I assume this complaint is regarding eEye's initial advisory, rather than their later-published analysis of Code Red. Given the contents of Microsoft's advisory and a decent debugger, identifying and developing an exploit for the overflow is not overly difficult. Potentially time-consuming, but not terrible complicated. Moreover, unless I am misreading the analyses, the original eEye exploit uses a jump to a header containing a slide to execute code, while RedAlert jumps to the request body via msvcrt. Hardly closely related approaches. I would strongly question the assumption that RedAlert and variants were all based on the code released by eEye. I would like to thank the folks at eEye for providing full advisories of security issues. As the one responsible for regression testing around here, knowing the actual flaws makes it much easier (i.e. possible). Chris At 02:39 PM 8/10/01, Richard M. Smith wrote: >[snip] >Unlike the eEye advisory, the Microsoft advisory on the IIS >security hole shows the right balance. It gives IIS customers >enough information about the buffer overflow without giving a recipe >to virus writers of how to exploit it. > >Thanks, >Richard M. Smith >CTO, Privacy Foundation >http://www.privacyfoundation.org
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 18:08:46 PDT