SecurityTracker.com
SecurityTracker
Archives
Category: Application (Web Server/CGI) > Microsoft Internet Information Server (IIS) Web Server
Vendors: Microsoft
(Proof of Concept Exploit Described) Re: Microsoft Internet Information Server Buffer Overflow in Chunked Encoding Mechanism Lets Remote Users Run Arbitrary Code on the Server
SecurityTracker Alert ID:  1004012
SecurityTracker URL:  http://securitytracker.com/id/1004012
CVE Reference: CVE-2002-0079, CVE-2002-0147
Date:  Apr 10 2002
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 4.0, 5.0, 5.1
Description:   Two buffer overflow vulnerabilities have been reported in Microsoft's Internet Information Server (IIS) in the chunked encoding transfer processing mechanism for Active Server Pages (ASP). A remote user could cause arbitrary code to be executed.

It is reported that a remote user could overrun heap memory on the system, causing the IIS service to crash or causing arbitrary code to be executed. The code would run with System level privileges on IIS 4.0 and with the privileges of the Web Application Manager account on later versions of IIS. The vulnerability is apparently due to an arithmetic error in the part of the ASP ISAPI extension that accepts data uploaded to the web server via 'chunked encoding'. The bug causes IIS to allocate a buffer that is not large enough to store the uploaded data. This reportedly makes it possible for a remote user to send a chunk of data that overwrites most or all of the memory on the system.

According to the vendor, customers that have applied the IIS Lockdown Tool to configure their servers as static web servers are already protected against this vulnerability. However, the vendor still recommends applying the patch.

The vendor has assigned this flaw a maximum severity rating of 'Critical' for Internet and Intranet servers.

Microsoft credits eEye Digital Security with discovering one of the two buffer overflows. The other was reportedly discovered by Microsoft.

eEye Digital Security has provided the following demonstration exploit transcript:

**************Begin Session****************
POST /iisstart.asp HTTP/1.1
Accept: */*
Host: eeye.com
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked

10
PADPADPADPADPADP
4
DATA
4
DEST
0
[enter]
[enter]
**************End Session******************

In this example, the default exception handler will execute from within the dllhost child process and try to copy "DATA" to "DEST". However, writeable memory is not available at the destination (0x54534544 in this example), so an access violation occurs and the structured exception handling (SEH) within the NT kernel catches it and kills the child dllhost.exe process.
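As an added example (not code from SecurityTracker, eEye or Microsoft), the following Python decoder does the size accounting the advisory says the ASP ISAPI got wrong: it sums the declared chunk sizes before copying, refuses a total over a hard cap, and verifies each chunk's framing, and is run here over the demonstration session above. The 64 KiB cap and the helper names are assumptions made for the example.

```python
# Added example, not code from SecurityTracker, eEye or Microsoft: a defensive
# HTTP/1.1 chunked-body decoder that grows its buffer only by chunk sizes it
# has verified, caps the decoded total, and checks each chunk's framing.

CRLF = b"\r\n"
MAX_BODY = 64 * 1024  # cap on the decoded body (assumed value for this example)


class ChunkedError(ValueError):
    """Raised when the chunked framing is malformed or exceeds the cap."""


def decode_chunked(body: bytes, max_body: int = MAX_BODY) -> bytes:
    """Decode 'hex-size[;ext]CRLF data CRLF ... 0 CRLF' into the raw body."""
    out = bytearray()
    pos = 0
    while True:
        end = body.find(CRLF, pos)
        if end < 0:
            raise ChunkedError("missing chunk-size line")
        size_field = body[pos:end].split(b";", 1)[0].strip()
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ChunkedError("bad chunk size %r" % size_field) from None
        pos = end + 2
        if size == 0:
            return bytes(out)  # last-chunk; trailers are ignored here
        # Check the running total against the cap before copying anything:
        # an undersized destination buffer is the bug the advisory describes.
        if len(out) + size > max_body:
            raise ChunkedError("declared chunk sizes exceed body limit")
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != CRLF:
            raise ChunkedError("chunk data does not match declared size")
        out += chunk
        pos += size + 2


def is_rejected(body: bytes, max_body: int = MAX_BODY) -> bool:
    """True if the decoder refuses the body (convenience for checks)."""
    try:
        decode_chunked(body, max_body)
    except ChunkedError:
        return True
    return False


# Constructed from the demonstration session above: "10" hex = 16 bytes of
# padding, then two 4-byte chunks ("DATA", "DEST") and the zero-size last chunk.
EEYE_BODY = b"10\r\nPADPADPADPADPADP\r\n4\r\nDATA\r\n4\r\nDEST\r\n0\r\n\r\n"
```

On the session body the decoder returns the 24 bytes of padding, "DATA" and "DEST"; a chunk that claims 0xFFFFFFFF bytes, or one whose data is shorter than its declared size, is rejected before any copy takes place.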

Impact:   A remote user could cause the IIS service to crash or could cause arbitrary code to be executed on the server. The code would execute with System level privileges (IIS 4.0) or Web Application Manager privileges (IIS 5).
Solution:   The vendor has released a fix:

For Microsoft IIS 4.0:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37931

For Microsoft IIS 5.0:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37824

For Microsoft IIS 5.1:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37857

The IIS 4.0 patch can be installed on systems running Windows NT 4.0 SP6a. The IIS 5.0 patch can be installed on systems running Windows 2000 SP1 or SP2. The IIS 5.1 patch can be installed on systems running Windows XP Professional Gold.

Microsoft notes that the IIS 5.0 fixes will be included in Windows 2000 SP3 and the IIS 5.1 fixes will be included in Windows XP SP1.

For IIS 4.0 and 5.0, this patch reportedly supersedes the one previously provided in Microsoft Security Bulletin MS01-044.

There is a very large list of 'caveats' associated with this patch. See the Vendor URL for the list.

The vendor will issue Microsoft Knowledge Base article Q319733 shortly, to be available on the Microsoft Online Support web site.

Vendor URL: www.microsoft.com/technet/security/bulletin/MS02-018.asp
Cause:   Boundary error
Underlying OS:  Windows (NT), Windows (2000), Windows (XP)

Message History:   This archive entry is a follow-up to the message listed below.
Apr 10 2002 Microsoft Internet Information Server Buffer Overflow in Chunked Encoding Mechanism Lets Remote Users Run Arbitrary Code on the Server

Source Message Contents

Subject:  [VulnWatch] Windows 2000 and NT4 IIS .ASP Remote Buffer Overflow


Windows 2000 and NT4 IIS .ASP Remote Buffer Overflow

Release Date:
00/00/2002

Severity:
High (Remote code execution)
IWAM_MACHINE Privilege Level

Systems Affected:
Microsoft Windows NT 4.0 Internet Information Services 4.0
Microsoft Windows 2000 Internet Information Services 5.0

Description:

A vulnerability in the ASP (Active Server Pages) ISAPI filter, loaded by
default on all NT4 and Windows 2000 server systems (running IIS), can be
exploited to remotely execute code of an attacker's choice. The fault lies
within the decoding and interpretation of form data received by malicious
clients. By chunk encoding form data we can force IIS to overwrite 4 bytes
of arbitrary memory with data we supply.

This is a very serious vulnerability and eEye suggests that administrators
install the Microsoft supplied patch as soon as possible.

The following example will show the vulnerable condition.  We will use a
default .asp page left after install on a Windows 2000 server with the
latest service packs.

Example:


**************Begin Session****************
POST /iisstart.asp HTTP/1.1
Accept: */*
Host: eeye.com
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked

10
PADPADPADPADPADP
4
DATA
4
DEST
0
[enter]
[enter]
**************End Session******************

Technical Description:

The example session above causes the default exception handler to execute
from within the dllhost child process.  When the default exception handler
executes a window will open with this message:


DLLHOST.EXE - Application error
The instruction at 0x77fcb397 referenced memory at 0x54534544

Notice that 0x54534544 is the hex representation of "TSED", or the value
"DEST" in little endian format. The DLLHOST.EXE process is trying to copy
"DATA" to "DEST". Because there isn't writeable memory at 0x54534544, an
access violation occurs and the structured exception handling (SEH) within
the NT kernel catches it and kills the child dllhost.exe process.

The crux of this problem lies in the fact that the memory we overwrite with
our data contains Heap Management header structures, in our case being used
by AllocateHeap(). Specifically, as we overwrote the header, we control two
four byte addresses within it. These addresses are associated with the
population and use of lookaside lists. The first four-byte address, which in
our example is overwritten by "DATA", is an address that gets copied to the
second four-byte address specified in header.  We have also overwritten the
second address, this time with "DEST". By overwriting these two addresses,
we can put four bytes anywhere in memory that the child dllhost.exe has
privileges to write to.  This allows us to overwrite function pointers,
saved instruction pointers, exception handlers, or anything else that will
allow us to control the flow of execution into our payload. We have been
most successful in exploitation by overwriting a structured exception
handler address on the stack.  Due to the fact that we supplied addresses
that aren't associated with valid lookaside lists, an exception handler will
be called, and when it does, it will call our modified routine, which points
directly into payload code.

It should be noted that while this vulnerability exists in the .ASP ISAPI, a
mechanism is still required to get the malicious request to hit the
vulnerable functions within the .ASP ISAPI. Although pages with form
submissions make it easier to demonstrate this vulnerability, there are
other methods for causing code to execute beyond the form variable
referencing. In the above example we used a default .asp file that has
script code within it that deals with .ASP Server Variables. When the .ASP
ISAPI performs processing on the Server Variables, we are able to cause an
overflow and execute code. There are .asp files by default in IIS that allow
processing of Server Variables, which make it possible to demonstrate the
existence of this vulnerability on default installations.

Like most of the IIS vulnerabilities eEye has discovered in the past,
firewalls and intrusion detection systems do not protect from this
vulnerability.

SecureIIS - Application Firewall for Microsoft IIS

It should be noted that clients using SecureIIS 1.2.5 and above are secure
from this vulnerability. This vulnerability was discovered by the eEye team
while testing a new version of SecureIIS to help further its protection
abilities. To learn more visit http://www.eeye.com/SecureIIS

Vendor Status:
Microsoft has released a security bulletin and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-018.asp

Credit:
Discovery: Riley Hassell
Exploitation Research: Riley Hassell and Ryan Permeh

Greetings:
To all the people who continue to make the security industry more exciting
with innovative research. Also to the rest of eEye, who help make all this
magic possible.

Copyright (c) 1998-2002 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail alert@eEye.com for
permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com