Namodro

.HTR buffer overflow - a gateway into your NT

...and if you do not sort this bug out quickly, it is more than certain that someone will sort you out. Well, ALMOST certain.

(17.6.1999) / MS-WINNT

Buffer overflows and related security bugs are very, very common on the Internet and in TCP/IP. The principle is sending something somewhere, where that "something" is a great deal longer than is generally expected. If the programmer of the server that processes this "something" was somewhat weak of spirit, the piece of software doing the processing usually crashes. In the favourable case it simply falls over. In the less favourable case (surprisingly, these are the majority) it is possible to get code onto the server this way and have that code executed; hundreds of servers around the world have been hacked thanks to buffer overflow holes in sendmail software.


The Windows NT world has so far not had many buffer overflow security holes. Until Tuesday of this week: .HTR files processed by ISM.DLL (defined as a mapped handler) can be abused for a buffer overflow, and with the help of code (see eEye Digital Security Team - Advisories) freely available on the Internet it is possible to get your own software onto any vulnerable server; from there it is only a step to taking over the whole server and hacking it.

The problem is not the existence of HTR files (see "Beware of ism.dll in MS IIS after an upgrade"), but the existence of the ISAPI DLL (filter) that processes .HTR files: if you simply send a "correctly" formatted request (HTTP GET) for a completely fictitious HTR file, ISM.DLL gets it for processing, its buffer overflows and the damage is done.

REMOVING this problem is SIMPLE: just remove the corresponding mapping of .HTR to ISM.DLL (Microsoft Management Console, Internet Information Server, Properties of the machine in question, choose WWW Properties, then the Home Directory tab, click Configuration and delete the .HTR mapping from the list). And while you are at it, remove the .IDC mapping too, as well as .shtm, .stm and .shtml.

Microsoft will undoubtedly offer a fix for ISM.DLL in the foreseeable future; nevertheless, .HTR files have no business on a production server anyway, so if you get into the habit of removing unneeded associations (filters) after installing IIS 4.0/3.0, it will only do good.


HOW DOES IT WORK?

Simply: by means of a buffer overflow and an HTTP request for a fictitious .HTR file, malicious code gets onto your NT server. It contains the code needed to download a program (in this particular case NetCat) and then run it: inetinfo.exe crashes, and the malicious code downloads and runs the program.

The program that is started provides telnet (or other) access to Windows NT on some port (e.g. 99), or installs another, considerably more sophisticated program (NetBus or BackOrifice, say). After that all it takes is to connect to the machine that has just been attacked and carry on as one pleases.

The started program usually runs in the context of the SYSTEM user, and what it can do depends on that. In any case it gives access to all files, databases, scripts, etc.

Besides that, inetinfo.exe is of course dead and the server does not respond: a classic DoS (Denial of Service).
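As an added example (not code from the article or from Microsoft), a small defender-side check in Python: it scans IIS W3C extended log lines for requests aimed at the .HTR handler or at the other mappings the article says to remove, flags oversized .htr paths as probable overflow attempts, and verifies that a list of script-map entries (in an assumed "ext,dll,flags" format modelled on the IIS metabase ScriptMaps property) no longer contains them. The log lines and the 200-byte threshold are constructed for the example.

```python
# Added example, not code from the article or from Microsoft: two defender
# checks for the .HTR problem. The script-map entry format is an assumption.
import posixpath

RISKY_EXTENSIONS = {".htr", ".idc", ".shtm", ".stm", ".shtml"}
LONG_URI = 200   # hypothetical threshold; legitimate .htr paths are short

# Constructed sample log (not real traffic); the third request is a 300-byte
# path to a fictitious .htr file, the shape the article warns about.
SAMPLE_LOG = (
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query\n"
    "1999-06-17 10:00:01 192.0.2.10 GET /default.htm -\n"
    "1999-06-17 10:00:02 192.0.2.10 GET /iisadmpwd/achg.htr -\n"
    "1999-06-17 10:00:03 198.51.100.7 GET /" + "A" * 300 + ".htr -\n"
).splitlines()

def parse_w3c(lines):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):      # skip truncated records
                yield dict(zip(fields, values))

def triage(lines):
    """Return (risky_hits, overflow_hits): every (client, method, path) that
    requested a risky extension, and the clients whose .htr path was LONG_URI+."""
    risky_hits, overflow_hits = [], []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        ext = posixpath.splitext(stem)[1].lower()
        if ext in RISKY_EXTENSIONS:
            risky_hits.append((rec["c-ip"], rec["cs-method"], stem[:40]))
            if ext == ".htr" and len(stem) >= LONG_URI:
                overflow_hits.append(rec["c-ip"])
    return risky_hits, overflow_hits

def remaining_risky_maps(script_maps):
    """Given entries like '.htr,C:\\WINNT\\System32\\inetsrv\\ism.dll,1'
    (assumed format), return the risky extensions that are still mapped."""
    exts = [e.split(",", 1)[0].lower() for e in script_maps]
    return sorted(x for x in exts if x in RISKY_EXTENSIONS)

if __name__ == "__main__":
    hits, overflows = triage(SAMPLE_LOG)
    print("requests to risky extensions:", hits)
    print("probable .htr overflow attempts from:", overflows)
```

Any hit on a production server that serves no .HTR pages is worth investigating, and a non-empty result from remaining_risky_maps means the workaround described above has not been applied.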


Nevertheless, not everything is as black or white as it looks. On none of our Windows NT 4.0 servers did we manage to use the security hole to launch the NetCat software; the only thing that always succeeded 100% was the DoS on inetinfo.exe (it crashes without Dr. Watson or any other sign of a crash). After that NCX99.EXE does get downloaded, but it does not run. The binary code implanted thanks to the buffer overflow simply does not work. Why is that? Probably the surrounding environment is different (it could easily be the effect of the Czech locale or anything else). That changes nothing about the fact that someone can very certainly "touch up" the code so that it works on Czech servers as well.


Microsoft Security Bulletin (MS99-019)

Workaround Available for "Malformed HTR Request" Vulnerability

Originally Posted: June 15, 1999

Summary
Microsoft has released a patch that eliminates a vulnerability in Microsoft® Internet Information Server 4.0. The vulnerability could allow denial of service attacks against an IIS server or, under certain conditions, could allow arbitrary code to be run on the server.

Microsoft has issued this bulletin to advise customers of steps they can take to protect themselves against this vulnerability. A patch to eliminate this vulnerability is being developed, and an update to this bulletin will be released to advise customers when it is available.

Issue
IIS supports several file types that require server-side processing. When a web site visitor requests a file of one of these types, an appropriate filter DLL processes it. A vulnerability exists in ISM.DLL, the filter DLL that processes .HTR files. HTR files enable remote administration of user passwords.

The vulnerability involves an unchecked buffer in ISM.DLL. This poses two threats to safe operation. The first is a denial of service threat. A malformed request for an .HTR file could overflow the buffer, causing IIS to crash. The server would not need to be rebooted, but IIS would need to be restarted. The second threat would be more difficult to exploit. A carefully-constructed file request could cause arbitrary code to execute on the server via a classic buffer overrun technique. Neither scenario could occur accidentally. This vulnerability does not involve the functionality of the password administration features of .HTR files.

While there are no reports of customers being adversely affected by this vulnerability, Microsoft is proactively releasing this bulletin to allow customers to take appropriate action to protect themselves against it.

Affected Software Versions

  • Microsoft Internet Information Server 4.0

What Microsoft is Doing
Microsoft has provided a workaround that fixes the problem identified. The workaround is discussed below in What Customers Should Do.

Microsoft also has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service. See The Microsoft Product Security Notification Service for more information about this free customer service.

What Customers Should Do
Microsoft highly recommends that customers disable the script mapping for .HTR files as follows:

  1. From the desktop, start the Internet Service Manager by clicking Start | Programs | Windows NT 4.0 Option Pack | Microsoft Internet Information Server | Internet Service Manager
  2. Double-click "Internet Information Server"
  3. Right-click on the computer name and select Properties
  4. In the Master Properties drop-down box, select "WWW Service", then click the "Edit" button
  5. Click the "Home Directory" tab, then click the "Configuration" button
  6. Highlight the line in the extension mappings that contains ".HTR", then click the "Remove" button.
  7. Respond "yes" to "Remove selected script mapping?", click OK 3 times, then close ISM.

A patch will be available shortly to eliminate the vulnerability altogether. Customers should monitor http://www.microsoft.com/security for an announcement when the patches are available.

Microsoft recommends that customers review the IIS Security Checklist at http://www.microsoft.com/security/products/iis/CheckList.asp

More Information
Please see the following references for more information related to this issue.

Obtaining Support on this Issue
If you require technical assistance with this issue, please contact Microsoft Technical Support. For information on contacting Microsoft Technical Support, please see http://support.microsoft.com/support/contact/default.asp.

Revisions

  • June 15, 1999: Bulletin Created.

For additional security-related information about Microsoft products, please visit http://www.microsoft.com/security


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

-Daniel Dočekal