Dinis Cruz
Asp.Net.Vulnerability: Win32 API calls (potential security problems)
Since win32 calls are supported in Asp.Net and cannot be disabled when
the website is running with 'Full trust', it is imperative to identify
all potentially dangerous Win32 DLLs. Here is a short list of the ones
we have identified whose risk needs to be validated and (if required)
for which we need to write test scripts:
- New: CopyMemory, GetCurrentProcess, GetCurrentThread,
GetTokenInformation, GetWindowsInformation, IsNTAdmin,
OpenProcessToken, OpenThreadToken, SendMessage
- Compress: CopyLZFile, LZCopy
- Crypto: CryptGetUserKey, CryptDestroyKey
- Drives: GetLogicalDrives, GetVolumeInformation
- EnvironmentVariables: GetEnvironmentStrings, GetEnvironmentVariable
- Error: RaiseException, ReportFault, SetLastError
- EventLog: OpenEventLog, ClearEventLog, ReportEvent
- Exit: ExitWindowsEx, FatalAppExit, InitiateSystemShutdown,
LockWorkstation
- Files: CopyFile, CreateFile, GetFileAttributes, MoveFile, OpenFile,
ReadFile, SetFileAttributes, SetFilePointer, SHGetFileInfo,
TouchFileTimes, WriteFile, FindFile: FindClose, FindFirstFile,
FindNextFile
- Heap: GetProcessHeap, HeapAlloc, HeapFree
- Hook: CallNextHookEx, SetWindowsHookEx
- ICMP: IcmpCreateFile, IcmpSendEcho
- INI-Files: GetPrivateProfileSection, GetPrivateProfileString
- Internet: FtpGetFile, InternetAttemptConnect, InternetConnect,
InternetOpen, InternetOpenUrl, InternetReadFile,
IsDestinationReachable, IsNetworkAlive, IsValidURL, URLDownloadToFile
- {List Not completed}
Since we are not Win32 API experts (although we did manage to write a
test script for the Kernel32 'WinExec' - see below) we would like to ask
for help from the more serious win32 developers, who will be able to
provide us with much more detailed and accurate information regarding
the 'security risk' posed by each API call.
The following is the code that we use in ANSA to test if a server is
vulnerable.
'****************************************************************
' ANSA:W32_execute_cmd - This test checks if it is possible to execute
' commands on the server using a direct Win32 API call to the
' kernel32 'WinExec' function. For this test to work a copy of 'cmd.exe'
' must be copied to the same directory containing this script
'****************************************************************
<script runat=server>
' Win32 UINT and BOOL are 32-bit, which is Integer in VB.NET (Long is 64-bit)
Declare Function WinExec Lib "kernel32" Alias "WinExec" _
    (ByVal lpCmdLine As String, ByVal nCmdShow As Integer) As Integer
Declare Function CopyFile Lib "kernel32" Alias "CopyFileA" _
    (ByVal lpExistingFileName As String, ByVal lpNewFileName As String, _
     ByVal bFailIfExists As Integer) As Integer

Public Function Run_test(mode)
    ' OK, Critical and low are ANSA result constants defined outside this script
    Dim local_dir, local_copy_of_cmd, Target_copy_of_cmd As String
    Dim errReturn As Integer
    Dim FailIfExists As Integer = 0        ' 0 = overwrite an existing target file
    Dim Cmd_to_execute As String = "dir"
    Try
        ' Directory of this script: PATH_TRANSLATED up to and including the last '\'
        local_dir = Left(Request.ServerVariables("PATH_TRANSLATED"), _
            InStrRev(Request.ServerVariables("PATH_TRANSLATED"), "\"))
        local_copy_of_cmd = local_dir & "cmd.exe"
        Target_copy_of_cmd = Environment.GetEnvironmentVariable("Temp") & "\_test.exe"
        ' Copy CMD.EXE to the temp directory; CopyFile returns 0 on failure
        If CopyFile(local_copy_of_cmd, Target_copy_of_cmd, FailIfExists) = 0 Then
            Throw New Exception("CopyFile failed")
        End If
        ' Execute the command through the copied cmd.exe (10 = SW_SHOWDEFAULT);
        ' WinExec does not raise an exception on failure, it returns a value <= 31
        errReturn = WinExec(Target_copy_of_cmd & " /c " & Cmd_to_execute, 10)
        If errReturn > 31 Then
            Run_test = OK + Critical + " The server allows the remote " & _
                "execution of commands using a direct call to WinExec API!"
        Else
            Run_test = OK + low + "It was not possible to execute commands using cmd.exe"
        End If
    Catch
        Run_test = OK + low + "It was not possible to execute commands using cmd.exe"
    End Try
End Function
</script>
'****************************************************************
'****************************************************************
Thanks for the help
Best regards
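As an added example (not code from the post or from ANSA), the following Python script inventories P/Invoke declarations in an ASP.NET source tree, both VB.NET `Declare Function ... Lib "..."` statements like those in the test script above and C# `[DllImport(...)]` attributes, and flags the exported entry points that appear in the list above (ignoring the ANSI/Unicode A/W suffix, so `CopyFileA` is reported as `CopyFile`). Defenders who must run a site at Full trust can use it to find which of the listed calls their own code actually declares. The `RISKY_APIS` set is a subset of the post's list, the file extensions scanned are an assumption, and the two sample sources are constructed for the demonstration.

```python
"""Inventory P/Invoke declarations in ASP.NET sources and flag the Win32
entry points named in the post. Added example; not ANSA's code."""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Entry points taken from the post's list, plus WinExec from its test script.
RISKY_APIS = {
    "WinExec", "CopyFile", "CreateFile", "MoveFile", "OpenFile", "ReadFile",
    "WriteFile", "FindFirstFile", "FindNextFile", "SetWindowsHookEx",
    "CallNextHookEx", "InternetOpen", "InternetConnect", "InternetOpenUrl",
    "InternetReadFile", "URLDownloadToFile", "OpenProcessToken",
    "OpenThreadToken", "GetTokenInformation", "ExitWindowsEx",
    "InitiateSystemShutdown", "ClearEventLog", "GetPrivateProfileString",
    "GetEnvironmentVariable", "HeapAlloc", "FtpGetFile",
}
_RISKY_LOWER = {name.lower(): name for name in RISKY_APIS}

# Assumed set of source types to scan in a web application directory.
SOURCE_SUFFIXES = {".aspx", ".ascx", ".asax", ".ashx", ".vb", ".cs"}

# VB.NET:  Declare Function WinExec Lib "kernel32" Alias "WinExec" (...)
VB_DECLARE = re.compile(
    r'\bDeclare\s+(?:(?:Ansi|Unicode|Auto)\s+)?(?:Function|Sub)\s+(?P<name>\w+)\s+'
    r'Lib\s+"(?P<lib>[^"]+)"(?:\s+Alias\s+"(?P<alias>[^"]+)")?',
    re.IGNORECASE)

# C#:  [DllImport("kernel32", EntryPoint = "WinExec")] static extern uint WinExec(...)
CS_DLLIMPORT = re.compile(
    r'\[\s*DllImport\s*\(\s*"(?P<lib>[^"]+)"(?P<args>[^\]]*)\]\s*'
    r'(?:(?:public|private|internal|protected|static|extern|unsafe)\s+)*'
    r'[\w\.<>\[\]]+\s+(?P<name>\w+)\s*\(')
CS_ENTRYPOINT = re.compile(r'EntryPoint\s*=\s*"([^"]+)"')


@dataclass(frozen=True)
class PInvoke:
    path: str
    declared_name: str   # managed name used by the calling code
    library: str         # DLL named in Lib / DllImport
    entry_point: str     # exported symbol that is actually called


def find_pinvokes(source: str, path: str = "<inline>") -> List[PInvoke]:
    """Extract VB.NET Declare and C# DllImport statements from one source file."""
    found = []
    for m in VB_DECLARE.finditer(source):
        found.append(PInvoke(path, m["name"], m["lib"], m["alias"] or m["name"]))
    for m in CS_DLLIMPORT.finditer(source):
        ep = CS_ENTRYPOINT.search(m["args"])
        found.append(PInvoke(path, m["name"], m["lib"], ep.group(1) if ep else m["name"]))
    return found


def canonical_api(entry_point: str) -> Optional[str]:
    """Map an exported name onto the post's list, ignoring the A/W suffix.
    Returns the canonical name, or None when the export is not on the list."""
    key = entry_point.lower()
    if key in _RISKY_LOWER:
        return _RISKY_LOWER[key]
    if key[-1:] in ("a", "w") and key[:-1] in _RISKY_LOWER:
        return _RISKY_LOWER[key[:-1]]
    return None


def flag_risky(pinvokes: Iterable[PInvoke]) -> List[Tuple[PInvoke, str]]:
    """Return (declaration, canonical API name) for every declaration on the list."""
    flagged = []
    for p in pinvokes:
        api = canonical_api(p.entry_point)
        if api is not None:
            flagged.append((p, api))
    return flagged


def scan_tree(root: Path) -> List[Tuple[PInvoke, str]]:
    """Walk a web application directory and flag risky P/Invoke declarations."""
    hits = []
    for f in sorted(root.rglob("*")):
        if f.is_file() and f.suffix.lower() in SOURCE_SUFFIXES:
            text = f.read_text(encoding="utf-8", errors="replace")
            hits.extend(flag_risky(find_pinvokes(text, str(f))))
    return hits


# Constructed sample sources, not real application files.
SAMPLE_VB = '''
<script runat=server>
Declare Function WinExec Lib "kernel32" Alias "WinExec" (ByVal lpCmdLine As String, ByVal nCmdShow As Integer) As Integer
Declare Function CopyFile Lib "kernel32" Alias "CopyFileA" (ByVal a As String, ByVal b As String, ByVal c As Integer) As Integer
Declare Function GetTickCount Lib "kernel32" () As Integer
</script>
'''
SAMPLE_CS = '''
[DllImport("wininet.dll", EntryPoint = "InternetOpenUrlA", SetLastError = true)]
static extern IntPtr OpenUrl(IntPtr hInternet, string url, string headers, uint len, uint flags, IntPtr ctx);
[DllImport("kernel32.dll")]
static extern uint GetTickCount();
'''

if __name__ == "__main__":
    decls = find_pinvokes(SAMPLE_VB, "test.aspx") + find_pinvokes(SAMPLE_CS, "Util.cs")
    for p, api in flag_risky(decls):
        print(f"{p.path}: {p.declared_name} -> {p.library}!{p.entry_point} ({api})")
```

Run against a checkout with `scan_tree(Path("C:/inetpub/wwwroot/site"))`; the `GetTickCount` declarations in the samples show that only exports on the list are reported, and the `OpenUrl` wrapper shows why the match must be made on the `EntryPoint`/`Alias` rather than on the managed name.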