ISAPI DLL Buffer Overflows


As part of its installation process, IIS installs several ISAPI extensions, DLLs that provide extended functionality. Among these is idq.dll, a component of Index Server (known in Windows 2000 as Indexing Service) that provides support for administrative scripts (.ida files) and Internet Data Queries (.idq files).

A buffer overrun vulnerability was found in idq.dll: the DLL contained an unchecked buffer in the section of code that handled input URLs. An attacker who could establish a web session with a server on which idq.dll was installed could overrun that buffer and execute code on the web server. Because idq.dll runs in the System context, exploiting the vulnerability gives the attacker complete control of the server and lets him take any desired action on it.

Exploitation of the buffer overflow involves sending an overlong query parameter to idq.dll, as in the following request, where [buffer] is roughly 240 bytes of filler:

GET /null.ida?[buffer]=X HTTP/1.1
Host: [arbitrary_value]

The buffer overrun occurs before any indexing functionality is requested. As a result, even though idq.dll is a component of Index Server/Indexing Service, the service does not need to be running for an attacker to exploit the vulnerability, and the target .ida file does not need to exist. As long as the script mapping for .idq or .ida files is present and the attacker can establish a web session, he can exploit the vulnerability.

An attacker who successfully exploited this vulnerability could gain complete control over an affected web server. This would give the attacker the ability to take any desired action on the server, including changing web pages, reformatting the hard drive, or adding new users to the local Administrators group.

Threat  

Exploits

The most prolific exploit of this buffer overflow was the Code Red worm; it and the Nimda worm that followed it are discussed in detail in the module on viruses. A worm is a generic term for a piece of code that replicates itself across a network. Modern worms typically exploit a popular remote security flaw to infect a system, take control of the victim, and cause damage before launching new attacks against further victims.

start sidebar
IPP Printer Overflow
  • There is a buffer overflow in IIS within the ISAPI extension that handles .printer files (c:\winnt\system32\msw3prt.dll) and provides support for the Internet Printing Protocol (IPP).

  • IPP enables web-based control of various aspects of networked printers.

  • The vulnerability is triggered when a buffer of approximately 420 bytes is sent in the HTTP Host header:

    GET /NULL.printer HTTP/1.0
    Host: [buffer]

end sidebar
 
Note  

Internet Printing Protocol

Windows 2000 introduced native support for the Internet Printing Protocol (IPP), an industry-standard protocol for submitting and controlling print jobs over HTTP. The protocol is implemented in Windows 2000 via an ISAPI extension that is installed by default as part of Windows 2000 but can only be accessed via IIS 5.0.

Threat  

Vulnerability

This ISAPI extension contained an unchecked buffer in the section of code that handled input parameters, producing a buffer overrun vulnerability. A remote attacker could overrun the buffer and cause code of his choice to run on the server. Such code runs in the Local System security context, giving the attacker complete control of the server and enabling him to take virtually any action he chose.

The attacker could exploit the vulnerability against any server with which he could conduct a web session. No other services need to be available, and only port 80 (HTTP) or 443 (HTTPS) needs to be open.

The Windows 2000 Internet Printing ISAPI extension, msw3prt.dll, handles user requests. The vulnerability in msw3prt.dll, discovered by Riley Hassell of eEye, stems from missing input validation: an attacker can overflow a buffer and run any program in the SYSTEM context.

Because of the unchecked buffer in msw3prt.dll, a maliciously crafted HTTP .printer request containing approximately 420 bytes in the Host: field allows the execution of arbitrary code. A remote command shell is trivial for the attacker to obtain and destructive for the web site, because it gives the attacker complete control over the web server. If the overflow merely makes the web server stop responding, Windows 2000 detects the unresponsive service and automatically restarts it, so the administrator may remain unaware of the attack; the same automatic restart also gives a remote attacker repeated attempts at executing code against a Windows 2000 IIS 5.0 web server. If Web-based Printing has been configured with a group policy, attempts to disable or unmap the affected extension via Internet Services Manager will be overridden by the group policy settings.
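The two trigger patterns on this page differ in where the oversized data sits: the idq.dll overrun is driven by the query string of a request for any .ida/.idq target, the msw3prt.dll overrun by the Host header of a request for any .printer target. The following Python, added here as an illustration and not code from the courseware, parses a raw HTTP request and reports which ISAPI extension it would reach and how large the suspicious field is, which is the logic one would put in a request filter or log-replay check. The length thresholds are taken from the page's approximate figures (about 240 and about 420 bytes) and are assumptions to tune; the sample requests in the docstring and usage are constructed for the example.

```python
"""
Classify raw HTTP requests for the two IIS 5.0 ISAPI overflow triggers
described above: idq.dll (.ida/.idq target, overlong query string) and
msw3prt.dll (.printer target, overlong Host header).

The thresholds are the page's approximate figures, not exact values.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

IDQ_LIMIT = 240        # approx., per the page: idq.dll overrun via the query string
PRINTER_LIMIT = 420    # approx., per the page: msw3prt.dll overrun via the Host header

IDQ_EXTENSIONS = (".ida", ".idq")
PRINTER_EXTENSION = ".printer"


@dataclass
class Finding:
    dll: str      # ISAPI extension the request would be routed to
    field: str    # "query" or "host": where the oversized data sits
    length: int   # size of that field in bytes


def parse_request(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP request into (method, target, headers).

    Only the request line and headers are examined; header names are
    lower-cased so 'HOST:' and 'Host:' are treated alike.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    method, target = parts[0], parts[1]
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if b":" not in line:
            continue
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def classify(raw: bytes) -> Optional[Finding]:
    """Return a Finding if the request matches either overflow trigger."""
    _method, target, headers = parse_request(raw)
    parsed = urlsplit(target)
    path = parsed.path.lower()

    # idq.dll: the named file need not exist and Indexing Service need not
    # be running; only the .ida/.idq script mapping matters, so decide on
    # the extension alone and measure the query string.
    if path.endswith(IDQ_EXTENSIONS):
        qlen = len(parsed.query.encode("latin-1"))
        if qlen >= IDQ_LIMIT:
            return Finding("idq.dll", "query", qlen)

    # msw3prt.dll: the overlong data is in the Host header, not the URL.
    if path.endswith(PRINTER_EXTENSION):
        hlen = len(headers.get("host", "").encode("latin-1"))
        if hlen >= PRINTER_LIMIT:
            return Finding("msw3prt.dll", "host", hlen)

    return None


if __name__ == "__main__":
    # Constructed sample requests mirroring the shapes shown on this page.
    samples = {
        "ida": b"GET /null.ida?" + b"A" * 240 + b"=X HTTP/1.1\r\nHost: example.test\r\n\r\n",
        "printer": b"GET /NULL.printer HTTP/1.0\r\nHOST: " + b"A" * 420 + b"\r\n\r\n",
        "benign": b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    }
    for name, req in samples.items():
        print(name, classify(req))
```

The check keys on the target extension rather than on whether the file exists, because, as the page notes for idq.dll, the overrun happens before any indexing work is done; a request for a nonexistent .ida file with a long query is as dangerous as one for a real file. A mitigation on the server side is to remove the .ida/.idq and .printer script mappings (or apply the vendor patch); the classifier above is the client-side or log-side complement to that.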




Staff of EC-Council - Ethical Hacking Student Courseware. Certified Ethical Hacker - Exam 312-50 (EC-Council E-Business Certification Series)
Year: 2003
Pages: 109
