| Home | Blog | Papers | Advisories | Alerts | Tools | Services | About | eEye.com |
 |
 |
|
AdvisoriesPublished Advisories Retina vs. IIS4, Round 2 - The Exploit Release Date: June 16, 1999 Systems Affected: Internet Information Server 4.0 (IIS4) Microsoft Windows NT 4.0 SP3 Option Pack 4 Microsoft Windows NT 4.0 SP4 Option Pack 4 Microsoft Windows NT 4.0 SP5 Option Pack 4 Overview: We contemplated releasing this exploit and decided to do it after Microsoft neglected to give it the attention it deserves. After the fifth day of reporting the bug to Microsoft, they stopped responding to our eMails. On the 8th day we felt that it was our duty to make our voice heard. Technical Details: Here Is Why We are a full disclosure security team, and we were not working under any non disclosure agreements with anyone. Our responsibility to our clients and the whole network community is to disclose as many details as possible, this is how other developers can pick up where we stopped and explore the exploit in different directions, this is the way we can contribute to the security community and keep software vendors working hard at producing more robust products. This exploit demonstrates the seriousness of the hole, YES this is a very serious hole and needs to be given the attention it deserves. If our team starts hiding the facts, we'll be no better than a software vendor that rushes insecure products to market. So here it goes... The Target Lets say for this example we are targeting some random fortune 500 company. Take your pick. We want to pretend this company has some "state of the art" security. They are locked down behind a Cisco Pix, and are being watched with the best of Intrusion Detection software. The server only allows inbound connections to port 80. Let's Dance We've crafted our exploit to overflow the remote machine and download and execute a trojan from our web server. The trojan we are using for this example is, ncx.exe. Ncx.exe is a hacked up version of netcat.exe. The hacked up part of this netcat is that it always passes -l -p 80 -t -e cmd.exe as its argument. That basically means netcat is always going to bind cmd.exe to port 80. The exe has also been packed slightly to make it smaller. Instead of a 50k footprint its 31k. So we run our exploit: Note: Once we type exit in the telnet session our trojan exe, ncx.exe is unloaded and is no longer listening on port 80. Therefore the web service can restart and everything can seem back to normal. Now the example above was a some what quick demonstration of how this could be used. Some things were left out because this advisory is big enough as it is. Special Thanks Goes to professor barns@eeye.com for coding this exploit and demonstrating his Kung Fu style. Copyright (c) 1998-2009 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. |
|
Copyright © 1998-2008 eEye Digital Security