Penetration Testing mailing list archives
Re: Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability
From: Gerardo Richarte <core.lists.pentest () corest com>
Date: Fri, 21 Mar 2003 12:24:56 -0300
Frank Knobbe wrote:
However, those same folks said that it is not the LOCK method that is vulnerable, but in fact only the GET method. I heard reports from guys who just couldn't make WebDAV crash with GET, but didn't have a problem with SEARCH and PROPFIND. Personally, I'm wondering if ISS was just spreading misinformation to confuse the potential worm-writers, but I'm not making any such accusation. (Misinformation wouldn't be effective anyway. But then again, neither is holding back the details for a sig, but explaining how it works...:/ )
Indeed, the problem is not in GET nor SEARCH nor LOCK nor any other method. AFAIK.

While writing the exploit, and heavily basing our work on Renaud's nessus script (thanks Renaud)
http://cvs.nessus.org/cgi-bin/cvsweb.cgi/~checkout~/nessus-plugins/scripts/iis_webdav_overflow.nasl
we found out that the problem is not in the method, it's rather in the embedded SQL sentence:

    ...
    '<g:sql>\r\n' +
    'Select "DAV:displayname" from scope()\r\n' +
    '</g:sql>\r\n' +
    ...

the function scope() somehow is resolved to the Unicode string scope('"c:\inetpub\wwwroot\AAAAAAAAAAAA... (I think it's not unicode but rather just wchars, UTF-16, or whatever its official name is) and this is what's causing the overflow actually... well... I think... mmm... let me try something... well... for us, it's not crashing with GET nor LOCK nor PROPFIND nor XXX... only with SEARCH, but, I bet the tests were too fast to be correct. I'll try again later today, and if there is any change I'll let you know.

So, being that the problem is present when using an SQL statement calling scope(), I wonder how many other ways there are to call an SQL statement (only SEARCH, or all the other methods also... or does IIS care about the method at all?). Is there another vuln function like scope is? [apparently scope is calling "strcat()" on a wchar string]. Is there another way to force the problem in ntdll.dll without even having to send 64k bytes of data? (and just create an SQL statement that will generate 64K of data)... who knows... is the patch correct at all? heh, who knows... what's the patch patching?

more $0.02 to the piggy bank

    gera

--- for a personal reply use: gera () corest com
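A defender-side illustration of the point gera makes above, that the HTTP method may not matter, added here as an example that is not part of the original thread, of CORE's exploit, or of the nessus script: a small Python triage script that inspects captured WebDAV requests and keys on the length of the request-URI (the path that scope() expands to) and on the presence of an SQL body calling scope(), rather than on whether the method is GET, LOCK or SEARCH. The threshold value, the sample requests and every function name are constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed threshold (not from the thread): the thread mentions roughly 64K
# bytes of data being needed, so flagging URIs well below that also catches
# probing and partial attempts.
URI_LENGTH_THRESHOLD = 4096

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")
SQL_BLOCK = re.compile(r"<g:sql>(.*?)</g:sql>", re.S | re.I)
SCOPE_CALL = re.compile(r"\bscope\s*\(", re.I)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.x request into (method, uri, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP request line: %r" % lines[0][:40])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers, body


def inspect_request(raw: str) -> Optional[Tuple[str, List[str]]]:
    """Return (severity, reasons) for a suspicious request, or None.

    The heuristic deliberately ignores the HTTP method: what drives the
    overflow is how long the path that scope() resolves to becomes, so a
    signature keyed on LOCK or GET alone would miss the SEARCH variant.
    """
    method, uri, _headers, body = parse_request(raw)
    reasons: List[str] = []
    oversized = len(uri) > URI_LENGTH_THRESHOLD
    calls_scope = any(SCOPE_CALL.search(sql) for sql in SQL_BLOCK.findall(body))

    if oversized:
        reasons.append("%s request-URI is %d chars (threshold %d)"
                       % (method, len(uri), URI_LENGTH_THRESHOLD))
    if oversized and calls_scope:
        reasons.append("SQL body calls scope() against the oversized URI")
        return "high", reasons
    if oversized:
        return "medium", reasons
    # A scope() query against a short URI is ordinary WebDAV SEARCH usage.
    return None


def scan_requests(requests: List[str]) -> List[Tuple[int, str]]:
    """Run inspect_request over a capture; return (index, severity) hits."""
    hits: List[Tuple[int, str]] = []
    for i, raw in enumerate(requests):
        result = inspect_request(raw)
        if result is not None:
            hits.append((i, result[0]))
    return hits


# Constructed sample capture (not real traffic): the SQL body is the one
# quoted in the thread, the long path stands in for the AAAA... string.
SQL_BODY = ('<?xml version="1.0"?>\r\n'
            '<g:searchrequest xmlns:g="DAV:">\r\n'
            '<g:sql>\r\n'
            'Select "DAV:displayname" from scope()\r\n'
            '</g:sql>\r\n'
            '</g:searchrequest>\r\n')
LONG_PATH = "/" + "A" * 70000  # far beyond the assumed threshold

SAMPLE_REQUESTS = [
    "SEARCH %s HTTP/1.1\r\nHost: webdav-host.example\r\n"
    "Content-Type: text/xml\r\n\r\n%s" % (LONG_PATH, SQL_BODY),
    "GET %s HTTP/1.1\r\nHost: webdav-host.example\r\n\r\n" % LONG_PATH,
    "SEARCH /docs/ HTTP/1.1\r\nHost: webdav-host.example\r\n"
    "Content-Type: text/xml\r\n\r\n%s" % SQL_BODY,
    "GET /index.html HTTP/1.1\r\nHost: webdav-host.example\r\n\r\n",
]

if __name__ == "__main__":
    for idx, severity in scan_requests(SAMPLE_REQUESTS):
        print(idx, severity, inspect_request(SAMPLE_REQUESTS[idx])[1])
```

Run as-is it reports the SEARCH-with-scope() request as "high" and the bare GET with the same oversized path as "medium", while the ordinary SEARCH against a short path is left alone. The script is a triage heuristic for proxy or IDS captures; it is no substitute for the vendor fix or for not exposing WebDAV where it is not needed.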
Current thread:
- Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability Gary O'leary-Steele (Mar 18)
- Re: Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability Nicolas Gregoire (Mar 18)
- RE: Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability Curt Purdy (Mar 18)
- <Possible follow-ups>
- RE: Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability Royans Tharakan (Mar 18)
- Re: Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability Renaud Deraison (Mar 19)
- RE: Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability Rob Shein (Mar 19)
- RE: Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability Royans Tharakan (Mar 19)
- RE: Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability Frank Knobbe (Mar 19)
- Re: Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability Gerardo Richarte (Mar 21)
- RE: Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability Frank Knobbe (Mar 19)
- RE: Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability Aleksander P. Czarnowski (Mar 19)
- RE: Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability Noonan, Wesley (Mar 19)
- RE: Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability Florian Hines (Mar 19)
- Re: Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability Dave Aitel (Mar 20)
- Re: Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability Nicolas Gregoire (Mar 18)