Home page logo
/

bugtraq logo Bugtraq mailing list archives

Windows 2000 IIS 5.0 Remote buffer overflow vulnerability (Remote SYSTEM Level Access)
From: Marc Maiffret <marc () EEYE COM>
Date: Tue, 1 May 2001 13:15:10 -0700

Windows 2000 IIS 5.0 Remote buffer overflow vulnerability (Remote SYSTEM
Level Access)

Release Date:
May 01, 2001

Severity:
High (Remote SYSTEM level code execution)

Systems Affected:
Microsoft Windows 2000 Internet Information Services 5.0
Microsoft Windows 2000 Internet Information Services 5.0 + Service Pack 1

Description:
A wise man once said, "When a single exploit is released, it's a good hack.
When you are the first to hack each successive version of a product run on
millions of computers all over the internet, you create a dynasty."

It seems sometimes the greatest discoveries are the ones that are the
hardest to share with the world. Its not about a lack of wanting to tell
everyone but a lack of not knowing exactly how to put it so that peoples
jaws do not drop so fast that their head snaps back as they realize just how
fragile our world is becoming as we slowly push society into the digital
world people only dreamed about years ago. A world in which everything is
being connected and little is being done to shore up the large looming gaps
that are in existance in todays networked systems.

And without further ado... eEye Digital Security Presents, "Remote SYSTEM
level Access to any default Windows 2000 IIS 5.0 web server."

The Discovery:
This bug was first discovered while Riley Hassel, of eEye Digital Security,
was updating Retina's CHAM (Common Hacking Attack Methods) techonology to
look for unknown vulnerabilities within some of the new features that
Windows 2000 IIS 5.0 provides. One of the features that was added to be
audited by CHAM was the .printer ISAPI filter extension. Once the .printer
ISAPI filter was added to the list of ISAPI's to audit, as well as various
aspects of the new Web DAV functionality within IIS, the latest Retina
development code was let loose against a test server in our lab. Within a
matter of minutes a debugger kicked in on inetinfo.exe because of a "buffer
overflow error."

The Explanation:
It turns out the latest development code of Retina was able to find a buffer
overflow within the .printer ISAPI filter (C:\WINNT\System32\msw3prt.dll)
which provides Windows 2000 with support for the Internet Printing Protocol
(IPP) which allows for the web based control of various aspects of networked
printers.

The vulnerability arises when a buffer of aprox. 420 bytes is sent within
the HTTP Host: header for a .printer ISAPI request.

Example:
GET /NULL.printer HTTP/1.0
Host: [buffer]

Where [buffer] is aprox. 420 characters.

At this point an attacker has sucessfully caused a buffer overflow within
IIS and has overwritten EIP. Now normally the web server would stop
responding once you have "buffer overflowed" it. However, Windows 2000 will
automatically restart the web server if it notices that the web server has
crashed. While the feature is nice to help create a longer period of "up
time" it is actually a feature that makes it easier for remote attacks to
execute code against Windows 2000 IIS 5.0 web servers.

As we stated earlier our overflow is able to overwrite the EIP register with
whatever we want. That basically means we can overwrite EIP with a location
in memory that jumps to our "exploit" code, in memory, and then executes our
code with SYSTEM level access.

The Exploit:
Ryan Permeh, resident shellcode ninja, of eEye Digital Security has created
an example exploit to be used as a "proof of concept." Our proof of concept
exploit will, when run against an IIS 5 web server, create a text document
on the remote server with instructions directing readers to a webpage on
eeye.com that has information on how to patch the system so that the web
server is no longer vulnerable to this flaw. This exploit is to only be
considered a proof of concept exploit and any one with Windows 2000 should
install the Microsoft supplied patch ASAP.

Check back to our website later today as we posted a link to our proof of
concept code.

We would like to note that eEye Digital Security did provide Microsoft with
a working example exploit that when ran against a web server would, in a
matter of a few seconds, bind a cmd.exe command prompt to a port on a remote
IIS 5.0 web server so that a remote attacker could then execute commands
with SYSTEM level access and therefore have full control of the vulnerable
machine.

The Log:
Actually there is no log because this vulnerability, like most IIS buffer
overflows, does not go logged. That means some of the largest web servers on
the Internet running Windows 2000 are vulnerable to this attack and when
exploited, there will be no IIS log anywhere that records the attack.

The Fallout:
As with our first remote SYSTEM level exploit for IIS 4.0 2 years ago, the
fallout from this second IIS remote overflow is also rather large. Once
again it does not matter what kind of security systems you have in place,
Firewalls, IDS's, etc.. because all of those systems can be bypassed and
your web server CAN be broken into via this vulnerability. To quote our last
advisory "Even a server that's locked in a guarded room behind a Cisco Pix
can be broken into with this hole. This is a reminder to all software
vendors that testing for common security holes in your software is a must.
Demand more from your software vendors." There are millions of Windows 2000
web servers on the Internet right now that are wide open to this
vulnerability.

The Magic:
About two weeks ago eEye Digital Security released, SecureIIS which stops
both known and unknown IIS web server vulnerabilities. Our SecureIIS code
base from about 4 weeks ago actually stopped this latest IIS 5.0 buffer
overflow vulnerability without actually knowing anything about it. It is
this power to stop both known and unknown vulnerabilities that sets
SecureIIS apart from every other security product in the market. Visit
http://www.eeye.com/SecureIIS to learn more about this ground breaking
product.

Vendor Status:
We would like to thank Microsoft for working hard with us to create a patch
for this vulnerability.
You can download the Microsoft supplied patch from:
http://www.microsoft.com/technet/security/bulletin/ms01-023.asp
Also eEye Digital Security recommends removing the .printer ISAPI filter
from your web server if it does not provide your web server with any
_needed_ functionality.

Credit:
Discovery, Riley Hassel
Exploit, Ryan Permeh

Online Advisory:
We suggest checking back to this url over the next few days as we update the
information within it.
http://www.eeye.com/html/Research/Advisories/AD20010501.html

Related Links:
Retina - The Network Security Scanner.
http://www.eeye.com/Retina

SecureIIS - HTTP Application Firewall.
http://www.eeye.com/SecureIIS

Greetings:
ADM, KAM, Lamagra, Zen-parse, Barns, Angelina Jolie, Roland Postle,
Attrition.

Copyright (c) 1998-2001 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail alert () eEye com for
permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info () eEye com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]