There is a buffer overflow vulnerability in IIS's ASP ISAPI file parsing mechanism. It can be exploited to gain SYSTEM-level access on the vulnerable machine.
This is a local exploit rather than a remote one (although this advisory also describes how it could be exploited remotely). It is local in the sense that the attacker must get an "evil" .asp file onto the server; when IIS parses that file, inetinfo.exe overflows, which lets the attacker take control of the server as SYSTEM.
Credit:
The information has been provided by Marc Maiffret.
Vulnerable systems:
Windows NT 4.0 IIS 4.0 SP6
Immune systems:
Windows NT 5.0 IIS 5.0
This vulnerability is local in that it requires the ability to create ASP files on the server, but since many web hosting companies and internet service providers allow their customers to do exactly that, there are hosts out there that are vulnerable to this attack. Basically any client (or attacker) who can update their website, i.e. upload a new default.asp or anything.asp, can execute code as SYSTEM and therefore take complete control of the server.
Vulnerable part of ASP:
Here is an example .asp file that will cause NT4+IIS4's inetinfo.exe to overflow.
----start-cut-of-example.asp----
<SCRIPT LANGUAGE="[buffer]" RUNAT="Server">
</SCRIPT>
----end-cut-of-example.asp----
Where [buffer] is 2220 characters or more. This overflow is exploitable - see below.
Scenarios:
1) A sample situation would be a server running a guest book / message board system that does not strip out SCRIPT tags when it writes posted messages into the .asp file it serves back. The attacker could go to the web board, paste the script language overflow into a message and submit it. Then, once they requested the .asp file containing that message (with the embedded overflow), IIS would parse the file, overflow, and execute their code.
2) Another situation would be to couple this attack with the recent IIS Unicode bug: use cmd.exe to echo the contents of your evil.asp onto the remote system, then request evil.asp and your code executes as SYSTEM.
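As an added example (not code from the eEye advisory or from Microsoft), the following Python script builds the advisory's trigger file, scans .asp files for a SCRIPT tag whose LANGUAGE attribute is at or over the 2220-byte threshold (the check a hosting provider would run on customer uploads, or a forensic reviewer on a compromised box), and shows the guest book hardening for scenario 1: HTML-escape posted messages rather than trying to strip SCRIPT tags. The 2220-byte threshold and the tag shape come from the advisory; the function names and the constructed sample inputs are assumptions made for this example.

```python
import html
import re
import sys

# From the advisory: a LANGUAGE attribute of 2220 bytes or more in a
# server-side SCRIPT tag overflows inetinfo.exe on NT4 + IIS4.
OVERFLOW_LENGTH = 2220

# Opening <SCRIPT ...> tags only; the closing </SCRIPT> does not match
# because of the "/" after "<". DOTALL lets attributes span lines.
SCRIPT_TAG_RE = re.compile(r"<\s*script\b([^>]*)>", re.IGNORECASE | re.DOTALL)
# name="value", name='value' or name=value inside a tag.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)


def build_trigger_asp(length=OVERFLOW_LENGTH, fill="A"):
    """Return the advisory's example.asp with a LANGUAGE attribute of
    `length` bytes. This is only the crash trigger, no payload."""
    return '<SCRIPT LANGUAGE="%s" RUNAT="Server">\n</SCRIPT>\n' % (fill * length)


def parse_attrs(attr_text):
    """Parse the attribute portion of a tag into a lower-cased-name dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        name, dq, sq, bare = m.groups()
        value = dq if dq is not None else (sq if sq is not None else bare)
        attrs[name.lower()] = value
    return attrs


def find_overlong_language(asp_text, threshold=OVERFLOW_LENGTH):
    """Return (offset, runat, language_length) for every SCRIPT tag whose
    LANGUAGE attribute is at least `threshold` bytes. Tags without
    RUNAT="Server" are reported too (runat is None or whatever was given)
    so the analyst can decide; the advisory's trigger is the server-side form."""
    hits = []
    for m in SCRIPT_TAG_RE.finditer(asp_text):
        attrs = parse_attrs(m.group(1))
        lang = attrs.get("language")
        if lang is not None and len(lang) >= threshold:
            hits.append((m.start(), attrs.get("runat"), len(lang)))
    return hits


def render_guestbook_entry(message):
    """Scenario 1 hardening: HTML-escape posted text before it is written
    into an .asp page. Stripping <SCRIPT> tags misses case and whitespace
    variants; escaping '<' means no tag (and no <% %> delimiter) survives."""
    return "<p>%s</p>\n" % html.escape(message, quote=True)


def scan_files(paths):
    """Scan .asp files on disk; returns {path: hits} for files with hits."""
    findings = {}
    for path in paths:
        with open(path, "rb") as fh:
            text = fh.read().decode("latin-1")
        hits = find_overlong_language(text)
        if hits:
            findings[path] = hits
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_files(sys.argv[1:]).items():
            for offset, runat, n in hits:
                print("%s: offset %d runat=%s LANGUAGE length %d" % (path, offset, runat, n))
    else:
        # Self-demo on constructed input: the trigger file is flagged, the
        # same text escaped into a guest book page is not.
        trigger = build_trigger_asp()
        print("trigger:", find_overlong_language(trigger))
        print("escaped:", find_overlong_language(render_guestbook_entry(trigger)))
```

Run it with one or more .asp paths to scan a web root, or with no arguments for the self-demo. The scanner deliberately matches tags case-insensitively and across line breaks, since a board that only strips a literal `<SCRIPT` is exactly the kind of filter scenario 1 gets past.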
Vendor Status:
Microsoft has already fixed this .asp language overflow in earlier hotfixes, and the fix is carried in most post-Service Pack 6 hotfixes. The flaw is fixed in the latest versions of W3SVC.DLL, so installing any recent hotfix that updates W3SVC.DLL will fix the problem.
Here is a list of _some_ MS advisories and hotfixes that will fix the .asp language overflow vulnerability:
MS00-080: Patch Available for "Session ID Cookie Marking" Vulnerability
MS00-060: Patch Available for "IIS Cross-Site Scripting" Vulnerabilities
MS00-057: Patch Available for "File Permission Canonicalization" Vulnerability
MS00-030: Patch Available for "Malformed Extension Data in URL" Vulnerability
MS00-023: Patch Available for "Myriad Escaped Characters" Vulnerability
MS00-019: Patch Available for "Virtualized UNC Share" Vulnerability
MS00-018: Patch Available for "Chunked Encoding Post" Vulnerability
W3SVC.DLL versions greater than 720 address this issue. Therefore, if you have been keeping up to date with your hotfixes, you should not be vulnerable to this issue.
Exploit:
Download the full exploit from:
http://www.eEye.com/html/advisories/IISHack1.5.zip