.HTR buffer overflow - the gateway to your NT
and if you don't sort this bug out quickly, it is more than certain that someone will sort you out. Well, ALMOST certain.
(17.6.1999) / MS-WINNT
Buffer overflows and the security flaws related to them are very, very common on the Internet and in TCP/IP. The principle is to send something somewhere, where that "something" is quite a bit longer than is generally expected. If the programmer of the server that processes this "something" was a little weak in the head, the piece of software doing the processing usually crashes. In the favourable case it simply falls over. In the less favourable case (surprisingly, there are more of those) it is possible in this way to get code onto the server and have that code executed; hundreds of servers around the world have been hacked thanks to buffer overflow holes in sendmail software.
The Windows NT world has so far not had many buffer overflow security holes. Until Tuesday of this week: .HTR files processed by ISM.DLL (defined as a mapped handler) can be abused for a buffer overflow, and with the help of code (see eEye Digital Security Team - Advisories) freely available on the Internet it is possible to get your own software onto any vulnerable server; from there it is only a step to taking over the whole server and hacking it.
The problem is not the existence of HTR files (see "Watch out for ism.dll in MS IIS after an upgrade"), but the existence of the ISAPI DLL (filter) that processes .HTR files: if you simply send the "correctly" formatted request (HTTP GET) for a completely fictitious HTR file, ISM.DLL gets it for processing, its stack overflows and the damage is done.
REMOVING this problem is SIMPLE: just remove the corresponding mapping of .HTR to ISM.DLL (Microsoft Management Console, Internet Information Server, Properties of the relevant machine, choose WWW Properties, there the Home Directory tab, click Configuration and delete the .HTR mapping from the list). And while you are at it, remove the .IDC mapping too, as well as .shtm, .stm and .shtml.
Microsoft will no doubt offer a fix for ISM.DLL in the foreseeable future, but in any case .HTR files have no business on a production server, so if you learn to remove unnecessary associations (filters) after installing IIS 4.0/3.0, it will only be for the good.
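The unchecked copy described at the top of this article, and the two defensive controls that stop it (a length bound enforced before a request reaches any handler, and an allow-list of mapped extensions from which .HTR, .IDC and the .stm family have been removed, as the paragraph above advises), as an added C example. This is illustrative code written for this page, not code from the article, from IIS or from ISM.DLL; the buffer sizes, status codes and the `mapped_ext` list are assumptions, and `unchecked_handler` is included only for comparison and is never called.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not code from the article or from IIS/ISM.DLL.
 * All names and limits below are invented for the example. */

#define PATH_BUF 64    /* fixed-size buffer a handler copies the path into */
#define MAX_URI  2048  /* server-wide bound enforced before any handler runs */

/* The bug class the article describes, kept only for comparison and never
 * called: attacker-controlled input copied into a fixed buffer with no length
 * check, so a path longer than PATH_BUF-1 bytes overwrites the stack past it. */
void unchecked_handler(const char *uri)
{
    char buf[PATH_BUF];
    strcpy(buf, uri);                 /* no bound: this is the unchecked buffer */
    printf("handling %s\n", buf);
}

/* ASCII case-insensitive equality (Windows file names ignore case). */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Extensions that remain mapped to a server-side handler once the article's
 * advice has been applied: .htr, .idc, .shtm, .stm and .shtml are deliberately
 * absent, so requests for them stop at the dispatcher. (Invented list.) */
static const char *const mapped_ext[] = { ".asp", ".asa", NULL };

/* Extension of the last path segment, or "" when it has none. */
static const char *uri_extension(const char *uri)
{
    const char *slash = strrchr(uri, '/');
    const char *seg = slash ? slash + 1 : uri;
    const char *dot = strrchr(seg, '.');
    return dot ? dot : "";
}

static int ext_is_mapped(const char *ext)
{
    for (size_t i = 0; mapped_ext[i]; i++)
        if (ieq(ext, mapped_ext[i])) return 1;
    return 0;
}

/* Hardened dispatcher. Returns the HTTP status the server should answer with:
 *   414  path longer than the server-wide bound, or too long for the handler
 *   404  extension not mapped to any handler (the request never reaches a
 *        filter, which is exactly what removing the script mapping achieves)
 *   200  handled, via a bounded copy that rejects rather than truncates */
int dispatch(const char *uri)
{
    if (strlen(uri) >= MAX_URI)
        return 414;
    if (!ext_is_mapped(uri_extension(uri)))
        return 404;
    char buf[PATH_BUF];
    if (snprintf(buf, sizeof buf, "%s", uri) >= (int)sizeof buf)
        return 414;                   /* would not fit: refuse, do not overflow */
    return 200;
}

/* Build "/" + count copies of fill + ext and dispatch it; exercises the length
 * checks with paths of arbitrary size. */
int dispatch_repeated(char fill, size_t count, const char *ext)
{
    size_t n = 1 + count + strlen(ext);
    char *uri = malloc(n + 1);
    if (!uri) return -1;
    uri[0] = '/';
    memset(uri + 1, fill, count);
    strcpy(uri + 1 + count, ext);     /* fits: buffer was sized from strlen(ext) */
    int status = dispatch(uri);
    free(uri);
    return status;
}

int main(void)
{
    printf("%d  /default.asp\n", dispatch("/default.asp"));
    printf("%d  /anything.htr (mapping removed)\n", dispatch("/anything.htr"));
    printf("%d  3000-byte .htr path (rejected on length)\n", dispatch_repeated('A', 3000, ".htr"));
    printf("%d  100-byte .asp path (too long for the handler)\n", dispatch_repeated('A', 100, ".asp"));
    return 0;
}
```

The order of the checks is the point: the length bound and the extension allow-list both run before any per-type handler sees the request, so a request for a fictitious .HTR file is answered with a plain 404 and ISM.DLL is never involved.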
HOW DOES IT WORK?
Simply: by means of a buffer overflow and an HTTP request for a fictitious .HTR file, malicious code gets onto your NT server. It contains the code needed to download a program (in this particular case NetCat) and then run it: inetinfo.exe crashes, and the malicious code downloads and runs the program.
The running program provides telnet (or other) access to Windows NT on a certain port (e.g. 99), or installs another, considerably more sophisticated program (such as NetBus or BackOrifice). Then all that is left is to connect to the machine you have just attacked and carry on as you please.
The running program usually runs in the context of the SYSTEM user, and what it can do depends on that. In any case it gives access to all files, databases, scripts, etc.
Besides that, inetinfo.exe is of course dead and the server does not respond: a classic DoS (Denial of Service).
Nevertheless, not everything is as black or white as it looks. On none of our Windows NT 4.0 servers did we manage to use the security hole to run the NetCat software; the only thing that always worked 100% was the DoS on inetinfo.exe (it crashes without Dr. Watson or any other sign of a crash). After that NCX99.EXE still gets downloaded, but it does not run.
The binary code implanted via the buffer overflow simply does not work. Why is that? Probably the surrounding environment is different (it could easily be the influence of the Czech locale or anything else); that changes nothing about the fact that someone can quite certainly "tweak" the code so that it works on Czech servers too.
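A defender-side check for the log side of this, as an added example that is not part of the article or of Microsoft's bulletin: a scanner over IIS W3C extended log text that flags requests for extensions that should no longer be mapped (.htr, .idc, .stm, .shtm, .shtml) and request paths far longer than any legitimate page name. The log lines, the field list and the 1024-byte threshold are constructed for the example. One caveat: a request that crashes inetinfo.exe may never reach the log at all, so this catches probing that did not bring the service down and should be combined with monitoring that inetinfo.exe is still running.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the article or from Microsoft. Scans IIS W3C
 * extended log text and flags requests for extensions that should no longer
 * be mapped to a handler, and request paths of implausible length. */

#define LONG_STEM 1024   /* constructed threshold; real page names are far shorter */
#define LINE_CAP  8192   /* longest log line handled */

enum { FLAG_RISKY_EXT = 1, FLAG_LONG_STEM = 2 };

/* Script mappings the article recommends removing from IIS. */
static const char *const risky_ext[] = { ".htr", ".idc", ".stm", ".shtm", ".shtml", NULL };

/* ASCII case-insensitive equality (Windows file names ignore case). */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Classify one cs-uri-stem value; returns a bitmask of FLAG_* values. */
int classify_stem(const char *stem)
{
    int flags = 0;
    const char *slash = strrchr(stem, '/');
    const char *dot = strrchr(slash ? slash + 1 : stem, '.');
    for (size_t i = 0; dot && risky_ext[i]; i++)
        if (ieq(dot, risky_ext[i])) flags |= FLAG_RISKY_EXT;
    if (strlen(stem) > LONG_STEM) flags |= FLAG_LONG_STEM;
    return flags;
}

/* Copy the n-th (0-based) space-separated token of line into out;
 * returns 0 if the line has fewer than n+1 tokens. */
static int nth_token(const char *line, int n, char *out, size_t out_sz)
{
    const char *p = line;
    for (;;) {
        while (*p == ' ') p++;
        if (*p == '\0') return 0;
        const char *end = p;
        while (*end && *end != ' ') end++;
        if (n-- == 0) {
            size_t len = (size_t)(end - p);
            if (len >= out_sz) len = out_sz - 1;
            memcpy(out, p, len);
            out[len] = '\0';
            return 1;
        }
        p = end;
    }
}

/* 0-based column of `name` in a "#Fields:" directive, or -1 if absent
 * (token 0 is the "#Fields:" keyword itself). */
static int field_index(const char *fields_line, const char *name)
{
    char tok[64];
    for (int i = 1; nth_token(fields_line, i, tok, sizeof tok); i++)
        if (strcmp(tok, name) == 0) return i - 1;
    return -1;
}

/* Walk a whole log text, honouring #Fields so the stem column is found by
 * name rather than by position; prints and counts flagged entries. */
int scan_log(const char *log)
{
    char line[LINE_CAP], stem[LINE_CAP];
    int stem_col = -1, flagged = 0;
    const char *p = log;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += full + (nl ? 1 : 0);
        if (line[0] == '#') {                       /* directive line */
            if (strncmp(line, "#Fields:", 8) == 0)
                stem_col = field_index(line, "cs-uri-stem");
            continue;
        }
        if (stem_col < 0 || !nth_token(line, stem_col, stem, sizeof stem))
            continue;
        int flags = classify_stem(stem);
        if (flags) {
            flagged++;
            printf("FLAG%s%s %.60s%s\n",
                   flags & FLAG_RISKY_EXT ? " [unmapped-ext]" : "",
                   flags & FLAG_LONG_STEM ? " [long-path]" : "",
                   stem, strlen(stem) > 60 ? "..." : "");
        }
    }
    return flagged;
}

/* Constructed sample log (not a real capture). */
const char sample_head[] =
    "#Software: Microsoft Internet Information Server 4.0\n"
    "#Version: 1.0\n"
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "1999-06-17 10:01:02 192.0.2.10 GET /default.asp - 200\n"
    "1999-06-17 10:01:05 192.0.2.10 GET /images/logo.gif - 200\n"
    "1999-06-17 10:02:11 192.0.2.77 GET /scripts/query.idc name=x 200\n"
    "1999-06-17 10:02:40 192.0.2.77 GET /anything.htr - 404\n";

/* Append one constructed entry with a 1500-byte .htr path and scan everything;
 * returns the number of flagged entries (3 for this sample). */
int scan_sample(void)
{
    const char prefix[] = "1999-06-17 10:03:00 192.0.2.77 GET /";
    const char suffix[] = ".htr - 500\n";
    size_t n = strlen(sample_head) + strlen(prefix) + 1500 + strlen(suffix);
    char *log = malloc(n + 1);
    if (!log) return -1;
    strcpy(log, sample_head);
    strcat(log, prefix);
    size_t at = strlen(log);
    memset(log + at, 'A', 1500);
    log[at + 1500] = '\0';
    strcat(log, suffix);
    int flagged = scan_log(log);
    free(log);
    return flagged;
}

int main(void) { printf("flagged entries: %d\n", scan_sample()); return 0; }
```

Any hit on the unmapped-extension rule after the mapping has been removed is just a failed request, but it still tells you who is looking for the hole; the long-path rule is the more general one and also covers other mapped extensions.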
Workaround Available for "Malformed HTR Request" Vulnerability
Originally Posted: June 15, 1999
Summary
Microsoft has released a patch that eliminates a vulnerability in Microsoft® Internet Information Server 4.0. The vulnerability could allow denial of service attacks against an IIS server or, under certain conditions, could allow arbitrary code to be run on the server.
Microsoft has issued this bulletin to advise
customers of steps they can take to protect themselves against this vulnerability. A patch
to eliminate this vulnerability is being developed, and an update to this bulletin will be
released to advise customers when it is available.
Issue
IIS supports several file types that require server-side processing. When a web site
visitor requests a file of one of these types, an appropriate filter DLL processes it. A
vulnerability exists in ISM.DLL, the filter DLL that processes .HTR files. HTR files
enable remote administration of user passwords.
The vulnerability involves an unchecked buffer
in ISM.DLL. This poses two threats to safe operation. The first is a denial of service
threat. A malformed request for an .HTR file could overflow the buffer, causing IIS to
crash. The server would not need to be rebooted, but IIS would need to be restarted. The
second threat would be more difficult to exploit. A carefully-constructed file request
could cause arbitrary code to execute on the server via a classic buffer overrun
technique. Neither scenario could occur accidentally. This vulnerability does not involve
the functionality of the password administration features of .HTR files.
While there are no reports of customers being
adversely affected by this vulnerability, Microsoft is proactively releasing this bulletin
to allow customers to take appropriate action to protect themselves against it.
Affected Software Versions
- Microsoft Internet Information Server 4.0
What Microsoft is Doing
Microsoft has provided a workaround that fixes the problem identified. The workaround is
discussed below in What Customers Should Do.
Microsoft also has sent this security bulletin
to customers subscribing to the Microsoft Product Security Notification Service. See The Microsoft Product
Security Notification Service for more information about this free customer
service.
What Customers Should Do
Microsoft highly recommends that customers disable the script mapping for .HTR files as
follows:
- From the desktop, start the Internet Service
Manager by clicking Start | Programs | Windows NT 4.0 Option Pack | Microsoft Internet
Information Server | Internet Service Manager
- Double-click "Internet Information
Server"
- Right-click on the computer name and select
Properties
- In the Master Properties drop-down box, select
"WWW Service", then click the "Edit" button
- Click the "Home Directory" tab, then
click the "Configuration" button
- Highlight the line in the extension mappings
that contains ".HTR", then click the "Remove" button.
- Answer "Yes" to "Remove selected script mapping?", click OK three times, then close the ISM.
A patch will be available shortly to eliminate
the vulnerability altogether. Customers should monitor http://www.microsoft.com/security for
an announcement when the patches are available.
Microsoft recommends that customers review the
IIS Security Checklist at http://www.microsoft.com/security/products/iis/CheckList.asp
More Information
Please see the following references for more information related to this issue.
Obtaining Support on this Issue
If you require technical assistance with this issue, please contact Microsoft Technical
Support. For information on contacting Microsoft Technical Support, please see http://support.microsoft.com/support/contact/default.asp.
Revisions
- June 15, 1999: Bulletin Created.
For additional security-related information
about Microsoft products, please visit http://www.microsoft.com/security
THE INFORMATION PROVIDED IN THE
MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.
MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT
CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT,
INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.