ExploitFixes
Microsoft Host Integration Server <= 8.5.4224.0 DoS Vulnerabilities 2011-04-12 17:15:12

Source: http://aluigi.org/adv/snabase_1-adv.txt

#######################################################################

Luigi Auriemma

Application: Microsoft Host Integration Server
http://www.microsoft.com/biztalk/en/us/host-integration.aspx?pf=true
Versions: <= 8.5.4224.0
Platforms: Windows
Bugs: various Denial of Service vulnerabilities
Exploitation: remote, versus server
Date: 11 Apr 2011
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's website:
"Microsoft Host Integration Server technologies and tools enable
enterprise organizations to integrate existing IBM host systems,
programs, messages and data with new Microsoft server applications."


#######################################################################

=======
2) Bugs
=======


The following are only Denial of Service vulnerabilities and there are
for sure some others but sincerely who cares?
Just for quick reference...


A]
--
Endless loop affecting all the services that use the TCP protocol so
snabase.exe on port 1478, all the snalink.exe on their dynamic ports,
snaservr.exe, mngagent.exe and so on.
The cause is "word[packet] - 2" that forces the continuous parsing of
the same data.


Instead the following bugs affect only the UDP protocol used in
snabase.exe listening on the port 1478.
When this service terminates also the others depending by it like
snalink and msngagent will terminate.

B]
--
0101FAC7 |> 0FB785 E0FEFF>|MOVZX EAX,WORD PTR SS:[EBP-120]
0101FACE |. 6BC0 37 |IMUL EAX,EAX,37
0101FAD1 |. 8B8D DCFEFFFF |MOV ECX,DWORD PTR SS:[EBP-124]
0101FAD7 |. 8D1C08 |LEA EBX,DWORD PTR DS:[EAX+ECX]
0101FADA |. 8D73 0E |LEA ESI,DWORD PTR DS:[EBX+E]
0101FADD |. 89B5 D8FEFFFF |MOV DWORD PTR SS:[EBP-128],ESI
0101FAE3 |. 6A 0F |PUSH 0F
0101FAE5 |. 59 |POP ECX
0101FAE6 |. 8B3D FC690301 |MOV EDI,DWORD PTR DS:[10369FC]
0101FAEC |. 83C7 14 |ADD EDI,14
0101FAEF |. 33C0 |XOR EAX,EAX
0101FAF1 |. F3:A6 |REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS> ; unallocated memory

the crash is caused by the tentative of accessing the unallocated
memory located after the packet of max 0x1ee bytes.


C]
--
an UDP packet longer than 0x1ee bytes blocks the receiving of any
other UDP packet.


D]
--
endless loop and crash:
0101AF0D /$ 8BFF MOV EDI,EDI
0101AF0F |. 55 PUSH EBP
0101AF10 |. 8BEC MOV EBP,ESP
0101AF12 |. 33D2 XOR EDX,EDX
0101AF14 |. 3955 0C CMP DWORD PTR SS:[EBP+C],EDX
0101AF17 |. 74 1E JE SHORT 0101AF37
0101AF19 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0101AF1C |. 56 PUSH ESI
0101AF1D |> 0FB748 02 /MOVZX ECX,WORD PTR DS:[EAX+2] ; unallocated memory
0101AF21 |. 8B70 04 |MOV ESI,DWORD PTR DS:[EAX+4]
0101AF24 |. 03D1 |ADD EDX,ECX
0101AF26 |. 0FB7C9 |MOVZX ECX,CX
0101AF29 |. F7D6 |NOT ESI
0101AF2B |. 2175 0C |AND DWORD PTR SS:[EBP+C],ESI
0101AF2E |. 03C1 |ADD EAX,ECX
0101AF30 |. 837D 0C 00 |CMP DWORD PTR SS:[EBP+C],0
0101AF34 |.^ 75 E7 \JNZ SHORT 0101AF1D ; controlled cycle
0101AF36 |. 5E POP ESI
0101AF37 |> 0FB7C2 MOVZX EAX,DX
0101AF3A |. 5D POP EBP
0101AF3B \. C2 0800 RETN 8


E]
--
67489374 |. 83C4 0C ADD ESP,0C
67489377 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
6748937A |. 83C0 2C ADD EAX,2C
6748937D |. 50 PUSH EAX
6748937E |. 68 05010000 PUSH 105
67489383 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
67489386 |. 05 29010000 ADD EAX,129
6748938B |. 50 PUSH EAX
6748938C |. FF15 88124467 CALL DWORD PTR DS:[<&MSVCR80.strcat_s>] ; MSVCR80.strcat_s

exception if the string is too big.


F]
--
forced termination:
"Error: Primary Host Integration Server computer already running in ???"


G]
--
6748A73F . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
6748A742 . 83C0 03 ADD EAX,3
6748A745 . 50 PUSH EAX
6748A746 . 6A 10 PUSH 10
6748A748 . 68 F0F04F67 PUSH 674FF0F0
6748A74D . FF15 38134467 CALL DWORD PTR DS:[<&MSVCR80.strcpy_s>]

if the string is longer than 0x10 bytes then the server will raise an
exception and terminates.


H]
--
606CC91A 68 1C010000 PUSH 11C
606CC91F 6A 40 PUSH 40 ; allocate 0x40 bytes
606CC921 FF15 30106C60 CALL DWORD PTR DS:[<&KERNEL32.LocalAlloc> ; kernel32.LocalAlloc
606CC927 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
606CC92A 837D E4 00 CMP DWORD PTR SS:[EBP-1C],0
606CC92E 0F84 D8000000 JE 606CCA0C
606CC934 FF75 08 PUSH DWORD PTR SS:[EBP+8] ; our string
606CC937 6A 10 PUSH 10 ; max size
606CC939 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
606CC93C 83C0 0C ADD EAX,0C
606CC93F 50 PUSH EAX ; destination
606CC940 FF15 5C116C60 CALL DWORD PTR DS:[<&MSVCR80.strcpy_s>] ; MSVCR80.strcpy_s

if the string is longer than 0x10 bytes then the server will raise an
exception and terminates.


I]
--
The opcode 0x02 allows to use an arbitrary MessageId argument in
FormatMessage causing the crash through the values 0x11 and 0x26:
_snwprintf(buffer, buffer_size, "%hs", (char *)9);


J]
--
memcmp crash caused by the accessing of unallocated memory after the
packet.


K (maybe)]
----------
snabase allows to start an existent service and even passing
parameters to it through a packet with opcode 0x04.
normally this is not an issue because the server runs with an
unprivileged user (if you assign Administrator as "Service
credential" the configurator of the installer will ask for
confirmation) and as far as I know the HIS services don't use
arguments.
anyway in some particular conditions or if have been used the
Administrator credentials this feature may be "interesting".


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/snabase_1.zip
http://www.exploit-db.com/sploits/17159.zip

A]
nc SERVER PORT < snabase_1a.dat

others]
nc SERVER 1478 -u < snabase_1?.dat

Note that the pre-built packet files use the fixed destination name
VBOX so change the string in the packets accordingly with the real
target machine or domain name.
Note that snabase_1k.dat must be customized to work: service name,
optional arguments and remember to change at least one char of the
string at offset 3 each time or the packet will be ignored if it
contains the same string of the previous one.


#######################################################################

======
4) Fix
======


No fix.


#######################################################################