Analysis of the remote overflow in the Windows Workstation Service


Created: 2003-11-17 Updated: 2003-11-18

Article type: reprint

Submitted by: L0PHT (anonymous_at_21cn.com)


By snake, Snake@cnns.net

Company Page:

http://www.cnns.net

Preface: On November 11 the well-known security organization eEye Digital Security (http://www.eeye.com) published on its site its discovery of a buffer overflow flaw in the Windows Workstation service. The flaw sits in a basic service that runs by default on most Windows operating systems; it can be exploited remotely, and the associated TCP ports are 139 and 445. The announcement of this flaw is one more blow to the security of the Windows operating system in an already eventful season. However, as "attack is the best test of network security", the serious flaws in each operating system, the attack code that exploits them and the worms that follow force vendors to release security fixes faster, and security improves as a result. This cycle of attack and defence accompanies the life cycle of every mainstream operating system.

This paper is a step-by-step analysis by the CNNS R&D department of the attack and exploitation technique for this flaw, offered for professional reference. It was written in a hurry; if there are mistakes or omissions, please write to snake@cnns.net.

///

On November 11 eEye announced that Windows Workstation, another basic Microsoft service, contains a serious, attackable vulnerability.

This article analyzes step by step how this vulnerability can be exploited.

According to the information eEye disclosed, the vulnerability is in a vsprintf call in WKSSVC.DLL; presumably the length of the input buffer is not checked. The function NetValidateName can be used to reach it directly.

The test environment is as follows:

Client: Win2K. Establish an IPC$ connection to the server, then call NetValidateName to trigger the overflow. The specific sample code is not posted here; it has already been published on PacketStorm and other sites.

Server: the target (Simplified Chinese Win2K SP3).

Open WinDbg and trace the related functions. The call starts in rpcrt4.dll NdrServerCall2; there is no time to examine and digest that here, so skip it and keep following.

Then come several calls, including NdrServerInitializeNew, NdrPointerUnmarshall and NdrConformantStringUnmarshall; these can also be ignored. Keep tracing... the machine has actually restarted N times by now, but that does not matter, it is a virtual machine. :)

Below is an analysis of the faulting function. Some initialization is omitted; in short, the error is here, and the exploitation also happens when this function returns.

.text:76724CD7 ; int __stdcall sub_76724CD7(HANDLE hFile, int, int)
.text:76724CD7 sub_76724CD7    proc near               ; CODE XREF: sub_76724DB5+20p
.text:76724CD7
.text:76724CD7 var_81A         = byte ptr -81Ah
.text:76724CD7 var_819         = byte ptr -819h
.text:76724CD7 Buffer          = byte ptr -818h
.text:76724CD7 var_817         = byte ptr -817h
.text:76724CD7 NumberOfBytesWritten = dword ptr -14h
.text:76724CD7 SystemTime      = _SYSTEMTIME ptr -10h
.text:76724CD7 hFile           = dword ptr  8
.text:76724CD7 arg_4           = dword ptr  0Ch
.text:76724CD7 arg_8           = dword ptr  10h
.text:76724CD7
.text:76724CD7                 push    ebp
.text:76724CD8                 mov     ebp, esp
.text:76724CDA                 sub     esp, 818h       ; !! only 0x818 = 2072 bytes are reserved for all locals
.text:76724CE0                 cmp     [ebp+hFile], 0  ; is the file handle valid?
.text:76724CE4                 jz      locret_76724DB1 ; if not, return
.text:76724CEA                 push    edi
.text:76724CEB                 mov     edi, offset unk_76727C60
.text:76724CF0                 push    esi
.text:76724CF1                 push    edi             ; lpCriticalSection
.text:76724CF2                 call    ds:EnterCriticalSection ; enter the critical section
.text:76724CF8                 xor     esi, esi
.text:76724CFA                 cmp     dword_76727A3C, esi ; should the timestamp be printed?
.text:76724D00                 jz      short loc_76724D3C
.text:76724D02                 lea     eax, [ebp+SystemTime] ; format the timestamp string
.text:76724D05                 push    eax             ; lpSystemTime
.text:76724D06                 call    ds:GetLocalTime
.text:76724D0C                 movzx   eax, [ebp+SystemTime.wSecond]
.text:76724D10                 push    eax
.text:76724D11                 movzx   eax, [ebp+SystemTime.wMinute]
.text:76724D15                 push    eax
.text:76724D16                 movzx   eax, [ebp+SystemTime.wHour]
.text:76724D1A                 push    eax
.text:76724D1B                 movzx   eax, [ebp+SystemTime.wDay]
.text:76724D1F                 push    eax
.text:76724D20                 movzx   eax, [ebp+SystemTime.wMonth]
.text:76724D24                 push    eax
.text:76724D25                 lea     eax, [ebp+Buffer]
.text:76724D2B                 push    offset a02u02u02u02u02 ; "%02u/%02u %02u:%02u:%02u"
.text:76724D30                 push    eax
.text:76724D31                 call    ds:sprintf      ; first, format the time string ...
.text:76724D37                 add     esp, 1Ch
.text:76724D3A                 mov     esi, eax
.text:76724D3C
.text:76724D3C loc_76724D3C:                           ; CODE XREF: sub_76724CD7+29j
.text:76724D3C                 push    [ebp+arg_8]
.text:76724D3F                 lea     eax, [ebp+esi+Buffer] ; output buffer address, i.e. ebp-0x818+esi,
.text:76724D3F                                         ; where esi is the adjusted output pointer: if the
.text:76724D3F                                         ; timestamp was printed, esi = length of the time
.text:76724D3F                                         ; string, otherwise esi = 0
.text:76724D46                 push    [ebp+arg_4]     ; the format string here is:
.text:76724D46                                         ; "NetpValidateName: Checking to see if '%ws' is valid as type %d name."
.text:76724D46                                         ;
.text:76724D46                                         ; *** note the %ws and %d parameters.
.text:76724D46                                         ; %ws ... the conversion is a bit troublesome, but there is still a way.
.text:76724D49                 push    eax
.text:76724D4A                 call    ds:vsprintf     ; the overflow happens here
.text:76724D50                 add     esp, 0Ch
.text:76724D53                 add     esi, eax        ; if esi+eax == 0 (nothing was output) clear the flag
.text:76724D55                 jz      short loc_76724D6D
.text:76724D57                 cmp     [ebp+esi+var_819], 0Ah ; ... not clear why this check is needed: it tests
.text:76724D57                                         ; whether the last byte written is a newline and sets the flag accordingly
.text:76724D5F                 jnz     short loc_76724D6D
.text:76724D61                 mov     dword_76727A3C, 1
.text:76724D6B                 jmp     short loc_76724D78
.text:76724D6D ; ---------------------------------------------------------------------------
.text:76724D6D
.text:76724D6D loc_76724D6D:                           ; CODE XREF: sub_76724CD7+7Ej
.text:76724D6D                                         ; sub_76724CD7+88j
.text:76724D6D                 xor     eax, eax
.text:76724D6F                 test    eax, eax
.text:76724D71                 mov     dword_76727A3C, eax
.text:76724D76                 jz      short loc_76724D91
.text:76724D78
.text:76724D78 loc_76724D78:                           ; CODE XREF: sub_76724CD7+94j
.text:76724D78                 mov     [ebp+esi+var_819], 0Dh ; turn the trailing newline of the output
.text:76724D78                                         ; buffer into CR/LF, cute
.text:76724D80                 mov     [ebp+esi+Buffer], 0Ah
.text:76724D88                 and     [ebp+esi+var_817], 0
.text:76724D90                 inc     esi
.text:76724D91
.text:76724D91 loc_76724D91:                           ; CODE XREF: sub_76724CD7+9Fj
.text:76724D91                 lea     eax, [ebp+NumberOfBytesWritten]
.text:76724D94                 push    0               ; lpOverlapped
.text:76724D94                                         ; the file write happens here. note that the 4th
.text:76724D94                                         ; parameter of WriteFile, lpNumberOfBytesWritten,
.text:76724D94                                         ; is at ebp-14h, inside Buffer, so that spot gets
.text:76724D94                                         ; overwritten; if shellcode is placed there, be
.text:76724D94                                         ; careful, this location is data.
.text:76724D96                 push    eax             ; lpNumberOfBytesWritten
.text:76724D97                 lea     eax, [ebp+Buffer]
.text:76724D9D                 push    esi             ; nNumberOfBytesToWrite
.text:76724D9E                 push    eax             ; lpBuffer
.text:76724D9F                 push    [ebp+hFile]     ; hFile
.text:76724DA2                 call    ds:WriteFile
.text:76724DA8                 push    edi             ; lpCriticalSection
.text:76724DA9                 call    ds:LeaveCriticalSection ; LeaveCriticalSection here. fortunately the
.text:76724DA9                                         ; parameter edi has not been changed, otherwise
.text:76724DA9                                         ; attacking would be much more troublesome.
.text:76724DAF                 pop     esi
.text:76724DB0                 pop     edi
.text:76724DB1
.text:76724DB1 locret_76724DB1:                        ; CODE XREF: sub_76724CD7+Dj
.text:76724DB1                 leave
.text:76724DB2                 retn    0Ch             ; OK, the function returns and, hey, it executes our shellcode
.text:76724DB2 sub_76724CD7    endp
.text:76724DB2
.text:76724DB5

As analyzed above, the program formats with vsprintf; the %ws parameter is filled from the second parameter of NetValidateName, which is the input. After formatting, the output is written onto the stack, and when the content is too long a stack overflow occurs.

Now let us analyze the possibilities for attack.

1. This function begins by checking the validity of the file handle: if %windir%\debug\netsetup.log cannot be opened, the function does not run at all. So when the overflow is triggered on the server, the account used for the connection must have permission to open that file; without that permission the following attack cannot be carried out, unless the server's permissions are set incorrectly or the file system is FAT32, which has no permissions. Heh heh...

2. When the input is not very long, a stack overflow occurs: as long as the overflow point (probably at 0x818-12) is filled with the address of a JMP ESP and the shellcode is written after it, the code runs.

3. When the input is long, it triggers Windows structured exception handling. If the data is large enough, the exception structure is overwritten and the jump can also be achieved, but this is more dangerous: a second overflow would find the critical section, entered at the start of the function, still held, since it is not released on this path.

4. The second parameter of NetValidateName, the input buffer, is Unicode; when vsprintf handles it as %ws it is converted back to an ANSI string. The vsprintf called here is the function of that name in MSVCRT.DLL, not the one in the libc standard library. This vsprintf is not 100% reliable when converting; tracing it shows that it calls the wctomb function. In the end, even when a character can be converted, the final output may be 0. Standard visible strings convert fine, but multi-byte language data does not. That is, the executed code can only be limited to visible characters; how to construct the rest remains to be seen and needs detailed research. (Conclusion: a multilingual, generic attack code still has a relatively long way to go...)

5. The input data at offset 0x818 - 12 - 0x14 - strlen("NetpValidateName: Checking to see if '") in the buffer will be overwritten by WriteFile's lpNumberOfBytesWritten parameter, so take care that the shellcode is not destroyed.

6. If the shellcode calls ExitThread after it executes, this attack should be repeatable without limit...

In short, a lot has been analyzed, and a specific generic attack procedure is only a matter of time. There seem to be no further technical difficulties or tricks, so there is nothing more to say. I hope that the experts who have already implemented it publish attack tools and code cautiously. This article is only an analysis from the technical perspective. This "garbage code" is actually relatively easy to protect: just change the vsprintf into vsnprintf to avoid this kind of problem! eEye has an attack method via NetAddAlternateComputerName that works on NTFS. I have not looked at it; it can be done on XP, there is no such function on 2K, and I do not know whether XP can attack 2K... I will get to it when I have time.
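A bounded reconstruction of the logging routine, added here as an example (not the page's own code and not Microsoft's): it keeps the same 0x818-byte buffer, optional timestamp prefix and CR/LF handling as the listing, but replaces sprintf/vsprintf with the bounded snprintf/vsnprintf the author recommends, and drops a line that does not fit instead of writing past the buffer. The format string uses %s in place of the Windows-specific %ws, the time value is a constructed constant, and all function and buffer names are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 0x818   /* the same 2072-byte stack buffer as in the listing */

/* Bounded replacement for the listing's sprintf+vsprintf pair. Returns the
 * number of bytes placed in buf (excluding the NUL), or -1 if the line would
 * not fit, in which case it is dropped instead of overflowing the buffer. */
int format_log_line(char *buf, size_t bufsz, int print_time, const char *fmt, ...)
{
    size_t used = 0;
    int n;
    va_list ap;
    if (print_time) {
        /* the listing formats "%02u/%02u %02u:%02u:%02u" first; a fixed,
         * constructed time is used here so the output is deterministic */
        n = snprintf(buf, bufsz, "%02u/%02u %02u:%02u:%02u ", 11u, 17u, 9u, 30u, 0u);
        if (n < 0 || (size_t)n >= bufsz) return -1;
        used = (size_t)n;
    }
    va_start(ap, fmt);
    n = vsnprintf(buf + used, bufsz - used, fmt, ap);   /* never writes past buf+bufsz */
    va_end(ap);
    if (n < 0 || (size_t)n >= bufsz - used) return -1;  /* would be truncated: refuse */
    used += (size_t)n;
    if (used + 3 > bufsz) return -1;                    /* room for CR, LF and NUL */
    if (used > 0 && buf[used - 1] == '\n') used--;      /* "\n" becomes "\r\n", as in the listing */
    buf[used++] = '\r';
    buf[used++] = '\n';
    buf[used] = '\0';
    return (int)used;
}

/* Scenario helpers with the format string shown in the listing (%s instead of
 * %ws), once with a normal name and once with an oversized constructed name
 * that the original vsprintf would have spilled onto the stack. */
static const char *kFmt =
    "NetpValidateName: Checking to see if '%s' is valid as type %d name.\n";
char g_logbuf[LOG_BUF_SIZE];

int log_short_name(void)
{
    return format_log_line(g_logbuf, sizeof g_logbuf, 0, kFmt, "WORKSTATION", 1);
}

int log_long_name(void)
{
    char name[0x1000];                    /* 4095 'A's: far longer than the buffer */
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return format_log_line(g_logbuf, sizeof g_logbuf, 1, kFmt, name, 1);
}
```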

*** Postscript ***

I really don't know how to evaluate this vulnerability. Microsoft's Server and Workstation services provide very powerful features, yet contain such serious vulnerabilities... Frightening. One should be careful when writing programs, especially widely used ones.

snake, 2003/11/17, morning
