CRII injected on many systems. You should test your code under "in-the-wild" conditions.
Well, I'm a poor student and don't have the resources to set up a lab with dozens of differently configured systems... And "testing in the wild" doesn't sound like a good idea to me ;)
> @Stanley Bubrouski:
Huh? Did I miss something here? I don't know who Stanley Bubrouski is so I won't comment on anything here.
<snip: Der HexXer's responses to Stanley Bubrouski>
regards,
Markus Kern
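The distinction Markus draws above, that a raw substring filter in HttpFilterProc() is sidestepped by hex-encoding yet still works as a CodeRed detector, shown as an added C example that is not part of this thread or of CRclean: a naive matcher beside one that percent-decodes the request first. The /default.ida? path and the N/X padding are the widely published CodeRed request signature; the MIN_FILL threshold, the %u9090 marker and the sample requests are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MIN_FILL 32   /* shortest N/X padding run treated as a probe (assumed threshold) */
/* Percent-decode one level. Malformed escapes and %uXXXX are not %hh escapes, so pass through. */
static void url_decode(const char *in, char *out, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; in[i] != '\0' && n + 1 < cap; i++) {
        if (in[i] == '%' && isxdigit((unsigned char)in[i + 1]) &&
            isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            out[n++] = (char)strtoul(hex, NULL, 16);
            i += 2;
        } else {
            out[n++] = in[i];
        }
    }
    out[n] = '\0';
}
/* Naive detector: substring match on the raw request line, the kind of check the mail says
 * hex-encoding defeats. CodeRed I pads the query with 'N', CodeRed II with 'X'. */
int codered_naive(const char *url) {
    const char *p = strstr(url, "/default.ida?");
    if (p == NULL) return 0;
    p += strlen("/default.ida?");
    char fill = *p;
    if (fill != 'N' && fill != 'X') return 0;
    size_t run = 0;
    while (p[run] == fill) run++;
    return run >= MIN_FILL;
}
/* Hardened detector: normalise the request first, then apply the same signature. */
int codered_decoded(const char *url) {
    char buf[4096];
    url_decode(url, buf, sizeof buf);
    return codered_naive(buf);
}
/* Constructed sample requests (not captured traffic), built at runtime to avoid long literals. */
char g_plain[1024], g_encoded[1024];
static void make_probe(char *out, size_t cap, const char *path, const char *fill, int n) {
    snprintf(out, cap, "%s", path);
    for (int i = 0; i < n && strlen(out) + strlen(fill) + 1 < cap; i++) strcat(out, fill);
    strncat(out, "%u9090", cap - strlen(out) - 1);   /* %u-encoded payload start, left as-is */
}
void build_samples(void) {
    make_probe(g_plain, sizeof g_plain, "/default.ida?", "N", 64);         /* plain worm request */
    make_probe(g_encoded, sizeof g_encoded, "/default%2Eida?", "%4E", 64); /* same, hex-encoded */
}
```

The hardened check decodes a single level only, so a doubly encoded request would still slip past it; a filter meant to match what idq.dll actually receives has to normalise the way IIS does before comparing.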
Current thread:
- CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Herbert HexXer (Sep 01)
- Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Markus Kern (Sep 01)
- Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Stanley G. Bubrouski (Sep 05)
- <Possible follow-ups>
- RE: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Paige, Randall (Sep 04)
- Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Markus Kern (Sep 04)
- Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) DerHexXer (Sep 05)
- Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Markus Kern (Sep 05)
- Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Meritt James (Sep 05)
- Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Blue Boar (Sep 05)
- Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Blue Boar (Sep 05)
- Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Stanley G. Bubrouski (Sep 05)
- Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Blue Boar (Sep 05)
- Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Jonathan Rickman (Sep 05)
- CodeGreen free? // Re: Re: AW: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Steinhart Alexander (Sep 07)
- RE: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) t. patrick o'hara (Sep 05)
- Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Blue Boar (Sep 05)
- Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Markus Kern (Sep 06)
- Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Markus Kern (Sep 05)