Posted on dark spyrit's behalf...

Our apologies for holding back on this info, we just had a few things to sort out first. As is the norm for an ISS advisory, retrieving any useful information is completely out of the question - after all, the market value of a product is at stake. Heaven forbid that the xforce would give the security community real information, without asking anything in return. I dread the day.

So rather than being duped into downloading the scanner, and still gaining no insight on the vulnerability itself, we at beavuh will share what we know.

An overflow exists in the "Accept" header field, which can be exploited with any of the common request methods. e.g.:

    GET / HTTP/1.0
    Accept: (a page or so of data)

The fact that this overflow also affects other request methods rather than just "GET" leads me to believe that this may not be the same hole the xforce mentioned. Hopefully we will receive a reply offering more detailed information, or at least acknowledging that this is/isn't the same hole.

Be sure to check out the new issue of Phrack, which includes my article on Win32 overflows. Everything from location using disassembly techniques, to exploiting the weakness, through to adding your own code to the binary executable(s) to prevent the vulnerabilities. The shellcode spawns a full-blown command prompt on any port you specify, without relying on downloading external files - which seems to be the trend with win32 remote exploits.

We may release demonstration code for Enterprise if the need arises.

dark spyrit / Barnaby Jack <dspyritat_private>
beavuh - bend over and pray.
http://www.beavuh.org
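The post's key defensive point is that the oversized "Accept" header can arrive with any request method, so a check that keys on GET alone misses it. The following is an added example (not code from the post, from beavuh, or from the affected server) of how a front-end proxy or IDS could flag such requests by parsing the request head and measuring every header value regardless of method. The 4096-byte per-header limit and both sample requests are constructed assumptions for the demonstration; a real deployment would tune the limit to what its server actually tolerates.

```python
"""Flag HTTP requests that carry an oversized header value, independent of
the request method. Added example; the limit and the sample requests below
are constructed for illustration and are not taken from any product."""
import re
from typing import List, Tuple

MAX_HEADER_VALUE = 4096  # assumed per-header-value limit, in bytes

# Request line: METHOD SP target SP HTTP/x.y  (any upper-case token as method)
REQUEST_LINE_RE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d$")


def parse_request_head(raw: bytes) -> Tuple[bytes, bytes, List[Tuple[bytes, bytes]]]:
    """Return (method, target, [(name, value), ...]) for an HTTP/1.x request head.

    Accepts CRLF or bare LF line endings and stops at the first empty line,
    so any body is ignored. Raises ValueError on a malformed request line
    or on a header line that has no colon.
    """
    lines = [ln.rstrip(b"\r") for ln in raw.split(b"\n")]
    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        raise ValueError("malformed request line")
    headers: List[Tuple[bytes, bytes]] = []
    for line in lines[1:]:
        if line == b"":
            break  # blank line ends the head
        if b":" not in line:
            raise ValueError("malformed header line: %r" % line[:40])
        name, value = line.split(b":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return m.group(1), m.group(2), headers


def oversized_headers(raw: bytes, limit: int = MAX_HEADER_VALUE) -> List[Tuple[str, int]]:
    """List (header name, value length) for every header whose value exceeds limit.

    The method is deliberately not consulted: the check applies equally to
    GET, POST, HEAD or anything else, which is the point the post makes.
    """
    _, _, headers = parse_request_head(raw)
    return [(name.decode("ascii", "replace"), len(value))
            for name, value in headers if len(value) > limit]


def classify(raw: bytes, limit: int = MAX_HEADER_VALUE) -> str:
    """'ALERT' if any header value exceeds limit, 'MALFORMED' if the head
    cannot be parsed, otherwise 'OK'."""
    try:
        return "ALERT" if oversized_headers(raw, limit) else "OK"
    except ValueError:
        return "MALFORMED"


# Constructed sample traffic (not captured from any real server).
NORMAL_GET = (b"GET / HTTP/1.0\r\n"
              b"Host: www.example.test\r\n"
              b"Accept: text/html, image/gif, */*\r\n"
              b"\r\n")

# A non-GET request whose Accept value is "a page or so" long.
LONG_ACCEPT_POST = (b"POST /cgi-bin/form HTTP/1.0\r\n"
                    b"Host: www.example.test\r\n"
                    b"Accept: " + b"A" * 5000 + b"\r\n"
                    b"Content-Length: 0\r\n"
                    b"\r\n")

if __name__ == "__main__":
    for label, req in (("normal GET", NORMAL_GET), ("long Accept POST", LONG_ACCEPT_POST)):
        print(label, classify(req), oversized_headers(req))
```

Because the parser measures every header rather than only "Accept", the same check also surfaces an overlong value smuggled into any other field; raising the limit per site, or logging the offending header name and length as returned by oversized_headers, gives an operator enough to triage without keeping the full payload.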
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:03:04 PDT