Hi,

The intriguing part is the relatively small size of the overflow condition (240 chars without the code insertion). We checked it against our CHX-I engine and - just as with the previous MS overflow - we caught the attempt before it reached the web server (including evasive variations of the overflow) with several fundamental overlapping rules (size of request method, attempt to access null objects, etc...).

Does anyone know the smallest overflow condition in a commercial server (web)?

Regards,
R. Stefan
stefat_private
514.331.5858
http://www.idrci.net/default.htm?home=en

----- Original Message -----
From: "Marc Maiffret" <marcat_private>
To: "Vuln-Dev" <vuln-devat_private>
Sent: Monday, June 18, 2001 7:54 PM
Subject: All versions of Microsoft Internet Information Services, Remote buffer overflow (SYSTEM Level Access)

> I didn't want to spam you all with the full advisory but I thought you guys
> might like Ryan Permeh's note on wide character overflow exploitation. It is
> in "The Exploit" section of our advisory.
>
> He talks about it in our latest IIS .ida ISAPI overflow advisory:
> http://www.eeye.com/html/Research/Advisories/AD20010618.html
>
> Signed,
> Marc Maiffret
> Chief Hacking Officer
> eEye Digital Security
> T.949.349.9062
> F.949.349.9538
> http://eEye.com/Retina - Network Security Scanner
> http://eEye.com/Iris - Network Traffic Analyzer
> http://eEye.com/SecureIIS - Web Application Firewall
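As an added illustration of the overlapping size-based rules the reply above describes (this is example code written here, not the CHX-I engine's rules or anything from either post), the checks are run over constructed HTTP request lines. The 240-character figure comes from the thread; the thresholds, function names and sample requests are assumptions, and the oversized query is plain filler, not a payload.

```python
import re
from typing import List, NamedTuple, Tuple
from urllib.parse import unquote

# Constructed sample request lines (not captured traffic): a normal page,
# a benign indexing-service query, an oversized .ida query of the size the
# thread mentions, a percent-encoded variant of it, and a bogus method.
SAMPLE_REQUESTS = [
    "GET /index.htm HTTP/1.0",
    "GET /search.ida?q=printers HTTP/1.0",
    "GET /default.ida?" + "N" * 240 + "=X HTTP/1.0",
    "GET /default%2Eida?" + "N" * 240 + "=X HTTP/1.0",
    "G" * 20 + " / HTTP/1.0",
]

# Assumed thresholds: the longest standard method name is 8 characters
# (PROPFIND); the .ida/.idq query limit sits below the 240 chars in the post.
MAX_METHOD_LEN = 8
IDA_QUERY_LIMIT = 200
REQUEST_LINE_RE = re.compile(r"^(\S+) (\S+) (HTTP/\d\.\d)$")


class Verdict(NamedTuple):
    suspicious: bool
    reasons: Tuple[str, ...]


def check_request_line(line: str) -> Verdict:
    """Apply independent, overlapping size rules to one HTTP request line."""
    m = REQUEST_LINE_RE.match(line)
    if not m:
        return Verdict(True, ("malformed request line",))
    method, target, _version = m.groups()
    reasons = []
    if len(method) > MAX_METHOD_LEN:
        reasons.append(f"method length {len(method)} > {MAX_METHOD_LEN}")
    path, _, query = target.partition("?")
    # Decode once so a percent-encoded extension (e.g. %2Eida) is not missed;
    # the query length is measured on the raw bytes the server would receive.
    if unquote(path).lower().endswith((".ida", ".idq")) and len(query) >= IDA_QUERY_LIMIT:
        reasons.append(f"indexing ISAPI query length {len(query)} >= {IDA_QUERY_LIMIT}")
    return Verdict(bool(reasons), tuple(reasons))


def scan(lines: List[str]) -> List[Tuple[str, Verdict]]:
    """Return (truncated request line, verdict) pairs for a batch of lines."""
    return [(line[:40], check_request_line(line)) for line in lines]


if __name__ == "__main__":
    for head, verdict in scan(SAMPLE_REQUESTS):
        print(f"{'ALERT' if verdict.suspicious else 'ok   '} {head!r} {verdict.reasons}")
```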
This archive was generated by hypermail 2b30 : Wed Jun 20 2001 - 06:37:00 PDT