#######################################################################

                             Luigi Auriemma

Application:  Microsoft Host Integration Server
              http://www.microsoft.com/biztalk/en/us/host-integration.aspx?pf=true
Versions:     <= 8.5.4224.0
Platforms:    Windows
Bugs:         various Denial of Service vulnerabilities
Exploitation: remote, versus server
Date:         11 Apr 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's website:
"Microsoft Host Integration Server technologies and tools enable
enterprise organizations to integrate existing IBM host systems,
programs, messages and data with new Microsoft server applications."


#######################################################################

=======
2) Bugs
=======


The following are only Denial of Service vulnerabilities and there are
for sure some others but sincerely who cares?
Just for quick reference...


A]
--
  Endless loop affecting all the services that use the TCP protocol so
  snabase.exe on port 1478, all the snalink.exe on their dynamic ports,
  snaservr.exe, mngagent.exe and so on.
  The cause is "word[packet] - 2" that forces the continuous parsing of
  the same data.


Instead the following bugs affect only the UDP protocol used in
snabase.exe listening on the port 1478.
When this service terminates also the others depending by it like
snalink and msngagent will terminate.

B]
--
  0101FAC7  |>  0FB785 E0FEFF>|MOVZX EAX,WORD PTR SS:[EBP-120]
  0101FACE  |.  6BC0 37       |IMUL EAX,EAX,37
  0101FAD1  |.  8B8D DCFEFFFF |MOV ECX,DWORD PTR SS:[EBP-124]
  0101FAD7  |.  8D1C08        |LEA EBX,DWORD PTR DS:[EAX+ECX]
  0101FADA  |.  8D73 0E       |LEA ESI,DWORD PTR DS:[EBX+E]
  0101FADD  |.  89B5 D8FEFFFF |MOV DWORD PTR SS:[EBP-128],ESI
  0101FAE3  |.  6A 0F         |PUSH 0F
  0101FAE5  |.  59            |POP ECX
  0101FAE6  |.  8B3D FC690301 |MOV EDI,DWORD PTR DS:[10369FC]
  0101FAEC  |.  83C7 14       |ADD EDI,14
  0101FAEF  |.  33C0          |XOR EAX,EAX
  0101FAF1  |.  F3:A6         |REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS> ; unallocated memory

  the crash is caused by the tentative of accessing the unallocated
  memory located after the packet of max 0x1ee bytes.


C]
--
  an UDP packet longer than 0x1ee bytes blocks the receiving of any
  other UDP packet.


D]
--
  endless loop and crash:
  0101AF0D  /$  8BFF          MOV EDI,EDI
  0101AF0F  |.  55            PUSH EBP
  0101AF10  |.  8BEC          MOV EBP,ESP
  0101AF12  |.  33D2          XOR EDX,EDX
  0101AF14  |.  3955 0C       CMP DWORD PTR SS:[EBP+C],EDX
  0101AF17  |.  74 1E         JE SHORT 0101AF37
  0101AF19  |.  8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
  0101AF1C  |.  56            PUSH ESI
  0101AF1D  |>  0FB748 02     /MOVZX ECX,WORD PTR DS:[EAX+2]    ; unallocated memory
  0101AF21  |.  8B70 04       |MOV ESI,DWORD PTR DS:[EAX+4]
  0101AF24  |.  03D1          |ADD EDX,ECX
  0101AF26  |.  0FB7C9        |MOVZX ECX,CX
  0101AF29  |.  F7D6          |NOT ESI
  0101AF2B  |.  2175 0C       |AND DWORD PTR SS:[EBP+C],ESI
  0101AF2E  |.  03C1          |ADD EAX,ECX
  0101AF30  |.  837D 0C 00    |CMP DWORD PTR SS:[EBP+C],0
  0101AF34  |.^ 75 E7         \JNZ SHORT 0101AF1D               ; controlled cycle
  0101AF36  |.  5E            POP ESI
  0101AF37  |>  0FB7C2        MOVZX EAX,DX
  0101AF3A  |.  5D            POP EBP
  0101AF3B  \.  C2 0800       RETN 8


