Re: ASP code testing

From: Bojo (bojo_alexat_private)
Date: Sun Nov 18 2001 - 14:38:08 PST

Next message: Kevin Spett: "Re: ASP code testing"

Previous message: Dan Richardson: "ASP code testing"
In reply to: Dan Richardson: "ASP code testing"
Next in thread: Kevin Spett: "Re: ASP code testing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I am ASP programmer. I don't think that some buffer overflow can occur in
your case because scripting engine checks bounds of data types.
In your case somewhere is line of code like:
v = Request.QueryString("id")
i = CInt(v)
First - in this case your ids are limited to 32767 - check your data that if
this is possible.
Solution is to replace this with: i = CLng(v)  (hope all is clear here)
But I have seen this and you must check for code like this:
v = Request.QueryString("id")
Query = "Select * from table where table_id = " & v
ExecQuery(Query)
....
That is - there is no cast to integer and as parameter can be passed
anything and it is concatenated directly to Query.
You can execute something like
http://www.asite.com/show/showsomething.asp?ID=32767;Update+Salary+Set+value
+=+value*2+Where+name='Dan'
the semicolumn (;) is terminator for batch querys in sql server and ADO 2.5
and later will execute this correctly ;)


----- Original Message -----
From: "Dan Richardson" <dan.richardsonat_private>
To: <pen-testat_private>
Sent: Sunday, November 18, 2001 1:00 AM
Subject: ASP code testing

Regards
Bojidiar Alexandrov

> I'm currently testing some ASP code on an e-commerce site. My question
> is could this be used to execute a buffer overflow exploit?
>
> The following URL:
>
> http://www.asite.com/show/showsomething.asp?ID=5
>
> Will retrieve a legitmate item from the database. By playing with the
> number a bit-
>
> http://www.asite.com/show/showsomething.asp?ID=32767
>
> Will generate
>
> ADODB.Field error '80020009'
>
> Either BOF or EOF is True, or the current record has been deleted.
> Requested operation requires a current record.
>
> But if I bump that number up to 32768 (unsigned integer limit)-
>
> Microsoft VBScript runtime error '800a0006'
>
> Overflow: 'cint'
>
> /show/showsomething.asp, line x
>
>
> Thanks
>
> Dan
>
>
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please
see:
> https://alerts.securityfocus.com/
>


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Next message: Kevin Spett: "Re: ASP code testing"
Previous message: Dan Richardson: "ASP code testing"
In reply to: Dan Richardson: "ASP code testing"
Next in thread: Kevin Spett: "Re: ASP code testing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Nov 19 2001 - 14:04:12 PST