RE: Windows 2000 and NT4 IIS .ASP Remote Buffer Overflow

From: damdum (damdum@ghettohackers.net)
Date: 04/12/02


Date: Fri, 12 Apr 2002 13:04:21 -0700
From: damdum <damdum@ghettohackers.net>
To: MadHat <madhat@unspecific.com>

Quoting MadHat <madhat@unspecific.com>:

> Thanks, but I must have missed where the 100 continue return code was
> the defining factor of vulnerability.

When doing chunked posts, it's my understanding you will always get a 100
continue. So, if this is fixed or fed in wrong, you would still get 100
continue, but no crash.

Initially I used netcat and cut/pasted the request in. The behavior was the same
when it didn't cause the exception as when it did. (See below comments on how to
remotely tell if it crashed).

>
> I can get this to return, but I have no way to verify vulnerability that
> I can see. The original description released by Marc said that a popup
> appeared and that a message was entered in the Application Event log.
> Since I can not reproduce either of these symptoms, how do I verify
> vulnerability. If I send the same data as below to a patched host, it
> still comes back with the 100 continue return code.

If you do not get the pop-up and log entries, you have not caused the overflow.
Once you have caused this error another request for iisstart.asp will give a
500 error.

So, to test, run the perl script, then do GET /iisstart.asp HTTP/1.0\r\n\r\n.
Response should be "HTTP/1.1 500 Server Error".

Note: This is using default IIS as with W2K Adv Serv, so iisstart.asp is using
"medium" security, not sure if this changes with high.

>
> Oh and on the locked up I mentioned before, I meant that HTTP session
> locked, not IIS itself. Not something I can count on, since it didn't
> seem to happen every time and did not seem to produce any of the signs
> noted in the advisory.

Using this request you will never "return" from the 100 continue. So you will
need to reconnect for another request.

I have only tested this on a fresh install of Windows 2000 Advanced Server w/o
any patches. It is easier to test using a w2k box & telnet, as you will send
the proper \r\n and can just cut/paste and hit return.

damdum
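The thread above boils down to an availability check: a healthy IIS answers a plain GET for /iisstart.asp with a 2xx, a chunked POST is acknowledged with an interim "100 Continue" whether or not anything went wrong, and a server whose ASP process has faulted answers later requests with "HTTP/1.1 500 Server Error". The script below is an added example (not code from damdum, MadHat or the original advisory) that builds a GET with the proper CRLF line endings the thread warns about, parses the status line, and classifies the result so an operator can monitor a server for the fault condition. The sample responses and the `example.test` hostname are constructed for illustration.

```python
import socket
from typing import Optional, Tuple

# Constructed sample responses modelled on the three states the thread
# describes; these are not captured from a real server.
SAMPLE_RESPONSES = {
    "healthy":  b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nContent-Length: 0\r\n\r\n",
    "continue": b"HTTP/1.1 100 Continue\r\nServer: Microsoft-IIS/5.0\r\n\r\n",
    "crashed":  b"HTTP/1.1 500 Server Error\r\nServer: Microsoft-IIS/5.0\r\nContent-Length: 0\r\n\r\n",
    "garbage":  b"not an http response",
}


def build_get_request(path: str, host: str) -> bytes:
    """Build a minimal HTTP/1.0 GET with explicit CRLF line endings.

    Hand-typed requests (netcat vs. telnet, as the thread notes) often lack
    the \\r\\n that the server expects; building the bytes avoids that pitfall.
    """
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_status_line(raw: bytes) -> Optional[Tuple[str, int, str]]:
    """Return (version, status_code, reason) from the first response line,
    or None if the bytes do not look like an HTTP status line."""
    first_line, _, _ = raw.partition(b"\r\n")
    parts = first_line.decode("latin-1", errors="replace").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return None
    try:
        code = int(parts[1])
    except ValueError:
        return None
    reason = parts[2] if len(parts) == 3 else ""
    return parts[0], code, reason


def classify_response(raw: bytes) -> str:
    """Map a raw response to one of the states described in the thread."""
    parsed = parse_status_line(raw)
    if parsed is None:
        return "unparseable"
    _, code, _ = parsed
    if code == 100:
        # Interim reply to a chunked POST; says nothing about server health.
        return "interim-continue"
    if 200 <= code < 400:
        return "healthy"
    if code >= 500:
        # The post-fault symptom the thread describes (500 on iisstart.asp).
        return "server-error"
    return f"client-error-{code}"


def probe(host: str, port: int = 80, path: str = "/iisstart.asp",
          timeout: float = 5.0) -> str:
    """Live availability probe for a monitoring job.

    Opens a fresh connection every time (the thread notes a hung session never
    returns), sends the GET and classifies the first line of the reply.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(build_get_request(path, host))
            data = b""
            while b"\r\n" not in data and len(data) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError as exc:
        return f"unreachable: {exc}"
    return classify_response(data)


if __name__ == "__main__":
    # Offline demonstration over the constructed samples.
    for name, resp in SAMPLE_RESPONSES.items():
        print(f"{name:9s} -> {classify_response(resp)}")
    # probe("example.test") would run the same classification against a live host.
```

Treat anything other than "healthy" from a periodic `probe()` as an alert: "server-error" matches the fault state the thread describes, and "unreachable" covers a connection that was never answered at all.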