E]
--
  67489374  |.  83C4 0C       ADD ESP,0C
  67489377  |.  8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
  6748937A  |.  83C0 2C       ADD EAX,2C
  6748937D  |.  50            PUSH EAX
  6748937E  |.  68 05010000   PUSH 105
  67489383  |.  8B45 E8       MOV EAX,DWORD PTR SS:[EBP-18]
  67489386  |.  05 29010000   ADD EAX,129
  6748938B  |.  50            PUSH EAX
  6748938C  |.  FF15 88124467 CALL DWORD PTR DS:[<&MSVCR80.strcat_s>]  ;  MSVCR80.strcat_s

  exception if the string is too big.


F]
--
  forced termination:
  "Error: Primary Host Integration Server computer already running in ???"


G]
--
  6748A73F   .  8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
  6748A742   .  83C0 03       ADD EAX,3
  6748A745   .  50            PUSH EAX
  6748A746   .  6A 10         PUSH 10
  6748A748   .  68 F0F04F67   PUSH 674FF0F0
  6748A74D   .  FF15 38134467 CALL DWORD PTR DS:[<&MSVCR80.strcpy_s>]

  if the string is longer than 0x10 bytes then the server will raise an
  exception and terminates.


H]
--
  606CC91A    68 1C010000     PUSH 11C
  606CC91F    6A 40           PUSH 40                                   ; allocate 0x40 bytes
  606CC921    FF15 30106C60   CALL DWORD PTR DS:[<&KERNEL32.LocalAlloc> ; kernel32.LocalAlloc
  606CC927    8945 E4         MOV DWORD PTR SS:[EBP-1C],EAX
  606CC92A    837D E4 00      CMP DWORD PTR SS:[EBP-1C],0
  606CC92E    0F84 D8000000   JE 606CCA0C
  606CC934    FF75 08         PUSH DWORD PTR SS:[EBP+8]                 ; our string
  606CC937    6A 10           PUSH 10                                   ; max size
  606CC939    8B45 E4         MOV EAX,DWORD PTR SS:[EBP-1C]
  606CC93C    83C0 0C         ADD EAX,0C
  606CC93F    50              PUSH EAX                                  ; destination
  606CC940    FF15 5C116C60   CALL DWORD PTR DS:[<&MSVCR80.strcpy_s>]   ; MSVCR80.strcpy_s

  if the string is longer than 0x10 bytes then the server will raise an
  exception and terminates.


I]
--
  The opcode 0x02 allows to use an arbitrary MessageId argument in
  FormatMessage causing the crash through the values 0x11 and 0x26:
  _snwprintf(buffer, buffer_size, "%hs", (char *)9);


J]
--
  memcmp crash caused by the accessing of unallocated memory after the
  packet.


K (maybe)]
----------
  snabase allows to start an existent service and even passing
  parameters to it through a packet with opcode 0x04.
  normally this is not an issue because the server runs with an
  unprivileged user (if you assign Administrator as "Service
  credential" the configurator of the installer will ask for
  confirmation) and as far as I know the HIS services don't use
  arguments.
  anyway in some particular conditions or if have been used the
  Administrator credentials this feature may be "interesting".


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/snabase_1.zip

A]
  nc SERVER PORT    < snabase_1a.dat

others]
  nc SERVER 1478 -u < snabase_1?.dat

  Note that the pre-built packet files use the fixed destination name
  VBOX so change the string in the packets accordingly with the real
  target machine or domain name.
  Note that snabase_1k.dat must be customized to work: service name,
  optional arguments and remember to change at least one char of the
  string at offset 3 each time or the packet will be ignored if it
  contains the same string of the previous one.


#######################################################################

======
4) Fix
======


No fix.


#######################################################################