Vulnerability Development mailing list archives

Re: IIS .ASP Remote Buffer Overflow [testing for vulnerable installations]


From: "Riley Hassell" <rhassell () eeye com>
Date: Fri, 12 Apr 2002 15:15:47 -0700


If you want to test remotely whether an IIS 4 or 5 server is vulnerable, use
one of the following methods.
The request needs to be correct according to the RFC.

Send this request:

  "POST /iisstart.asp HTTP/1.1\r\n"
  "Accept: */*\r\n"
  "Host: eeye.com\r\n"
  "Content-Type: application/x-www-form-urlencoded\r\n"
  "Transfer-Encoding: chunked\r\n"
  "\r\n"
  "1\r\n"
  "E\r\n"
  "0\r\n"
  "\r\n"
  "\r\n"
  "\r\n"

It won't overwrite anything mission critical, so the dllhost shouldn't lock
up or exit. If you're vulnerable then you'll see the following string in the
error message: "(0x80004005)<br>Unspecified". When a server is patched it
will respond with a new error; I believe it's (0x80004005)<br>Request...

You can also try putting NULLs in strange places in your request. The rollup
fixes a problem in parsing requests with NULLs. When IIS sees something
invalid in a request it will error back with "parameter incorrect"; on an
unpatched system the responses will vary.

IDS Sig:

As far as an IDS signature goes, you guys can check for the existence of
"Content-Type: application/x-www-form-urlencoded\r\n" and
"Transfer-Encoding: chunked\r\n". These two tags can be switched around a
little, so there has to be a certain level of logic available to the IDS.
Beyond that, the chunking section can be changed around so it can't be used.
The default file isn't really a possibility; an attacker can scan a server
remotely for pages that have the necessary ASP tags ;)


Riley Hassell
Security Research Associate
eEye Digital Security

Get up...
and light the world on fire.

----- Original Message -----
From: <dullien () gmx de>
To: "MadHat" <madhat () unspecific com>
Cc: "Erik Parker" <eparker () mindsec com>; "'Marc Maiffret'" <marc () eeye com>;
"Vuln-Dev" <vuln-dev () securityfocus com>
Sent: Friday, April 12, 2002 10:25 AM
Subject: Re[2]: Windows 2000 and NT4 IIS .ASP Remote Buffer Overflow


Hey all,

M> I have not been able to reproduce these results.  I have managed to
M> lock up IIS (IIS 5.0 with all patches pre Apr 1, 2002), but no popup
M> messages appear and no entries in the Application Log.  I have also
M> been able to get the 100 Continue message (IIS 4.0 all patches pre
M> Apr 1, 2002), but still no popup or messages.

rule of thumb : It locks up <==> Heap is corrupted <==> vulnerable

Cheers,
dullien () gmx de

--
With kind regards
dullien () gmx de                            mailto:dullien () gmx de
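The remote test and the IDS check that Riley's post describes, written out as an added example for this archive page (it is not code from the post, from eEye, or from the thread). It assumes a host and optional port/path for the network probe, uses the marker strings exactly as the post gives them (the patched-server marker is the one the post says the author "believes" it is, so it is tentative), and the sample request and response bytes at the bottom are constructed for offline checking, not captured traffic.

```python
import re
import socket

# Response fragments quoted in the post. The patched-server marker is the
# one the post's author says he believes it is, so treat it as tentative.
VULN_MARKER = b"(0x80004005)<br>Unspecified"
PATCHED_MARKER = b"(0x80004005)<br>Request"


def build_probe(path="/iisstart.asp", host="eeye.com"):
    """Build the chunked POST from the post (only path and host vary).

    Body: one 1-byte chunk ("E") then the terminating 0 chunk, so the
    request is RFC-valid and small enough not to trample anything vital.
    """
    return (
        f"POST {path} HTTP/1.1\r\n"
        "Accept: */*\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Transfer-Encoding: chunked\r\n"
        "\r\n"
        "1\r\nE\r\n0\r\n\r\n\r\n\r\n"
    ).encode("ascii")


def classify_response(raw_response):
    """Map a raw HTTP response to 'vulnerable', 'patched' or 'unknown'."""
    if VULN_MARKER in raw_response:
        return "vulnerable"
    if PATCHED_MARKER in raw_response:
        return "patched"
    return "unknown"


def send_probe(host, port=80, path="/iisstart.asp", timeout=5.0):
    """Send the probe, return the raw response. Authorised targets only."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe(path, host))
        parts = []
        try:
            while data := sock.recv(4096):
                parts.append(data)
        except socket.timeout:
            pass  # IIS may hold the connection open; use what arrived
    return b"".join(parts)


_REQUEST_LINE = re.compile(rb"^([A-Za-z]+)[ \t]+(\S+)[ \t]+HTTP/1\.[01]\r?\n")


def parse_request_head(raw_request):
    """Return (method, target, {lower-name: lower-value}) or None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    m = _REQUEST_LINE.match(head)
    if not m:
        return None
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    return m.group(1).upper(), m.group(2), headers


def is_chunked_asp_probe(raw_request):
    """IDS logic from the post: an .asp request with both the form content
    type and chunked transfer encoding, in either order and any case. The
    chunk bytes and the page name are not matched; the post says both vary.
    """
    parsed = parse_request_head(raw_request)
    if parsed is None:
        return False
    _method, target, headers = parsed
    if not target.split(b"?", 1)[0].lower().endswith(b".asp"):
        return False
    content_type = headers.get(b"content-type", b"")
    transfer_enc = headers.get(b"transfer-encoding", b"")
    return (content_type.startswith(b"application/x-www-form-urlencoded")
            and b"chunked" in transfer_enc)


# Constructed samples (not captured traffic) for offline checking.
SAMPLE_VULN_RESPONSE = (b"HTTP/1.1 500 Server Error\r\n\r\n"
                        b"error '80004005'<br>(0x80004005)<br>Unspecified error")
SAMPLE_SWAPPED_REQUEST = build_probe().replace(
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Transfer-Encoding: chunked\r\n",
    b"transfer-encoding: Chunked\r\n"
    b"content-type: application/x-www-form-urlencoded\r\n")
SAMPLE_BENIGN_REQUEST = (b"POST /login.asp HTTP/1.1\r\nHost: x\r\n"
                         b"Content-Type: application/x-www-form-urlencoded\r\n"
                         b"Content-Length: 3\r\n\r\na=b")

if __name__ == "__main__":
    import sys  # usage: python probe.py <host>; with no host, run the samples
    if len(sys.argv) > 1:
        print(classify_response(send_probe(sys.argv[1])))
    else:
        print(classify_response(SAMPLE_VULN_RESPONSE),
              is_chunked_asp_probe(SAMPLE_SWAPPED_REQUEST))
```

The detector keys on the two headers being present together on an .asp target rather than on their order, case or the chunk bytes, which is the "certain level of logic" the post says a signature needs; a plain Content-Length POST to the same page does not match. The probe itself is the post's request byte for byte, so a server that is not listening on port 80 or that rewrites the default page needs the port and path arguments.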



