Microsoft Host Integration Server 8.5.4224.0 – Denial of Service

  • Author: Luigi Auriemma
    Date: 2011-04-12
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/17159/
  • Source: http://aluigi.org/adv/snabase_1-adv.txt
    
    #######################################################################
    
     Luigi Auriemma
    
    Application:  Microsoft Host Integration Server
                  http://www.microsoft.com/biztalk/en/us/host-integration.aspx?pf=true
    Versions:     <= 8.5.4224.0
    Platforms:    Windows
    Bugs:         various Denial of Service vulnerabilities
    Exploitation: remote, versus server
    Date:         11 Apr 2011
    Author:       Luigi Auriemma
    e-mail:       aluigi@autistici.org
    web:          aluigi.org
    
    
    #######################################################################
    
    
    1) Introduction
    2) Bugs
    3) The Code
    4) Fix
    
    
    #######################################################################
    
    ===============
    1) Introduction
    ===============
    
    
    From vendor's website:
    "Microsoft Host Integration Server technologies and tools enable
    enterprise organizations to integrate existing IBM host systems,
    programs, messages and data with new Microsoft server applications."
    
    
    #######################################################################
    
    =======
    2) Bugs
    =======
    
    
    The following are only Denial of Service vulnerabilities, and there are
    surely others, but sincerely who cares?
    Just for quick reference...
    
    
    A]
    --
    Endless loop affecting all the services that use the TCP protocol:
    snabase.exe on port 1478, all the snalink.exe instances on their dynamic
    ports, snaservr.exe, mngagent.exe and so on.
    The cause is the "word[packet] - 2" length computation, which forces the
    continuous parsing of the same data.
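As an added illustration (not code from the advisory or from HIS), the pattern behind bug A: a record walker that steps by the payload size "word - 2" instead of the full record length, so a length field of 2 never advances, next to a hardened walker that validates every length before stepping. The record format and the sample packets are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed record format (an assumption, not the real HIS protocol): a 16-bit
 * big-endian total length that counts itself, then payload; records are packed. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable walker: steps by "word - 2" (the payload size) and forgets the 2-byte
 * header. A length field of 2 therefore advances 0 bytes and the same data is
 * parsed forever; max_iter exists only so the demo terminates. */
static int walk_vulnerable(const uint8_t *buf, size_t len, int max_iter)
{
    size_t off = 0;
    int iter = 0;
    while (off + 2 <= len && iter < max_iter) {
        int adv = (int)rd16(buf + off) - 2;   /* "word[packet] - 2" */
        if (adv < 0) return -1;               /* length 0 or 1 would step backwards */
        off += (size_t)adv;
        iter++;
    }
    return iter;                              /* == max_iter when the loop is stuck */
}

/* Hardened walker: a length must cover its own header and fit in what is left, so
 * each iteration advances at least 2 bytes and never reads past len. Returns the
 * record count, or -1 for a malformed packet. */
static int walk_hardened(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int records = 0;
    while (off < len) {
        if (len - off < 2) return -1;         /* truncated length field */
        size_t total = rd16(buf + off);
        if (total < 2 || total > len - off) return -1;  /* underflow or overrun */
        off += total;
        records++;
    }
    return records;
}

/* Constructed sample packets: two valid records, a stuck record, a short one. */
static const uint8_t PKT_GOOD[]  = { 0x00, 0x05, 'A', 'B', 'C', 0x00, 0x03, 'D' };
static const uint8_t PKT_STUCK[] = { 0x00, 0x02, 'A', 'B' };   /* length field 2 */
static const uint8_t PKT_SHORT[] = { 0x00, 0x01, 'A' };        /* length field 1 */
int main(void)
{
    printf("vulnerable/stuck: %d iterations\n", walk_vulnerable(PKT_STUCK, sizeof PKT_STUCK, 1000));
    printf("hardened: good=%d short=%d\n", walk_hardened(PKT_GOOD, sizeof PKT_GOOD),
           walk_hardened(PKT_SHORT, sizeof PKT_SHORT));
    return 0;
}
```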
    
    
    The following bugs instead affect only the UDP protocol used by
    snabase.exe listening on port 1478.
    When this service terminates, the others that depend on it, like
    snalink and msngagent, terminate as well.
    
    B]
    --
    0101FAC7 |> 0FB785 E0FEFF>  MOVZX EAX,WORD PTR SS:[EBP-120]
    0101FACE |. 6BC0 37         IMUL EAX,EAX,37
    0101FAD1 |. 8B8D DCFEFFFF   MOV ECX,DWORD PTR SS:[EBP-124]
    0101FAD7 |. 8D1C08          LEA EBX,DWORD PTR DS:[EAX+ECX]
    0101FADA |. 8D73 0E         LEA ESI,DWORD PTR DS:[EBX+E]
    0101FADD |. 89B5 D8FEFFFF   MOV DWORD PTR SS:[EBP-128],ESI
    0101FAE3 |. 6A 0F           PUSH 0F
    0101FAE5 |. 59              POP ECX
    0101FAE6 |. 8B3D FC690301   MOV EDI,DWORD PTR DS:[10369FC]
    0101FAEC |. 83C7 14         ADD EDI,14
    0101FAEF |. 33C0            XOR EAX,EAX
    0101FAF1 |. F3:A6           REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS>  ; unallocated memory
    
    The crash is caused by the attempt to access the unallocated memory
    located after the packet, which is at most 0x1ee bytes long.
    
    
    C]
    --
    A UDP packet longer than 0x1ee bytes blocks the reception of any
    other UDP packet.
    
    
    D]
    --
    Endless loop and crash:
    0101AF0D /$ 8BFF            MOV EDI,EDI
    0101AF0F |. 55              PUSH EBP
    0101AF10 |. 8BEC            MOV EBP,ESP
    0101AF12 |. 33D2            XOR EDX,EDX
    0101AF14 |. 3955 0C         CMP DWORD PTR SS:[EBP+C],EDX
    0101AF17 |. 74 1E           JE SHORT 0101AF37
    0101AF19 |. 8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
    0101AF1C |. 56              PUSH ESI
    0101AF1D |> 0FB748 02       /MOVZX ECX,WORD PTR DS:[EAX+2]   ; unallocated memory
    0101AF21 |. 8B70 04         |MOV ESI,DWORD PTR DS:[EAX+4]
    0101AF24 |. 03D1            |ADD EDX,ECX
    0101AF26 |. 0FB7C9          |MOVZX ECX,CX
    0101AF29 |. F7D6            |NOT ESI
    0101AF2B |. 2175 0C         |AND DWORD PTR SS:[EBP+C],ESI
    0101AF2E |. 03C1            |ADD EAX,ECX
    0101AF30 |. 837D 0C 00      |CMP DWORD PTR SS:[EBP+C],0
    0101AF34 |.^ 75 E7          \JNZ SHORT 0101AF1D              ; controlled cycle
    0101AF36 |. 5E              POP ESI
    0101AF37 |> 0FB7C2          MOVZX EAX,DX
    0101AF3A |. 5D              POP EBP
    0101AF3B \. C2 0800         RETN 8
    
    
    E]
    --
    67489374 |. 83C4 0C         ADD ESP,0C
    67489377 |. 8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
    6748937A |. 83C0 2C         ADD EAX,2C
    6748937D |. 50              PUSH EAX
    6748937E |. 68 05010000     PUSH 105
    67489383 |. 8B45 E8         MOV EAX,DWORD PTR SS:[EBP-18]
    67489386 |. 05 29010000     ADD EAX,129
    6748938B |. 50              PUSH EAX
    6748938C |. FF15 88124467   CALL DWORD PTR DS:[<&MSVCR80.strcat_s>]  ; MSVCR80.strcat_s
    
    Exception if the string is too long.
    
    
    F]
    --
    Forced termination:
    "Error: Primary Host Integration Server computer already running in ???"
    
    
    G]
    --
    6748A73F  . 8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
    6748A742  . 83C0 03         ADD EAX,3
    6748A745  . 50              PUSH EAX
    6748A746  . 6A 10           PUSH 10
    6748A748  . 68 F0F04F67     PUSH 674FF0F0
    6748A74D  . FF15 38134467   CALL DWORD PTR DS:[<&MSVCR80.strcpy_s>]
    
    If the string is longer than 0x10 bytes the server raises an
    exception and terminates.
    
    
    H]
    --
    606CC91A    68 1C010000     PUSH 11C
    606CC91F    6A 40           PUSH 40                                    ; allocate 0x40 bytes
    606CC921    FF15 30106C60   CALL DWORD PTR DS:[<&KERNEL32.LocalAlloc>] ; kernel32.LocalAlloc
    606CC927    8945 E4         MOV DWORD PTR SS:[EBP-1C],EAX
    606CC92A    837D E4 00      CMP DWORD PTR SS:[EBP-1C],0
    606CC92E    0F84 D8000000   JE 606CCA0C
    606CC934    FF75 08         PUSH DWORD PTR SS:[EBP+8]                  ; our string
    606CC937    6A 10           PUSH 10                                    ; max size
    606CC939    8B45 E4         MOV EAX,DWORD PTR SS:[EBP-1C]
    606CC93C    83C0 0C         ADD EAX,0C
    606CC93F    50              PUSH EAX                                   ; destination
    606CC940    FF15 5C116C60   CALL DWORD PTR DS:[<&MSVCR80.strcpy_s>]    ; MSVCR80.strcpy_s
    
    If the string is longer than 0x10 bytes the server raises an
    exception and terminates.
    
    
    I]
    --
    Opcode 0x02 allows an arbitrary MessageId argument to be passed to
    FormatMessage, causing a crash through the values 0x11 and 0x26:
    _snwprintf(buffer, buffer_size, "%hs", (char *)9);
    
    
    J]
    --
    memcmp crash caused by accessing unallocated memory after the
    packet.
    
    
    K (maybe)]
    ----------
    snabase allows starting an existing service, and even passing
    parameters to it, through a packet with opcode 0x04.
    Normally this is not an issue because the server runs as an
    unprivileged user (if you assign Administrator as "Service
    credential", the installer's configurator asks for confirmation)
    and as far as I know the HIS services don't use arguments.
    Anyway, in some particular conditions, or if the Administrator
    credentials have been used, this feature may be "interesting".
    
    
    #######################################################################
    
    ===========
    3) The Code
    ===========
    
    
    http://aluigi.org/poc/snabase_1.zip
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36211.zip
    
    A]
    nc SERVER PORT < snabase_1a.dat
    
    others]
    nc SERVER 1478 -u < snabase_1?.dat
    
    Note that the pre-built packet files use the fixed destination name
    VBOX, so change the string in the packets to match the real target
    machine or domain name.
    Note that snabase_1k.dat must be customized to work: service name,
    optional arguments, and remember to change at least one char of the
    string at offset 3 each time, or the packet will be ignored if it
    contains the same string as the previous one.
    
    
    #######################################################################
    
    ======
    4) Fix
    ======
    
    
    No fix.
    
    
    #######################################################################