
Bugtraq mailing list archives
Internet Security Systems Security Advisory: Buffer Overflow in i-drive Filo (tm) software
From: aleph1 () UNDERGROUND ORG (Aleph One)
Date: Thu, 8 Jun 2000 11:13:35 -0700
-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Advisory
June 7, 2000

Buffer Overflow in i-drive Filo (tm) software

Synopsis:

Internet Security Systems (ISS) X-Force has discovered a vulnerability in the i-drive Filo software. i-drive.com provides web storage services for over 1.5 million users. The browser-based tool, Filo, allows users to clip and save any web page to their i-drive account. Filo is designed for saving important pages found on the web such as investment research, travel confirmations, and e-commerce receipts.

Affected Versions:

Filo file version 1.0.0.1 for Windows NT (SP5) is affected.

Description:

When the Filo software is installed, the setup program also installs an HTTP proxy server. An attacker can send the proxy server an overly long HTTP GET request, overflowing a heap buffer in the Filo server software. This vulnerability allows an attacker to remotely execute arbitrary code.

Recommendations:

i-drive recommends upgrading to Filo 1.5.3. This version is available for download at:
http://www.idrive.com/site/download/WinFiloInstaller.exe

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2000-0376 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Credits:

This vulnerability was discovered and researched by Justine Bone of the ISS X-Force. Internet Security Systems would like to thank i-drive for their response and handling of this vulnerability.

_____

About Internet Security Systems (ISS)

Internet Security Systems (ISS) is a leading global provider of security management solutions for the Internet. By providing industry-leading SAFEsuite security software, remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to its customers, protecting digital assets and ensuring safe and uninterrupted e-business. ISS' security management solutions protect more than 5,500 customers worldwide including 21 of the 25 largest U.S. commercial banks, 10 of the largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce () iss net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce () iss net of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOT7CKzRfJiV99eG9AQGNZQP+IDQ/RdBcPHBRnN+C5Sh0Mt0+5bSz7IhA
leFVfBUBKRua8ap+lEGHA8TRj937vXC1IsGaSbgdY3Eba9DKo+Bo5wRvx5J6c/xC
NcpG70rMnv/r1/MdkXFRgCl6tazPqnS2h26Zc8WLq/KfdrpmYll1sr7Rvnw5x9+Y
ajGWMUsUXLE=
=pWyt
-----END PGP SIGNATURE-----
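The advisory names the bug class (a heap buffer overflowed by an over-long GET request line to the bundled proxy) but, as is normal for a vendor-coordinated advisory, publishes no code or lengths. The C below is an added illustration of that class and its fix, written for this page; it is not Filo's code, and the 256-byte allocation, the MAX_REQUEST_LINE limit of 2048 and every function name here are hypothetical. The unsafe function shows the shape of the defect (fixed-size heap allocation, unbounded copy of client data); the safe variant checks the length before any copy and rejects over-long request lines, and the validator shows the minimal syntax check a proxy should apply to the request line before using it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical request-line limit for the hardened parser; not a Filo value. */
#define MAX_REQUEST_LINE 2048

/* The pattern the advisory describes, in its simplest form: the proxy
 * allocates a heap buffer sized for an "ordinary" request line and copies
 * the client's GET line into it with no length check. A line longer than
 * the allocation writes past the end of the heap chunk. Never call this
 * with untrusted input; it exists only to show the shape of the defect. */
char *copy_request_line_unsafe(const char *line)
{
    char *buf = malloc(256);   /* fixed size chosen at design time (assumed) */
    if (buf == NULL) return NULL;
    strcpy(buf, line);         /* unbounded copy: heap overflow on long input */
    return buf;
}

/* Hardened form: the length is checked before any copy, the allocation
 * follows the input, and anything over MAX_REQUEST_LINE is refused.
 * Returns NULL with *err = 1 for "too long" and *err = 2 for allocation
 * failure, so the caller can answer the client (414-style) and drop it. */
char *copy_request_line_safe(const char *line, size_t len, int *err)
{
    *err = 0;
    if (len > MAX_REQUEST_LINE) {
        *err = 1;
        return NULL;
    }
    char *buf = malloc(len + 1);
    if (buf == NULL) { *err = 2; return NULL; }
    memcpy(buf, line, len);
    buf[len] = '\0';
    return buf;
}

/* Minimal request-line validator: "GET <target> HTTP/1.0|1.1", within bound.
 * Returns 1 if acceptable, 0 otherwise. Only GET is accepted here because
 * the advisory's proxy scenario is about GET; extend the method set as needed. */
int request_line_ok(const char *line, size_t len)
{
    if (len > MAX_REQUEST_LINE) return 0;
    if (len < strlen("GET / HTTP/1.0")) return 0;
    if (strncmp(line, "GET ", 4) != 0) return 0;
    const char *sp = memchr(line + 4, ' ', len - 4);   /* space before version */
    if (sp == NULL) return 0;
    size_t rest = len - (size_t)(sp + 1 - line);
    if (rest != 8) return 0;                           /* "HTTP/1.x" is 8 bytes */
    if (strncmp(sp + 1, "HTTP/1.", 7) != 0) return 0;
    return (sp[8] == '0' || sp[8] == '1');
}

/* Constructed probe: a GET line whose target is n 'A' bytes, the kind of
 * input a tester sends to find the limit. Caller frees the result. */
char *make_long_get(size_t n)
{
    const char *prefix = "GET /";
    const char *suffix = " HTTP/1.0";
    size_t total = strlen(prefix) + n + strlen(suffix);
    char *line = malloc(total + 1);
    if (line == NULL) return NULL;
    memcpy(line, prefix, strlen(prefix));
    memset(line + strlen(prefix), 'A', n);
    memcpy(line + strlen(prefix) + n, suffix, strlen(suffix) + 1);
    return line;
}

/* 1 if the hardened copy accepts a GET line with an n-byte target, 0 if it
 * rejects it, -1 on allocation failure. Total line length is n + 14. */
int safe_accepts_target_len(size_t n)
{
    char *line = make_long_get(n);
    if (line == NULL) return -1;
    int err;
    char *copy = copy_request_line_safe(line, strlen(line), &err);
    int accepted = (copy != NULL && err == 0);
    free(copy);
    free(line);
    return accepted;
}

int main(void)
{
    printf("target of 10 bytes accepted:   %d\n", safe_accepts_target_len(10));
    printf("target of 2034 bytes accepted: %d (line is exactly 2048)\n",
           safe_accepts_target_len(2034));
    printf("target of 4096 bytes accepted: %d\n", safe_accepts_target_len(4096));
    /* copy_request_line_unsafe(make_long_get(4096)) would overflow its
     * 256-byte heap buffer at this point; it is deliberately not called. */
    return 0;
}
```

The boundary matters: a line of exactly MAX_REQUEST_LINE bytes is accepted and one byte more is refused, and the check happens before any memory is touched, which is the property a proxy fronting untrusted clients needs.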