You will find our response and fix information below. To download the
latest version of SecureIIS (v.1.0.4), visit the SecureIIS website at
http://www.eeye.com/secureiis/

<snip>

|Vendor: eEye (http://www.eEye.com)
|Product: SecureIIS
|(http://www.eeye.com/html/Products/SecureIIS/index.html)

<snip>

|Product description (from
|http://www.eeye.com/html/Products/SecureIIS/index.html):
|SecureIIS protects Microsoft IIS (Internet Information Services) Web
|servers from known and unknown attacks. SecureIIS wraps around IIS and
|works within it, verifying and analyzing incoming and outgoing Web
|server data for any possible security breaches. It combines the best
|features of Intrusion Detection Systems and Conventional Network
|Firewalls all into one, and it is custom tailored to your Web server.
|
|Release Date: May 17th, 2001.
|
|Authors: C-3P0 and R2-D2.

<snip>

|1. Keyword checking - SecureIIS promises "By checking for common

<snip>

| GET /whatever.script?user=%41DMIN HTTP/1.0
|And:
| POST /whatever.script HTTP/1.0
| Content-Type: application/x-www-form-urlencoded
| Content-Length: 10
|
| user=ADMIN

We have updated SecureIIS to properly handle various web encoding
methods, including unicode and hex (%) style encoding. We have also
updated SecureIIS to perform keyword checking on POST data.

|2. Directory traversal - SecureIIS promises "In certain situations,

<snip>

| GET /whatever.script?file=/%2e%2e/%2e%2e/boot.ini HTTP/1.0
|And:
| POST /whatever.script HTTP/1.0
| Content-Type: application/x-www-form-urlencoded
| Content-Length: 20
|
| page=/../../boot.ini

The directory traversal checking bug described above was fixed when the
keyword and POST bugs were fixed. See section 1.

|3. Buffer Overflows - For HTTP headers, SecureIIS promises (from

<snip>

| GET / HTTP/1.0
| Host: [500 x random a-z characters]

We have enabled individual header length checking in SecureIIS 1.0.4.

|4. Buffer Overflows in SecureIIS - if the request is large (several

SecureIIS did not suffer from a buffer overflow attack. There were a few
bugs, though, that might have led you to believe so. These bugs were
actually fixed in SecureIIS version 1.0.3, which was posted to our
website on Thurs. May 17th. The problem you were seeing was due to some
issues with how IIS itself allocates heap memory.

|Workaround: No workaround is known.

We first found out about this vulnerability from reading an advisory
that was posted (Fri 5/18/2001 10:49AM) by ASLabs (namely C-3P0 and
R2-D2) to various security mailing lists. While we wish they would have
contacted us in advance, we do appreciate bug reports and vulnerability
research because it helps us to create better products.

As stated earlier, we have since posted (Sat 5/19/2001 12:27am) a new
version of SecureIIS (version 1.0.4) that fixes the bugs talked about in
C-3P0 and R2-D2's advisory. These bugs were valid and therefore were
dealt with at a top priority.

The bugs that were posted were most likely to affect third party apps
rather than IIS specific vulnerabilities. Basically this means that
registered users of SecureIIS have been protected from various IIS
specific vulnerabilities (unicode, nsfocus-decodebug, .printer, etc...)
from the very first beta of SecureIIS.

The following is a list of some of the new features/changes in
SecureIIS:

 - Maximum POST Query Length Allowed
 - Processing of individual header length fields
 - High Bit Shellcode Protection in POST Data
 - Full decoding of all query strings (unicode and hex data)
 - Keyword filtering for POST data
 - Protect against Directory Traversal Exploits in Query String and
   POST Data

Once again, since eEye itself does vulnerability research, we definitely
encourage vulnerability research from other organizations, as it helps
to make products more secure. If anyone should find any other related
bugs within our software (SecureIIS, Retina, Iris), then please do not
hesitate to e-mail bugsat_private or myself so that we can work with
you to fix the bugs ASAP.

Thanks!

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Web Application Firewall
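The evasions in the advisory and the fixes in eEye's reply all come down to one filter-design rule: normalise before you match, and inspect every channel the application reads from. The toy request filter below is an added example written for this archive page, not eEye's code or anything from SecureIIS. `naive_check()` models the behaviour the advisory exploits (keyword and `..` matching on the raw, undecoded query string only); `hardened_check()` models the 1.0.4 changes eEye lists (hex and `%uXXXX` decoding, POST-body inspection, per-header and POST length limits, high-bit bytes in POST data). The keyword list, the length limits and the sample requests are constructed for the example; the sample requests follow the advisory's own test cases.

```python
"""Added example (not eEye's code): a toy HTTP request filter that models
the pre- and post-1.0.4 checking behaviour described in the thread.
Keyword list, limits and sample requests are constructed for this example."""
import re
from urllib.parse import unquote, unquote_to_bytes

KEYWORDS = ("admin",)     # assumed keyword list; the real list is not on the page
MAX_HEADER_LEN = 256      # assumed per-header limit
MAX_POST_LEN = 4096       # assumed POST body limit

_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")   # IIS-style %uXXXX escape


def parse_request(raw):
    """Split a raw HTTP/1.0 request into (method, path, query, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, query, headers, body


def decode(s, rounds=2):
    """Decode %XX and %uXXXX escapes. A second pass catches a
    double-encoded payload (%2541 -> %41 -> A) as well."""
    for _ in range(rounds):
        prev = s
        s = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), s)
        s = unquote(s)
        if s == prev:
            break
    return s


def has_traversal(text):
    """True if a '..' path component appears once backslashes are normalised."""
    return "../" in text.replace("\\", "/")


def naive_check(raw):
    """Models the behaviour the advisory bypasses: the raw query string is
    matched as-is, and neither POST data nor header lengths are inspected."""
    _, _, query, _, _ = parse_request(raw)
    findings = []
    if any(k in query.lower() for k in KEYWORDS):
        findings.append("keyword:query")
    if has_traversal(query):
        findings.append("traversal:query")
    return findings


def hardened_check(raw):
    """Models the 1.0.4 changes eEye lists: decode first, inspect POST data
    too, bound each header and the body, flag high-bit bytes in POST data."""
    _, _, query, headers, body = parse_request(raw)
    findings = []
    for name, value in headers.items():
        if len(value) > MAX_HEADER_LEN:
            findings.append("header-length:" + name)
    if len(body) > MAX_POST_LEN:
        findings.append("post-length")
    if any(b > 0x7F for b in unquote_to_bytes(body)):
        findings.append("highbit-post")          # crude shellcode heuristic
    for where, data in (("query", query), ("post", body)):
        decoded = decode(data).lower()
        if any(k in decoded for k in KEYWORDS):
            findings.append("keyword:" + where)
        if has_traversal(decoded):
            findings.append("traversal:" + where)
    return findings


CRLF = "\r\n"
FORM = "Content-Type: application/x-www-form-urlencoded" + CRLF
# Constructed requests modelled on the advisory's examples.
SAMPLES = {
    "hex-keyword": "GET /whatever.script?user=%41DMIN HTTP/1.0" + CRLF * 2,
    "post-keyword": ("POST /whatever.script HTTP/1.0" + CRLF + FORM
                     + "Content-Length: 10" + CRLF * 2 + "user=ADMIN"),
    "hex-traversal": "GET /whatever.script?file=/%2e%2e/%2e%2e/boot.ini HTTP/1.0" + CRLF * 2,
    "unicode-traversal": "GET /whatever.script?file=%u002e%u002e/%u002e%u002e/boot.ini HTTP/1.0" + CRLF * 2,
    "post-traversal": ("POST /whatever.script HTTP/1.0" + CRLF + FORM
                       + "Content-Length: 20" + CRLF * 2 + "page=/../../boot.ini"),
    "long-header": "GET / HTTP/1.0" + CRLF + "Host: " + "a" * 500 + CRLF * 2,
    "highbit-post": ("POST /whatever.script HTTP/1.0" + CRLF
                     + "Content-Length: 14" + CRLF * 2 + "x=%90%90%90%cc"),
    "benign": "GET /index.html?user=bob HTTP/1.0" + CRLF + "Host: www.example.com" + CRLF * 2,
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:18} naive={naive_check(req)!s:20} hardened={hardened_check(req)}")
```

Running the script shows every advisory request passing `naive_check()` untouched and being caught by `hardened_check()`, while the benign request passes both. The point to carry over to any filter in front of a web server is the ordering: every decoding layer the backend applies (percent, `%u`, double encoding, backslash as separator) has to be undone by the filter before a signature or keyword is compared, otherwise the comparison is against bytes the application will never see.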
This archive was generated by hypermail 2b30 : Sat May 19 2001 - 13:10:18 PDT