Re: Windows 2000 IIS 5.0 Remote buffer overflow vulnerability (Remote SYSTEM Level Access)

From: Dehner, Ben (Btdat_private)
Date: Wed May 02 2001 - 13:55:18 PDT


    I guess I have a philosophical question about the use of a web proxy in this
    case.  As the first poster points out, a firewall doesn't protect against
    this IIS vulnerability, since everything is using standard HTTP protocol.
    However, by adding in a web proxy, you are simply moving your vulnerability
    from the web server to the proxy server.  Before a proxy server can apply
    any allow/deny rules, it first must also parse the incoming HTTP request,
    and is therefore potentially vulnerable to the same type of buffer overflow
    as the web server.  If the web proxy server is from the same vendor as the web
    server, it is not unlikely that it is built on common core code and has the
    *same* vulnerability.
    
    Ben Dehner
    
    -----Original Message-----
    From: Lincoln Yeoh [mailto:lyeohat_private]
    Sent: Tuesday, May 01, 2001 8:58 PM
    To: BUGTRAQat_private
    Subject: Re: Windows 2000 IIS 5.0 Remote buffer overflow vulnerability
    (Remote SYSTEM Level Access)
    
    
    At 01:15 PM 01-05-2001 -0700, Marc Maiffret wrote:
    >The Fallout:
    >As with our first remote SYSTEM level exploit for IIS 4.0 2 years ago, the
    >fallout from this second IIS remote overflow is also rather large. Once
    >again it does not matter what kind of security systems you have in place,
    >Firewalls, IDS's, etc.. because all of those systems can be bypassed and
    >your web server CAN be broken into via this vulnerability. To quote our
    >last
    
    [Lincoln Yeoh]
    Actually these attacks (and others) may not work if you have a web proxy
    that allows clients to only access urls that appear in the protected
    website's content plus defined entry point urls. The good old "default
    deny" concept.
    
    You can only ask for what the protected server says there is, or is ok.
    
    I'm glossing over the details of course, but basically the proxy looks at
    the protected webserver's content it is serving up, and only that which is
    explicitly specified by the content is allowed. For example, fields in forms
    are limited to that specified by their SIZE parameter, and unspecified
    parameters never get passed to the target url.
    
    ...
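As an added illustration (not code from either poster), here is a minimal Python sketch of the default-deny proxy policy Lincoln Yeoh describes: an allow-list harvested from the protected server's own content plus explicit entry points, form fields capped at their SIZE, unspecified parameters dropped. It also bounds the request-target length before any other parsing, which is the first thing a proxy should do given Ben Dehner's objection that the proxy's own parser becomes the exposed surface. The sample page, `MAX_TARGET_LEN` and all function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode

MAX_TARGET_LEN = 2048  # assumed hard cap: bound the input before the proxy parses anything else

class AllowListBuilder(HTMLParser):
    """Harvest the links and form fields that the protected server's content exposes."""
    def __init__(self):
        super().__init__()
        self.urls = set()     # literal request-targets found in href attributes
        self.fields = {}      # form action path -> {input name: SIZE limit or None}
        self._form = None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.urls.add(a["href"])
        elif tag == "form" and a.get("action"):
            self._form = a["action"]
            self.fields.setdefault(self._form, {})
        elif tag == "input" and self._form and a.get("name"):
            # SIZE attribute assumed numeric; a missing SIZE means "no length limit"
            self.fields[self._form][a["name"]] = int(a.get("size") or 0) or None
    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def build_policy(pages, entry_points):
    b = AllowListBuilder()
    for html in pages:
        b.feed(html)
    return {"urls": b.urls | set(entry_points), "fields": b.fields}

def filter_request(policy, target):
    """Default-deny check of one request-target. Returns (allowed, forwarded_target, reason)."""
    if len(target) > MAX_TARGET_LEN:
        return False, None, "request-target too long"
    if target in policy["urls"]:
        return True, target, "literal url from served content or entry point"
    path, _, query = target.partition("?")
    fields = policy["fields"].get(path)
    if fields is None:
        return False, None, "not referenced by served content"
    kept = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in fields:
            continue  # unspecified parameters are dropped, never forwarded
        if fields[name] is not None and len(value) > fields[name]:
            return False, None, f"value for {name!r} exceeds SIZE={fields[name]}"
        kept.append((name, value))
    return True, path + ("?" + urlencode(kept) if kept else ""), "form submission within policy"

# constructed sample page standing in for the protected server's content
SAMPLE_PAGE = """<html><body><a href="/products.asp?cat=1">Products</a>
<form action="/search.asp" method="GET"><input name="q" size="40"><input type="submit" value="Go"></form>
</body></html>"""
```

Note that this only narrows what reaches the web server; the proxy's own HTML and query parsing still has to be robust, which is exactly the point of the reply above.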
    



    This archive was generated by hypermail 2b30 : Thu May 03 2001 - 14:29:03 PDT