SecurityTracker
Archives
Category:   Application (Security)  >   Microsoft Internet Security and Acceleration Server
Vendors:   Microsoft
Microsoft Internet Security and Acceleration Server May Allow Remote Users to Execute Arbitrary Code on the Firewall
SecurityTracker Alert ID:  1001445
SecurityTracker URL:  http://securitytracker.com/id/1001445
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 28 2001
Impact:   Execution of arbitrary code via network, User access via network


Description:   Expanding on a previously announced denial of service vulnerability in the Microsoft firewall product, it was reported that a remote user can execute arbitrary code on the Microsoft Internet Security and Acceleration Server in certain configurations.


The previous alert (http://www.securitytracker.com/alerts/2001/Apr/1001319.html) reported a denial of service condition when the product is used in proxy mode.

This alert expands on the earlier report to add that a remote user may be able to execute arbitrary code on the server. Using a request of the format "GET http://host/<2338 x nop><offset to user buffer><stored retaddress>", it is apparently possible to overwrite the heap with a saved return address and the address of the executable code. This reportedly does not work every time, but more often than not.
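The request shape described above (an absolute-URI GET to the proxy whose path is thousands of identical filler bytes followed by raw address bytes) is easy to spot in proxy request logs. The following detector is an added example, not part of the SecurityTracker alert or the original report; the request lines are constructed, and the length and run thresholds are assumed values to be tuned against the proxy's normal traffic.

```python
import re

# Constructed sample request lines (not taken from the advisory). The last
# one mimics the shape described in the alert: an absolute-URI GET whose
# path is thousands of identical filler bytes followed by raw address bytes.
SAMPLE_REQUESTS = [
    b"GET http://host/index.html HTTP/1.0",
    b"GET http://host/search?q=isa+server HTTP/1.1",
    b"GET http://host/" + b"\x90" * 2338 + b"\x41\x41\x41\x41\x78\x78\x78\x78" + b" HTTP/1.0",
]

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d$")
ABSOLUTE_URI = re.compile(rb"^https?://[^/\s]+(/\S*)?$")
MAX_PATH_LEN = 1024     # assumed thresholds; tune to the proxy's normal traffic
MAX_FILLER_RUN = 128


def longest_byte_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte value."""
    best = run = 0
    for i, b in enumerate(data):
        run = run + 1 if i and data[i - 1] == b else 1
        best = max(best, run)
    return best


def inspect_request_line(line: bytes) -> dict:
    """Return parse status and the reasons a proxy request line looks malformed."""
    reasons = []
    m = REQUEST_LINE.match(line)
    if not m:
        return {"parsed": False, "reasons": ["unparseable request line"]}
    target = m.group(2)
    u = ABSOLUTE_URI.match(target)
    if not u:
        # A forward proxy expects absolute URIs; a bare path is anomalous.
        return {"parsed": True, "reasons": ["non-absolute target on proxy"]}
    path = u.group(1) or b"/"
    if len(path) > MAX_PATH_LEN:
        reasons.append(f"path length {len(path)} > {MAX_PATH_LEN}")
    bad = sum(1 for b in path if b < 0x20 or b > 0x7E)
    if bad:
        reasons.append(f"{bad} non-printable bytes in path")
    run = longest_byte_run(path)
    if run > MAX_FILLER_RUN:
        reasons.append(f"{run}-byte run of a single value (filler padding)")
    return {"parsed": True, "reasons": reasons}


def flag_suspicious(lines) -> list:
    """Indices of request lines that produced at least one finding."""
    return [i for i, ln in enumerate(lines) if inspect_request_line(ln)["reasons"]]
```

Run `flag_suspicious(SAMPLE_REQUESTS)` to see only the oversized, filler-padded request flagged; ordinary proxy requests produce no findings.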

Impact:   A remote user can execute arbitrary code on the Microsoft Internet Security and Acceleration Server in certain configurations.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/
Cause:   Boundary error
Underlying OS:   Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Report Reaffirms Vulnerability) Re: Microsoft Internet Security and Acceleration Server May Allow Remote Users to Execute Arbitrary Code on the Firewall   (Barnaby Jack <dspyrit@SUBDIMENSION.COM>)
The author of the vulnerability alert confirms the vulnerability.



Source Message Contents

Date:  Sat, 28 Apr 2001 12:48:10 +1200
Subject:  Re: Microsoft ISA Server Vulnerability


This was tested with the standard edition available on the Microsoft site..

Details -

04/27/2001  01:56a             369,936 W3PROXY.EXE

Request - GET http://host/<2338 x nop><offset to user buffer><stored ret address>

We found we needed to send this request twice to reach the code location
where we are able to execute our buffer.. the heap corruption can lead to
random crash locations - but we hit this point more often than not - the
fact is, it is possible.

EAX=41414141 EBX=02492394 ECX=78787878 EDX=0105B9F8 ESI=0105B9F8
EDI=024A25F0 EBP=0621FE1C ESP=0621FDF8 EIP=0101D72F o d I s z A p c
CS=001B DS=0023 SS=0023 ES=0023 FS=0038 GS=0000 ds:41414141=FFFFFFFF

001b:0101d72f   mov     [eax], ecx
001b:0101d731   mov     [ecx+04], eax
001b:0101d734   call    [ntdll!RtlLeaveCriticalSection]
001b:0101d73a   mov     eax, edi
001b:0101d73c   pop     edi
001b:0101d73d   pop     esi
001b:0101d73e   ret

(PASSIVE)-KTEB(854083E0)-TID(05C4)--W3PROXY!.text+0001C741----------

As you can see we are able to define the values of ecx and eax... we can
write whatever data we want to a location of our choosing.
By overwriting eax with a saved return address and ecx with the address of
our buffer we can execute our code.

We had a couple of inventive ways of getting the needed stack values..
overwriting string locations with the data and having the product output the
values was one. A few possibilities.

Am I done?

dark spyrit.


----- Original Message -----
From: "Microsoft Security Response Center" <secure@MICROSOFT.COM>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Saturday, April 28, 2001 2:54 AM
Subject: Re: Microsoft ISA Server Vulnerability


Hi -

You're right that the root problem here is a heap corruption.  The
Knowledge Base article we published on the subject
(http://support.microsoft.com/support/kb/articles/q295/2/79.asp,
"Cause") notes that this is the case.  As part of our investigation, we
examined whether the heap corruption could, in this case, be exploited
to run code, but we were unable to find any way to do so.  If you can
demonstrate an ability to run code via the exploit, please contact us
immediately as we'd be most interested in investigating the issue
further.  Regards,

Scott Culp
Security Program Manager
Microsoft Corporation

Copyright 2013, SecurityGlobal.net LLC