Vulnerability Development mailing list archives

Re[4]: IIS .ASP Remote Buffer Overflow [testing for vulnerable installations]


From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Sat, 13 Apr 2002 18:17:32 +0400

Dear Riley Hassell,

I do use telnet sometimes ;)

I mean in case of _patched_ IIS it doesn't

RH> will respond with a new error, I believe it's
RH> (0x80004005)<br>Request...

but simply shows you a page like it does on GET request... You can try

telnet www.security.nnov.ru 80
Trying 195.122.226.28...
Connected to ntst.sci-nnov.ru.
Escape character is '^]'.
POST http://www.security.nnov.ru/index.asp HTTP/1.0
Accept: */*
Host: www.security.nnov.ru
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked

1
E
0

After hitting enter twice you'll see HTML content.



--Saturday, April 13, 2002, 5:45:04 PM, you wrote to 3APA3A () SECURITY NNOV RU:


RH> lets see whats up...

RH> Do it first manually. Copy and paste the request into a telnet session with
RH> the web server. I used the telnet.exe that came along with the machine I'm
RH> testing. It's running Windows 2000 Server, build 5.00.2195 with SP2 all the
RH> latest hotfixes prior to Q319733.

RH> Here it is:
RH> ----start
RH> POST /iisstart.asp HTTP/1.1
RH> Accept: */*
RH> Host: hostname-changed.com
RH> Content-Type: application/x-www-form-urlencoded
RH> Transfer-Encoding: chunked

RH> 1
RH> E
RH> 0
RH> ----end

RH> If you have troubles,try hitting [enter] a few more times in your telnet
RH> session after you have pasted the session in. Be patient, IIS may need to
RH> load the ISAPI filter, this could take several seconds or longer depending
RH> on the speed of the system.

RH> Also make sure you haven't changed your iisstart.asp file, just so we have
RH> the same test environment.

RH> For the app you're writing what particular language are you using?
RH> If you're writing an app to check for these, try adding a healthy timeout
RH> limit for data reads. IIS may need to load the filter so it could take a
RH> while.

RH> If IIS is still not throwing the error, then (if you'd like), send me a
RH> packet capture of your telnet session and a copy of the iisstart.asp file on
RH> the machine you're testing. Then I should be able to tell you why it's not
RH> working from that.

RH> There's also the possibility that this vulnerability may have been
RH> introduced with a later version of the IIS related dll releases. Maybe an
RH> underlying code change, or patch caused this issue. Only speculation of
RH> course ;)

RH> -R

RH> Riley Hassell
RH> Security Research Associate
RH> eEye Digital Security

RH> Get up...
RH> and light the world on fire.


In my case it produces no error and simply responds with page content
RH> after

   "\r\n"
   "1\r\n"
   "E\r\n"
   "0\r\n"
   "\r\n"


RH> It won't overwrite anything mission critical so the dllhost shouldn't
RH> lock up or exit. If you're vulnerable then you'll see the following string
RH> in the error message "(0x80004005)<br>Unspecified". When a server is
RH> patched it will respond with a new error, I believe it's
RH> (0x80004005)<br>Request...

RH> You can also try putting NULL's in strange places in your request. The
RH> rollup fixes a problem in parsing requests with NULLs. When IIS sees
RH> something invalid in a request it will error back with "parameter
RH> incorrect", on an unpatched system the responses will vary.



--
~/ZARAZA
...without a cudgel he never took up programming. (Lem)





-- 
~/ZARAZA
A new type of elementary particle has appeared: shkvarki (cracklings).
Not very big, slightly burnt.  (Lem)
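Added example, written for this archive page and not code from either poster or from eEye: it builds the chunked POST request shown in the thread and sorts a server's reply into the three outcomes the two posters describe (the "Unspecified" error Riley associates with an unpatched server, the "Request..." error he believes a patched server returns, and the plain page content 3APA3A sees). The hostname, path, and the sample responses are constructed placeholders, and the `probe()` helper is only meant for checking a server you administer; as Riley suggests, it uses a generous read timeout because IIS may first have to load the ISAPI filter.

```python
"""Build the chunked POST from the thread and classify an IIS reply.

Added example for this archive page; not code from the thread's authors.
Marker strings are the ones quoted by Riley Hassell. Hostnames, paths and
sample responses are constructed placeholders.
"""
import socket

# Strings quoted in the thread. The "patched" marker is prefaced with
# "I believe" by its author, so treat it as a hint rather than proof.
MARKER_UNSPECIFIED = b"(0x80004005)<br>Unspecified"
MARKER_REQUEST = b"(0x80004005)<br>Request"


def chunked_body(chunks):
    """Encode chunks as HTTP/1.1 chunked transfer coding:
    hex length, CRLF, data, CRLF for each chunk, then the '0' terminator."""
    out = b""
    for chunk in chunks:
        out += b"%x\r\n%s\r\n" % (len(chunk), chunk)
    return out + b"0\r\n\r\n"


def build_request(host, path, chunks=(b"E",)):
    """Reproduce the request pasted in the thread: one 1-byte chunk 'E'."""
    headers = (
        f"POST {path} HTTP/1.1\r\n"
        "Accept: */*\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Transfer-Encoding: chunked\r\n"
        "\r\n"
    ).encode("ascii")
    return headers + chunked_body(chunks)


def classify(response):
    """Map a raw HTTP response to the outcomes discussed in the thread."""
    if MARKER_UNSPECIFIED in response:
        return "unspecified-error"   # string RH associates with an unpatched server
    if MARKER_REQUEST in response:
        return "request-error"       # string RH believes a patched server returns
    head, _, body = response.partition(b"\r\n\r\n")
    parts = head.split(b" ", 2)
    status = parts[1] if len(parts) > 1 else b""
    if status == b"200" and b"<html" in body.lower():
        return "page-content"        # 3APA3A's observation: no error, just the page
    return "unknown"


def probe(host, port=80, path="/iisstart.asp", timeout=30.0):
    """Send the request to a server you administer and classify the reply.
    The long timeout follows RH's advice that loading the filter can be slow."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        sock.sendall(build_request(host, path))
        data = b""
        while True:
            try:
                piece = sock.recv(4096)
            except socket.timeout:
                break
            if not piece:
                break
            data += piece
    return classify(data)


# Constructed sample replies (not captured from any real server).
SAMPLE_RESPONSES = {
    "unspecified": (b"HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
                    b"<font face=\"Arial\" size=2>error (0x80004005)<br>Unspecified error"),
    "request": (b"HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
                b"<font face=\"Arial\" size=2>error (0x80004005)<br>Request... invalid"),
    "page": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<HTML><BODY>Welcome to the constructed sample site</BODY></HTML>"),
    "other": b"HTTP/1.1 400 Bad Request\r\n\r\nThe parameter is incorrect.",
}


def classify_samples():
    """Classify every constructed sample; returned dict is what the test checks."""
    return {name: classify(raw) for name, raw in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    print(build_request("hostname-changed.com", "/iisstart.asp").decode("ascii"))
    for name, verdict in classify_samples().items():
        print(f"{name}: {verdict}")
    # To check a server you run: print(probe("your.server.example"))
```

The classifier is deliberately conservative: anything that is neither of the two quoted error strings nor a 200 page falls into "unknown", so a reply like the "parameter incorrect" message Riley mentions for malformed requests is reported rather than guessed at.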

