COMMAND
IIS
SYSTEMS AFFECTED
IIS 4
PROBLEM
Marc Maiffret found the following. There exists a buffer overflow,
exploitable to gain SYSTEM-level access, within the IIS
(Internet Information Server) .ASP ISAPI file parsing mechanism.
This is not a remote exploit but a local one (however, we explain
later in the advisory how you _could_ pull this exploit off
remotely). It is local in the sense that you need to actually
create an "evil" .asp file that, when parsed by IIS, causes
inetinfo.exe to overflow and therefore lets you take control of
the local server as SYSTEM.
So who is affected by this? Any web hosting company or internet
service provider that is running multiple clients within the same
NT4 IIS 4 web server. Basically any client (or attacker) who can
update their website, i.e. upload a new default.asp or
anything.asp, can then execute code as SYSTEM and therefore take
complete control of your server. They could then do whatever
they want to any of the other client websites hosted on that NT4
server. They could also install sniffers or crack passwords to
further their control of your network.
Anyone with $20 to spend can potentially break into any web
hosting company or internet service provider running NT4+IIS4.
Simply buy an account with a web hosting company, upload your
evil.asp and request that evil.asp from your website, i.e.
http://www.badguy.com/evil.asp
and you're executing code on that server as SYSTEM.
Here is an example .asp file that will cause NT4+IIS4's
inetinfo.exe to overflow.
<SCRIPT LANGUAGE="[buffer]" RUNAT="Server">
</SCRIPT>
Where [buffer] is 2220 characters or more. Yes, this overflow is
exploitable. See section below.
So you don't have $20 to spend, or the server does not host other
people's websites? What then? Well, there are going to be
situations where a remote attack is possible.
An example situation would be a server that has a guest
book/message board system that does not strip out SCRIPT tags
when it writes posts into the .asp file it serves back. An
attacker could go to the web board and, within the "Enter your
message here:" box (or whatever), simply paste in the contents of
the script language overflow and submit the message. Then, once
they requested the .asp file that contains that message (the
embedded overflow), IIS would parse that .asp file, overflow, and
execute their code.
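The check both of the situations above call for, as an added example that is not code from eEye's advisory or from Microsoft: a small C scanner that a hosting provider could run over uploaded .asp files, or a message board could run over a post before writing it into a served .asp file, to flag a SCRIPT tag whose LANGUAGE attribute is long enough to trip the overflow. The 2220-byte threshold is the advisory's own figure; the tag and attribute parsing is a simplified model of how such a file looks, not IIS's parser, and the sample pages (BENIGN_ASP, UNQUOTED_ASP, and the filler-built trigger in sample_is_flagged) are constructed here.

```c
/*
 * Added example (not eEye's exploit code and not Microsoft's parser): scan
 * .asp source for the <SCRIPT LANGUAGE="..."> shape this advisory describes.
 * The 2220-byte threshold is the figure given in the advisory; the tag and
 * attribute parsing below is a simplified model, not how IIS parses a file.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LANGUAGE_OVERFLOW_LEN 2220

/* Constructed samples: a normal server-side script tag, quoted and unquoted. */
const char BENIGN_ASP[] =
    "<%@ Language=VBScript %>\r\n"
    "<SCRIPT LANGUAGE=\"VBScript\" RUNAT=\"Server\">\r\n"
    "Response.Write(\"hello\")\r\n"
    "</SCRIPT>\r\n";
const char UNQUOTED_ASP[] = "<script language=jscript runat=server></script>";

/* Case-insensitive search for needle within the first n bytes of hay. */
static const char *memcasestr(const char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++) {
        size_t j = 0;
        while (j < m && tolower((unsigned char)hay[i + j]) ==
                        tolower((unsigned char)needle[j]))
            j++;
        if (j == m) return hay + i;
    }
    return NULL;
}

/* First '>' that is not inside a quoted attribute value, or end. */
static const char *find_tag_end(const char *p, const char *end) {
    char quote = 0;
    for (; p < end; p++) {
        if (quote) { if (*p == quote) quote = 0; }
        else if (*p == '"' || *p == '\'') quote = *p;
        else if (*p == '>') return p;
    }
    return end;
}

/*
 * Length in bytes of the longest LANGUAGE= attribute value found in any
 * <SCRIPT ...> tag of src, or 0 if there is none. An unterminated value is
 * counted up to the end of the tag (or of the input), so a payload with no
 * closing quote or '>' is still measured.
 */
size_t longest_script_language(const char *src, size_t len) {
    size_t longest = 0;
    const char *p = src, *end = src + len;
    for (;;) {
        const char *tag = memcasestr(p, (size_t)(end - p), "<script");
        if (!tag) break;
        const char *tag_end = find_tag_end(tag, end);
        const char *attr = memcasestr(tag, (size_t)(tag_end - tag), "language=");
        if (attr) {
            const char *v = attr + strlen("language=");
            char quote = 0;
            if (v < tag_end && (*v == '"' || *v == '\'')) quote = *v++;
            const char *q = v;
            if (quote) { while (q < tag_end && *q != quote) q++; }
            else       { while (q < tag_end && !isspace((unsigned char)*q)) q++; }
            if ((size_t)(q - v) > longest) longest = (size_t)(q - v);
        }
        p = (tag_end < end) ? tag_end + 1 : end;
    }
    return longest;
}

/* Non-zero if the file would trip the overflow described in the advisory. */
int asp_has_language_overflow(const char *src, size_t len) {
    return longest_script_language(src, len) >= LANGUAGE_OVERFLOW_LEN;
}

/* Build the advisory's trigger with a LANGUAGE value of lang_len filler bytes
   and report whether the scanner flags it. Returns -1 on allocation failure. */
int sample_is_flagged(size_t lang_len) {
    const char *head = "<SCRIPT LANGUAGE=\"";
    const char *tail = "\" RUNAT=\"Server\">\r\n</SCRIPT>\r\n";
    size_t hl = strlen(head), tl = strlen(tail);
    char *buf = malloc(hl + lang_len + tl + 1);
    if (!buf) return -1;
    memcpy(buf, head, hl);
    memset(buf + hl, 'A', lang_len);          /* filler standing in for [buffer] */
    memcpy(buf + hl + lang_len, tail, tl + 1);
    int flagged = asp_has_language_overflow(buf, hl + lang_len + tl);
    free(buf);
    return flagged;
}

int main(void) {
    printf("benign LANGUAGE length: %zu\n",
           longest_script_language(BENIGN_ASP, strlen(BENIGN_ASP)));
    printf("2219-byte LANGUAGE flagged: %d\n", sample_is_flagged(2219));
    printf("2220-byte LANGUAGE flagged: %d\n", sample_is_flagged(2220));
    return 0;
}
```

Build with `cc -std=c99 -Wall scan_asp.c -o scan_asp` and feed it file contents read into memory. The scanner is a stopgap for the upload and message-board paths only; the fix is the W3SVC.DLL hotfix described under SOLUTION.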
On another note, you could couple this attack with the recent IIS
Unicode bug, using cmd.exe to echo the contents of your evil.asp
onto the remote system; then, when you request evil.asp, your code
is executed as SYSTEM. In fact, we have created a sample exploit to
show how this .asp language overflow and the IIS Unicode exploit
can be used together to remotely compromise any NT4+IIS4+SP6
(or lower) system that is behind in installing hotfixes.
Because the attack arrives as ordinary requests to the web server
itself, it is likely that firewalls will not protect you against
attacks like this.
How to remotely exploit a system? Use the IIS Unicode exploit +
.asp language overflow. For those of you not familiar with the
IIS Unicode exploit, it basically allows you to remotely execute
commands against IIS as IUSR_MACHINE. Now, since we can execute
commands via cmd.exe, we could try to make the remote web server
connect out to an FTP server to grab a file (sort of like the
first IISHack), but you would still be executing code as
IUSR_MACHINE. The way our exploit works is by using the Unicode
bug to echo our .asp file (complete with shellcode that binds
cmd.exe to a port) onto the remote server and then request that
.asp file, which causes inetinfo.exe to overflow, resulting in a
SYSTEM-privileged cmd.exe bound to the specified port. Now, in
most circumstances you should have correct ACLs on cmd.exe (that
would not allow IUSR_MACHINE to touch it) as well as some other
security precautions in place, so we understand this exploit will
not work on a secured system. However, this is just proof of
concept and, as most of us know, most IIS servers do not have
proper local security in place. The exploit basically looks like
the following when compiled:
C:\we are still hiring good programmers> iishack1.5.exe
IISHack Version 1.5
eEye Digital Security
http://www.eEye.com
Code By: Ryan Permeh & Marc Maiffret
eEye Digital Security takes no responsibility for use of this code.
It is for educational purposes only.
Usage: IISHack1.5 [server] [server-port] [trojan-port]
C:\send resume to hire@eeye.com> iishack1.5.exe www.[yourowncompany].com 80 6969
IISHack Version 1.5
eEye Digital Security
http://www.eEye.com
Code By: Ryan Permeh & Marc Maiffret
eEye Digital Security takes no responsibility for use of this code.
It is for educational purposes only.
Attempting to find an executable directory...
Trying directory [scripts]
Executable directory found. [scripts]
Path to executable directory is [C:\Inetpub\scripts]
Moving cmd.exe from winnt\system32 to C:\Inetpub\scripts.
Successfully moved cmd.exe to C:\Inetpub\scripts\eeyehack.exe
Sending the exploit...
Exploit sent! Now telnet to www.[yourowncompany].com on port 6969 and you
should get a cmd prompt.
C:\> telnet www.[yourowncompany].com 6969
Trying www.[yourowncompany].com...
Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.
C:\WINNT\system32>whoami
NT AUTHORITY\SYSTEM
Download the full exploit from:
http://www.eEye.com/html/advisories/IISHack1.5.zip
SOLUTION
Microsoft has already fixed this .asp language overflow in earlier
hotfixes, and the fix is carried in most post-Service Pack 6
hotfixes. This flaw has been fixed in the latest versions of
W3SVC.DLL, so installing any recent IIS hotfix will fix the problem.
Here is a list of _some_ MS advisories and hotfixes that will fix
the .asp language overflow vulnerability:
- MS00-080: Patch Available for "Session ID Cookie Marking" Vulnerability
- MS00-060: Patch Available for "IIS Cross-Site Scripting" Vulnerabilities
- MS00-057: Patch Available for "File Permission Canonicalization" Vulnerability
- MS00-030: Patch Available for "Malformed Extension Data in URL" Vulnerability
- MS00-023: Patch Available for "Myriad Escaped Characters" Vulnerability
- MS00-019: Patch Available for "Virtualized UNC Share" Vulnerability
- MS00-018: Patch Available for "Chunked Encoding Post" Vulnerability
W3SVC versions greater than 720 address this issue. So if you've
been keeping up to date with your hotfixes, you should not be
vulnerable to this issue.