If you want to test that an IIS4 or 5 server is vulnerable remotely you use
one of the following methods. The request needs to be correct according to
RFC. Send this request:

"POST /iisstart.asp HTTP/1.1\r\n"
"Accept: */*\r\n"
"Host: eeye.com\r\n"
"Content-Type: application/x-www-form-urlencoded\r\n"
"Transfer-Encoding: chunked\r\n"
"\r\n"
"1\r\n"
"E\r\n"
"0\r\n"
"\r\n"
"\r\n"
"\r\n"

It won't overwrite anything mission critical so the dllhost shouldn't lock up
or exit. If you're vulnerable then you'll see the following string in the
error message: "(0x80004005)<br>Unspecified". When a server is patched it will
respond with a new error, I believe it's "(0x80004005)<br>Request...".

You can also try putting NULLs in strange places in your request. The rollup
fixes a problem in parsing requests with NULLs. When IIS sees something
invalid in a request it will error back with "parameter incorrect"; on an
unpatched system the responses will vary.

IDS Sig:

As far as an IDS signature, you guys can check for the existence of
"Content-Type: application/x-www-form-urlencoded\r\n" and
"Transfer-Encoding: chunked\r\n". These two tags can be switched around a
little so there has to be a certain level of logic available to the IDS.
Beyond that the chunking section can be changed around so it can't be used.
The default file isn't really a possibility; an attacker can scan a server
remotely for pages that have the necessary ASP tags ;)

Riley Hassell
Security Research Associate
eEye Digital Security

Get up... and light the world on fire.

----- Original Message -----
From: <dullienat_private>
To: "MadHat" <madhatat_private>
Cc: "Erik Parker" <eparkerat_private>; "'Marc Maiffret'" <marcat_private>; "Vuln-Dev" <vuln-devat_private>
Sent: Friday, April 12, 2002 10:25 AM
Subject: Re[2]: Windows 2000 and NT4 IIS .ASP Remote Buffer Overflow

> Hey all,
>
> M> I have not been able to reproduce these results. I have managed to lock
> M> up IIS (IIS 5.0 with all patches pre Apr 1, 2002), but no popup messages
> M> appear and no entries in the Application Log. I have also been able to get
> M> the 100 Continue message (IIS 4.0 all patches pre Apr 1, 2002), but
> M> still no popup or messages.
>
> rule of thumb : It locks up <==> Heap is corrupted <==> vulnerable
>
> Cheers,
> dullienat_private
>
> --
> Kind regards
> dullienat_private mailto:dullienat_private
>
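An added example, not part of Riley's post or of any eEye tool: a small header-level check that implements the IDS signature he describes. It flags a request whose header block carries both "Content-Type: application/x-www-form-urlencoded" and "Transfer-Encoding: chunked" regardless of header order, letter case or extra parameters (the "certain level of logic" the post says a plain string match lacks), and it deliberately ignores the chunk body, which the post notes can be varied freely. The sample requests and host names below are constructed for the example.

```python
"""Header-based IDS check for the IIS chunked/urlencoded request pattern.

Added example, not from the original vuln-dev post. The signature is the
one described there: both headers present, in any order and any case.
The chunk body is not inspected because the post says it can be changed
around at will. All sample requests below are constructed.
"""


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP request into a dict.

    Header names and values are lower-cased. If the blank line ending the
    header block is missing (truncated capture), whatever header lines are
    present are still parsed. Repeated headers are joined with ", ".
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers: dict = {}
    for line in head.split(b"\r\n")[1:]:  # element 0 is the request line
        name, colon, value = line.partition(b":")
        if not colon:
            continue  # malformed header line, skip it
        key = name.strip().lower().decode("latin-1")
        val = value.strip().lower().decode("latin-1")
        headers[key] = f"{headers[key]}, {val}" if key in headers else val
    return headers


def matches_chunked_urlencoded_signature(raw: bytes) -> bool:
    """True if the request has both the urlencoded Content-Type and a
    chunked Transfer-Encoding, whatever the header order or case."""
    h = parse_headers(raw)
    content_type = h.get("content-type", "")
    codings = [t.strip() for t in h.get("transfer-encoding", "").split(",")]
    return (content_type.startswith("application/x-www-form-urlencoded")
            and "chunked" in codings)


def flagged_requests(requests: dict) -> list:
    """Return the names of the sample requests that match the signature."""
    return [name for name, raw in requests.items()
            if matches_chunked_urlencoded_signature(raw)]


# Constructed samples. "as_posted" has the same header layout as the
# request quoted in the post; "reordered" swaps and recases the headers
# and adds a charset parameter; the last two are benign traffic.
SAMPLE_REQUESTS = {
    "as_posted": (
        b"POST /iisstart.asp HTTP/1.1\r\n"
        b"Accept: */*\r\n"
        b"Host: www.example.com\r\n"           # placeholder host
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Transfer-Encoding: chunked\r\n"
        b"\r\n"
        b"1\r\nE\r\n0\r\n\r\n\r\n\r\n"
    ),
    "reordered": (
        b"POST /default.asp HTTP/1.1\r\n"
        b"transfer-encoding: Chunked\r\n"
        b"host: www.example.com\r\n"           # placeholder host
        b"content-type: Application/x-www-form-urlencoded; charset=utf-8\r\n"
        b"\r\n"
        b"0\r\n\r\n"
    ),
    "benign_multipart": (
        b"POST /upload.asp HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"Content-Type: multipart/form-data; boundary=xyz\r\n"
        b"Transfer-Encoding: chunked\r\n"
        b"\r\n"
        b"0\r\n\r\n"
    ),
    "benign_length": (
        b"POST /login.asp HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: 9\r\n"
        b"\r\n"
        b"user=test"
    ),
}


if __name__ == "__main__":
    for name in SAMPLE_REQUESTS:
        hit = matches_chunked_urlencoded_signature(SAMPLE_REQUESTS[name])
        print(f"{name:18s} {'ALERT' if hit else 'ok'}")
```

Only the first two samples are flagged; the multipart upload and the Content-Length form post are not, even though each shares one of the two headers. Because the chunk body is ignored, reshuffling the chunk sizes (the evasion the post mentions) does not affect the verdict, and a truncated capture that lacks the terminating blank line is still checked on the header lines it does contain.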
This archive was generated by hypermail 2b30 : Fri Apr 12 2002 - 17:06:39 PDT