Source: http://aluigi.org/adv/snabase_1-adv.txt

#######################################################################

                             Luigi Auriemma

Application:  Microsoft Host Integration Server
              http://www.microsoft.com/biztalk/en/us/host-integration.aspx?pf=true
Versions:     <= 8.5.4224.0
Platforms:    Windows
Bugs:         various Denial of Service vulnerabilities
Exploitation: remote, versus server
Date:         11 Apr 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's website:
"Microsoft Host Integration Server technologies and tools enable
enterprise organizations to integrate existing IBM host systems,
programs, messages and data with new Microsoft server applications."

#######################################################################

=======
2) Bugs
=======

The following are only Denial of Service vulnerabilities and there are
for sure some others but sincerely who cares?
Just for quick reference...

A]
--

Endless loop affecting all the services that use the TCP protocol, so
snabase.exe on port 1478, all the snalink.exe instances on their
dynamic ports, snaservr.exe, mngagent.exe and so on.
The cause is "word[packet] - 2", which forces the continuous parsing of
the same data.

The following bugs instead affect only the UDP protocol used by
snabase.exe listening on port 1478. When this service terminates, the
others depending on it, like snalink and mngagent, terminate too.

B]
--

  0101FAC7  |> 0FB785 E0FEFF>|MOVZX EAX,WORD PTR SS:[EBP-120]
  0101FACE  |. 6BC0 37       |IMUL EAX,EAX,37
  0101FAD1  |. 8B8D DCFEFFFF |MOV ECX,DWORD PTR SS:[EBP-124]
  0101FAD7  |. 8D1C08        |LEA EBX,DWORD PTR DS:[EAX+ECX]
  0101FADA  |. 8D73 0E       |LEA ESI,DWORD PTR DS:[EBX+E]
  0101FADD  |. 89B5 D8FEFFFF |MOV DWORD PTR SS:[EBP-128],ESI
  0101FAE3  |. 6A 0F         |PUSH 0F
  0101FAE5  |. 59            |POP ECX
  0101FAE6  |. 8B3D FC690301 |MOV EDI,DWORD PTR DS:[10369FC]
  0101FAEC  |. 83C7 14       |ADD EDI,14
  0101FAEF  |. 33C0          |XOR EAX,EAX
  0101FAF1  |. F3:A6         |REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS>  ; unallocated memory

The crash is caused by the attempt to access the unallocated memory
located after the packet, which is at most 0x1ee bytes long.

C]
--

A UDP packet longer than 0x1ee bytes blocks the reception of any other
UDP packet.

D]
--

Endless loop and crash:

  0101AF0D  /$ 8BFF          MOV EDI,EDI
  0101AF0F  |. 55            PUSH EBP
  0101AF10  |. 8BEC          MOV EBP,ESP
  0101AF12  |. 33D2          XOR EDX,EDX
  0101AF14  |. 3955 0C       CMP DWORD PTR SS:[EBP+C],EDX
  0101AF17  |. 74 1E         JE SHORT 0101AF37
  0101AF19  |. 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
  0101AF1C  |. 56            PUSH ESI
  0101AF1D  |> 0FB748 02     /MOVZX ECX,WORD PTR DS:[EAX+2]   ; unallocated memory
  0101AF21  |. 8B70 04       |MOV ESI,DWORD PTR DS:[EAX+4]
  0101AF24  |. 03D1          |ADD EDX,ECX
  0101AF26  |. 0FB7C9        |MOVZX ECX,CX
  0101AF29  |. F7D6          |NOT ESI
  0101AF2B  |. 2175 0C       |AND DWORD PTR SS:[EBP+C],ESI
  0101AF2E  |. 03C1          |ADD EAX,ECX
  0101AF30  |. 837D 0C 00    |CMP DWORD PTR SS:[EBP+C],0
  0101AF34  |.^ 75 E7        \JNZ SHORT 0101AF1D               ; controlled cycle
  0101AF36  |. 5E            POP ESI
  0101AF37  |> 0FB7C2        MOVZX EAX,DX
  0101AF3A  |. 5D            POP EBP
  0101AF3B  \. C2 0800       RETN 8

E]
--

  67489374  |. 83C4 0C       ADD ESP,0C
  67489377  |. 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
  6748937A  |. 83C0 2C       ADD EAX,2C
  6748937D  |. 50            PUSH EAX
  6748937E  |. 68 05010000   PUSH 105
  67489383  |. 8B45 E8       MOV EAX,DWORD PTR SS:[EBP-18]
  67489386  |. 05 29010000   ADD EAX,129
  6748938B  |. 50            PUSH EAX
  6748938C  |. FF15 88124467 CALL DWORD PTR DS:[<&MSVCR80.strcat_s>]  ; MSVCR80.strcat_s

Exception if the string is too big.

F]
--

Forced termination:
"Error: Primary Host Integration Server computer already running in ???"

G]
--

  6748A73F  . 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
  6748A742  . 83C0 03        ADD EAX,3
  6748A745  . 50             PUSH EAX
  6748A746  . 6A 10          PUSH 10
  6748A748  . 68 F0F04F67    PUSH 674FF0F0
  6748A74D  . FF15 38134467  CALL DWORD PTR DS:[<&MSVCR80.strcpy_s>]

If the string is longer than 0x10 bytes, the server raises an exception
and terminates.

H]
--

  606CC91A  68 1C010000      PUSH 11C
  606CC91F  6A 40            PUSH 40                                   ; allocate 0x40 bytes
  606CC921  FF15 30106C60    CALL DWORD PTR DS:[<&KERNEL32.LocalAlloc>  ; kernel32.LocalAlloc
  606CC927  8945 E4          MOV DWORD PTR SS:[EBP-1C],EAX
  606CC92A  837D E4 00       CMP DWORD PTR SS:[EBP-1C],0
  606CC92E  0F84 D8000000    JE 606CCA0C
  606CC934  FF75 08          PUSH DWORD PTR SS:[EBP+8]                 ; our string
  606CC937  6A 10            PUSH 10                                   ; max size
  606CC939  8B45 E4          MOV EAX,DWORD PTR SS:[EBP-1C]
  606CC93C  83C0 0C          ADD EAX,0C
  606CC93F  50               PUSH EAX                                  ; destination
  606CC940  FF15 5C116C60    CALL DWORD PTR DS:[<&MSVCR80.strcpy_s>]   ; MSVCR80.strcpy_s

If the string is longer than 0x10 bytes, the server raises an exception
and terminates.

I]
--

The opcode 0x02 allows the use of an arbitrary MessageId argument in
FormatMessage, causing a crash through the values 0x11 and 0x26:

  _snwprintf(buffer, buffer_size, "%hs", (char *)9);

J]
--

memcmp crash caused by accessing unallocated memory after the packet.

K (maybe)]
----------

snabase allows starting an existing service and even passing parameters
to it through a packet with opcode 0x04.
Normally this is not an issue because the server runs as an unprivileged
user (if you assign Administrator as "Service credential" the
configurator of the installer will ask for confirmation) and as far as I
know the HIS services don't use arguments.
Anyway, in some particular conditions or if the Administrator
credentials have been used, this feature may be "interesting".
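To make the D] loop concrete, here is an added C reconstruction of it next to a bounds-checked rewrite showing the check the listing lacks; this is not code from the advisory or from Microsoft, and the element layout (16-bit length at offset 2, 32-bit mask at offset 4, 8-byte minimum element) is an assumption read off the listing above.

```c
#include <stddef.h>
#include <stdint.h>
/* Element layout assumed from the D] listing: 16-bit length at +2, 32-bit
 * flag mask at +4, so a fully readable element is at least 8 bytes. */
#define ELEM_LEN_OFF  2
#define ELEM_MASK_OFF 4
#define ELEM_MIN_LEN  8

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8
                                              | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Reconstruction of the loop at 0101AF1D..0101AF34: clear each element's bits
 * from 'wanted' and advance by its length until no wanted bit is left. The
 * packet size is never consulted, so a zero-length element spins forever and a
 * bit no element clears reads past the packet. Only safe on well-formed input. */
uint16_t walk_unchecked(const uint8_t *p, uint32_t wanted)
{
    uint16_t total = 0;
    if (wanted == 0) return 0;
    do {
        uint16_t len = rd16(p + ELEM_LEN_OFF);
        wanted &= ~rd32(p + ELEM_MASK_OFF);
        total += len;
        p += len;
    } while (wanted != 0);
    return total;
}

/* Hardened rewrite: every read stays inside pkt_len, an element shorter than
 * its header (length 0 included) is rejected, and running out of packet with
 * bits still wanted fails. Returns -1 on malformed input, else the summed length. */
int32_t walk_checked(const uint8_t *pkt, size_t pkt_len, uint32_t wanted)
{
    size_t off = 0;
    uint32_t total = 0;
    while (wanted != 0) {
        if (pkt_len - off < ELEM_MIN_LEN) return -1;
        uint16_t len = rd16(pkt + off + ELEM_LEN_OFF);
        if (len < ELEM_MIN_LEN || len > pkt_len - off) return -1;
        wanted &= ~rd32(pkt + off + ELEM_MASK_OFF);
        total += len;
        off += len;
    }
    return (int32_t)total;
}
/* Constructed samples: two elements (10 and 8 bytes) whose masks cover bits
 * 0..2, and one element whose length field is 0. */
const uint8_t SAMPLE_OK[] = { 0x01,0x00, 0x0A,0x00, 0x01,0x00,0x00,0x00, 0xAA,0xBB,
                              0x02,0x00, 0x08,0x00, 0x06,0x00,0x00,0x00 };
const uint8_t SAMPLE_ZERO_LEN[] = { 0x00,0x00, 0x00,0x00, 0x01,0x00,0x00,0x00 };
```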
#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/snabase_1.zip
http://www.exploit-db.com/sploits/17159.zip

A]
  nc SERVER PORT < snabase_1a.dat

others]
  nc SERVER 1478 -u < snabase_1?.dat

Note that the pre-built packet files use the fixed destination name
VBOX, so change the string in the packets to match the real target
machine or domain name.

Note that snabase_1k.dat must be customized to work: service name,
optional arguments, and remember to change at least one char of the
string at offset 3 each time, or the packet will be ignored if it
contains the same string as the previous one.

#######################################################################

======
4) Fix
======

No fix.

#######################################################################