MLUG: Re: [MLUG] Study: Open source poses security risks (???)

I apologize for picking up this exhaustive thread once more for some 
additional Microsoft bashing.

Three new vulnerabilities popped up (attached). How does this nicely bribed 
think tank Alexis de Tocqueville explain the discovery of those 
vulnerabilities if closed-source is soooo much safer? Apparently you don't 
need the source to discover security holes. Or does anybody want to sell me 
that M$ published these holes on its own initiative??

Mark

--------------------------------------------------------------


------- Forwarded Message

Date: Thu, 13 Jun 2002 11:10:48 +0100
From: Matt Moore <EMAIL:PROTECTED>
Subject: wp-02-0007: Microsoft SQLXML ISAPI Overflow and Cross Site Scripting

Westpoint Security Advisory

Title:          Microsoft SQLXML ISAPI Overflow and Cross Site Scripting
Risk Rating:    Medium
Software:       Microsoft SQLXML 3.0 / IIS 5.0 / SQLServer 2000
Platforms:      Win2K
Vendor URL:     www.microsoft.com
Author:         Matt Moore <EMAIL:PROTECTED>
Date:           12 June 2002
Advisory ID#:   wp-02-0007.txt
CVE#:           CVE-CAN-2002-0186 (XSS) and CVE-CAN-2002-0187 (Overflow)

Overview:
=========
SQLXML allows XML data to be transferred to and from SQL Server, returning
database queries as XML.

SQLXML has two vulnerabilities: a buffer overflow in the SQLXML ISAPI
filter, and a cross site scripting vulnerability.

More complete details on how SQLXML works can be found in Microsoft's
advisory (see below).

Details:
========

Cross Site Scripting
--------------------
Part of the functionality of SQLXML is being able to run SQL queries via a
URL such as:

IIS-server/Northwind?sql=SELECT+contactname,+phone+FROM+Customers+FOR+XML

This will return an XML document containing the query results.

It is possible to specify an extra parameter in the query, 'root', which
returns the data as above, but with a 'root' tag of the xml document as
the user specified.

This feature can be used to perform cross site scripting attacks against
the web application running on the server:

IIS-server/Northwind?sql=SELECT+contactname,+phone+FROM+Customers+FOR+XML&root=<SCRIPT>alert(document.domain)</SCRIPT>

Best practice recommends against allowing ad hoc URL queries against a
database.

SQLXML ISAPI Filter Buffer Overflow
-----------------------------------
When making SQL queries using the 'sql=' functionality of SQLXML it is
possible to specify certain parameters which affect the returned XML
(e.g. xsl=). One of these parameters lets you set a content-type.

It's possible to crash IIS by requesting an overly long string in the
?contenttype= parameter. This could also allow arbitrary code to be run
on the server in the context of the SYSTEM account.

A normal request looks like (in this case, a direct sql= query):

IIS-server/demos?sql=select+*+from+Customers+as+Customer+FOR+XML+auto&root=root&xsl=custtable.xsl&contenttype=text/html

By specifying >240 characters for the content-type parameter it is possible
to make inetinfo.exe crash.

E.g. (using a 'template' file rather than a direct query, in this case):

IIS-Server/Nwind/Template/catalog.xml?contenttype=text/AAAA...AAA

Patch Information:
------------------
Microsoft has released patches and an advisory for the identified issues.

These are available from:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-030.asp

This advisory is available online at:

http://www.westpoint.ltd.uk/advisories/wp-02-0007.txt




From: "Mark Litchfield" <EMAIL:PROTECTED>
Subject: Microsoft RASAPI32.DLL
Date: Thu, 13 Jun 2002 14:23:59 -0700

NGSSoftware Insight Security Research Advisory

Name: Buffer Overflow in Microsoft Rasapi32.dll
Systems Affected:  WinNT, Win2K, XP, Microsoft Routing And Remote Access Server ("Steelhead")
Severity:  High
Category:  Buffer Overrun / Privilege Escalation
Vendor URL:   http://www.microsoft.com/
Author:   Mark Litchfield (EMAIL:PROTECTED)
Date:   13th June 2002
Advisory number: #NISR13062002

Vendor Notification Details
***************************
The VNA for this issue can be found at
http://www.nextgenss.com/vna/ms-ras.txt
The elapsed time between notification and fix was seven months.

Description
***********
Rasapi32.dll contains an unchecked buffer, essentially allowing a local user
to overflow any executable that has a GUI help feature or connects to the
internet. This can be used to obtain system privileges on a machine that an
attacker can interactively log on to, or to "Trojan" a machine on which they
can edit the phone book properties.

Details
*******
Rasapi32.dll ships with all recent Microsoft operating systems, being
described as the "Dial-Up Networking Dynamic Linked Library and a Remote
Access API".

The overflow occurs when the code that parses RAS phonebook entries runs;
this can occur when a user logs on interactively, or when a user views the
dial-up connection properties. Specifically, an overly-long 'script name'
(stored in the Rasphone.pbk file) will cause the overflow.

A possible (interactive) exploit scenario would be:

- Log on to the target machine.
- Create a batch file adding your account to the "administrators" group and
  paste exploit code that will run the batch file into the 'rasphone.pbk' file.
- Log off user.
- When presented with the logon dialog box, select "Log on using dial-up
  connection".
- At this point an access violation occurs in Winlogon.exe executing your
  batch file with system privileges. Depending on how the exploit code is
  written, the operating system is likely to 'blue screen' at this point.
- After the blue screen, logon with your user name and password to access
  your system account.

An interesting aspect of this overflow is that it exploits the logon dialog
that occurs after the Secure Attention Sequence (Ctrl+Alt+Del), which is
designed to prevent other programs or processes from intervening during
authentication (that is, to prevent trojan-horse programs from being executed
during the authentication process), effectively turning a defence mechanism
into a security problem.

Another interesting point is that on our Windows 2000 test platform the
overflow string was Unicode, but on our Windows XP and Windows NT test
platforms the overflow string was ASCII.

The overflow can also be used to "poison" a machine such that the next time
a dial-up connection is used, some exploit code is run. Interestingly, it is
possible to exploit the problem using most windows applications, via the
"Internet Options" menu item accessible via the help menu. For example, to
cause the overrun to occur in Solitaire (SOL.exe), open Solitaire, select
help, contents, options, internet options and finally connections.


Fix Information
***************
NGSSoftware alerted Microsoft to these problems in November of last year.
Microsoft's advisory on this issue can be found at
http://www.microsoft.com/technet/security/bulletin/MS02-029.asp
Microsoft's advisory contains patch download information, as well as a
discussion of the issue.

A check for this issue has been added to Typhon II, of which more
information is available from the
NGSSoftware website, http://www.ngssoftware.com.

Further Information
*******************

For further information about the scope and effects of buffer overflows,
please see

http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf
http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf




From: "Ryan Permeh" <EMAIL:PROTECTED>
To: <EMAIL:PROTECTED>
Subject: ADVISORY: Windows 2000 and NT4 IIS .HTR Remote Buffer Overflow [AD20020612]
Date: Wed, 12 Jun 2002 15:06:59 -0700

Windows 2000 and NT4 IIS .HTR Remote Buffer Overflow

Release Date:
June 12, 2002

Severity:
High (Remote code execution)

Systems Affected:
Microsoft Windows NT 4.0 Internet Information Services 4.0
Microsoft Windows 2000 Internet Information Services 5.0

A vulnerability in transfer chunking, in combination with the processing of
HTR request sessions, can be exploited to remotely execute code of an
attacker's choice on the vulnerable machine. By sending a carefully crafted
session, an attacker can overwrite a section of the heap. Data structures in
the overwritten heap can be manipulated to move attacker-supplied data to
attacker-supplied memory addresses, thereby altering the flow of execution
into an attacker-supplied payload.

This is a very serious vulnerability and eEye suggests that administrators
install the Microsoft supplied patch as soon as possible.

The following example will show the vulnerable condition. The dllhost.exe
child process will silently die because the developers have replaced the
default exception filter. So if you want to examine this closer, load a
debugger up on the dllhost child process before you send this example
session over the wire.

**************Begin Session****************
POST /EEYE.htr HTTP/1.1
Host: 0day.big5.com
Transfer-Encoding: chunked

20
XXXXXXXXXXXXXXXXXXXXXXXXEEYE2002
0
[enter]
[enter]
**************End Session******************

Technical Description:

The example session above overwrites a section of the heap that contains
data structures related to the memory management system. By manipulating the
content of these structures we can overwrite an arbitrary 4 bytes of memory
with an attacker supplied address.

While many may believe that the risk for these types of vulnerabilities is
fairly low due to the fact that addressing is dynamic and brute force
techniques would need to be used in an attack, eEye strongly disagrees. This
premise is false, as successful exploitation can be made with one attempt,
across dll versions. An attacker can overwrite static global variables,
stored function pointers, process management structures, memory management
structures, or any number of data types that will allow him to gain control
of the target application in one session.

SecureIIS(tm) Application Firewall for Microsoft IIS

It should be noted that clients using any version of SecureIIS from eEye
Digital Security are secure from this vulnerability. This vulnerability was
discovered by the eEye team while testing a new version of SecureIIS to help
further its protection abilities from similar classes of attack. To learn
more visit http://www.eeye.com/SecureIIS

Vendor Status:
Microsoft has released a security bulletin and patch:
http://www.microsoft.com/technet/security/

Beyond installing the Microsoft security patch, it is also recommended to
disable the .htr ISAPI filter if you have not already done so. Microsoft's
security advisory references more information on the steps of how to disable
the .htr ISAPI filter.

Credit: Riley Hassell

Greetings: Caesar, K2, Dark Spyrit, Solar Designer, Joey, Halvar, Gera,
Scut, Ilfak Guilfanov. And last but not least, Kasia and Jenn ;) and as
always, www.securityfocus.com.

Copyright (c) 1998-2002 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail EMAIL:PROTECTED for
permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
EMAIL:PROTECTED
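
A defender-side way to spot the request patterns these three advisories describe in IIS web logs, as an added example that is not code from any of the advisories, from Westpoint, NGSSoftware, eEye or Microsoft. It scans constructed W3C extended log lines (the field order and the sample entries are assumptions) and tags SQLXML root= values carrying markup, over-long contenttype= values, and any request for an .htr resource.

```python
"""Added example, not from the advisories: triage IIS W3C log lines for the SQLXML
'root' XSS, the SQLXML 'contenttype' overflow and any .htr request. Assumed field
order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
from urllib.parse import parse_qs

CONTENTTYPE_LIMIT = 240   # advisory: more than 240 chars in contenttype= crashes inetinfo.exe
XSS_MARKERS = ("<", ">", "script")

def analyse_request(uri_stem, uri_query):
    """Return finding tags for one request; an empty list means nothing matched."""
    findings = []
    # eEye recommends disabling the .htr ISAPI mapping, so any .htr hit is worth a look.
    if uri_stem.lower().endswith(".htr"):
        findings.append("htr-request")
    # parse_qs URL-decodes values, so %3CSCRIPT%3E is checked as <SCRIPT>.
    params = parse_qs(uri_query, keep_blank_values=True)
    for value in params.get("root", []):
        if any(marker in value.lower() for marker in XSS_MARKERS):
            findings.append("sqlxml-root-xss")
    for value in params.get("contenttype", []):
        if len(value) > CONTENTTYPE_LIMIT:
            findings.append("sqlxml-contenttype-overflow")
    return findings

def scan_log(lines):
    """Return (client_ip, uri_stem, tags) for every log line that matched."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue          # blank line or W3C directive such as #Fields
        fields = line.split()
        if len(fields) < 7:
            continue          # truncated or malformed entry
        c_ip, stem, query = fields[2], fields[4], fields[5]
        tags = analyse_request(stem, "" if query == "-" else query)
        if tags:
            hits.append((c_ip, stem, tags))
    return hits

# Constructed sample log; IIS logs the query string without the leading '?'.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2002-06-13 10:01:02 10.0.0.5 GET /Northwind sql=SELECT+contactname,+phone+FROM+Customers+FOR+XML 200",
    "2002-06-13 10:01:09 10.0.0.5 GET /Northwind sql=SELECT+*+FROM+Customers+FOR+XML&root=%3CSCRIPT%3Ealert(1)%3C/SCRIPT%3E 200",
    "2002-06-13 10:02:30 10.0.0.9 GET /Nwind/Template/catalog.xml contenttype=text/" + "A" * 300 + " 500",
    "2002-06-13 10:03:11 10.0.0.7 POST /EEYE.htr - 200",
]

for ip, stem, tags in scan_log(SAMPLE_LOG):
    print(f"{ip} {stem} -> {', '.join(tags)}")
```

The log fields carry no Transfer-Encoding header, so the chunked .htr POST from the eEye session is visible only as an .htr request; that is why every .htr hit is tagged rather than only the chunked ones.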

Archives are available at http://mlug.missouri.edu/list-archives/