by Tan Chew Keong
Release Date: 2006-10-24
Introduction
The vulnerability exists in CruiseWorks "cws.exe", which IIS or another webserver executes as an external CGI process when an HTTP request for it is received. By supplying an overly long string to the "doc" parameter, cws.exe will crash.
However, it is tricky to observe the buffer overflow since cws.exe crashes silently without activating the "Just In Time Debugger", and there is no time to manually attach Ollydbg to the cws.exe process before it crashes. In the following sections, I describe a way of observing the buffer overflow using Ollydbg.
Please note that this is not an Ollydbg tutorial and it is assumed that the reader is already familiar with Ollydbg.
Assumptions
The description below assumes the following:
- CruiseWorks is properly installed on WinXP SP2 with IIS 5.1.
- CruiseWorks is installed in the default directories. i.e. "\inetpub\wwwroot" and "\inetpub\scripts\cruise".
- You can properly logon to CruiseWorks.
Details
The objective is to attach Ollydbg to the "cws.exe" process that is spawned by IIS, before it crashes silently due to the buffer overflow.
IIS (inetinfo.exe) uses the CreateProcessAsUser() API to run "cws.exe" when an HTTP request for "cws.exe" is received. By setting a breakpoint on the instruction in inetinfo.exe that comes after the call to CreateProcessAsUser(), it is then possible to attach another instance of Ollydbg to the "cws.exe" process before IIS sends the malicious request to the "cws.exe" process.
The following sequence of instructions illustrates this.
The malicious request that contains an overly long string for the "doc" parameter will be sent as a POST request to "cws.exe" instead of the GET request. This makes it easier to attach to the "cws.exe" process later on. Please note that the vulnerability is also exploitable via a GET request.
The text file to be created is shown below.
Please make sure that the POST data is exactly 628 bytes and that it contains NO newline characters. The POST data in the example below is line-wrapped for display purposes only; the test file that you create must not have any newlines in the POST data.
Also note that the CruiseWorks login ID and password are sent as Cookie parameters. You must modify the "__login_id" and "__login_pwd" parameters to suit your installation.
POST /scripts/cruise/cws.exe HTTP/1.1
host: localhost
Cookie: __login_id=0; __login_pwd=password
Content-Length: 628
doc=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAA
For example, if you have saved the POST request as "cruisetest.txt", then you can use netcat (nc.exe) to send the request.
nc 192.168.1.111 80 < cruisetest.txt
If you have performed steps 1 to 5 correctly, then one of the breakpoints that was set earlier will cause Ollydbg to pause inetinfo.exe as shown below.
View the call stack in Ollydbg to identify the address of the function that calls the CreateProcessAsUser() API. Go to the address and set a breakpoint immediately after the call. This is shown below.
When the CreateProcessAsUser() function returns, the "cws.exe" process would have been created.
Ollydbg will pause "cws.exe" when the EIP has been overwritten, as shown below.
Please note that if you have incorrectly set the login ID or the password in the Cookie parameter of the POST request, then "cws.exe" will terminate without triggering the overflow.
Buffer Overflow Analysis
The following series of screen captures shows the trace of the vulnerable function.
The analysis assumes that you have sent a POST request to http://192.168.1.111/scripts/cruise/cws.exe with an overly long string in the "doc" parameter:
doc=AAAAAAAA...[624-bytes]...AAAA
Note: The vulnerability is also exploitable via a GET request. However, it is easier to analyse the vulnerability by sending the overly long string as a POST request.
NOTE: The saved EIP is at 0x0012FDC0 on the stack
NOTE: This is equivalent to:
sprintf(overflowed_512-bytes_Buffer, "%s\\docs\\%s", getScriptDirectory(), valueOfDocParam_624-bytes);
This will overflow the 512-byte buffer.
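The unbounded sprintf() that the trace reduces to can be replaced with a length-checked version that refuses any "doc" value that would not fit the 512-byte buffer. The C below is an added example, not CruiseWorks code; the script-directory value, the function names and the 624-byte sample input are assumptions constructed to mirror the advisory.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define DOC_PATH_BUF 512   /* size of the stack buffer the advisory describes */

/* Hypothetical stand-in for the advisory's getScriptDirectory();
 * the real value is not given on the page. */
static const char *script_dir(void) { return "C:\\inetpub\\scripts\\cruise"; }

/* Hardened replacement for the unbounded
 *   sprintf(buf, "%s\\docs\\%s", getScriptDirectory(), doc);
 * Returns true and fills 'out' only when the whole path fits in out_len
 * bytes; otherwise returns false and leaves 'out' as an empty string. */
bool build_doc_path(char *out, size_t out_len, const char *doc)
{
    if (out_len == 0) return false;
    out[0] = '\0';
    /* snprintf never writes past out_len and reports the length the full
     * string would have needed, so needed >= out_len is exactly the input
     * that would have smashed the stack with the original sprintf(). */
    int needed = snprintf(out, out_len, "%s\\docs\\%s", script_dir(), doc);
    if (needed < 0 || (size_t)needed >= out_len) {
        out[0] = '\0';        /* refuse the request instead of truncating */
        return false;
    }
    return true;
}

/* Is a "doc" value made of n 'A' characters refused? (constructed input) */
bool doc_of_length_refused(size_t n)
{
    char doc[1024];
    char out[DOC_PATH_BUF];
    if (n >= sizeof doc) return true;   /* far too long to even build */
    memset(doc, 'A', n);
    doc[n] = '\0';
    return !build_doc_path(out, sizeof out, doc);
}

int main(void)
{
    char path[DOC_PATH_BUF];
    if (build_doc_path(path, sizeof path, "readme.txt"))
        printf("accepted: %s\n", path);
    /* The advisory's 624-byte "doc" value is rejected instead of overflowing. */
    if (doc_of_length_refused(624))
        printf("rejected: 624-byte doc value exceeds %d-byte buffer\n", DOC_PATH_BUF);
    return 0;
}
```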