Re: Re[4]: IIS .ASP Remote Buffer Overflow [testing for vulnerable installations]

["Riley Hassell" <rhassell () eeye com>]

Change http://www.security.nnov.ru/index.asp to /iisstart.asp in the POST
along with switching HTTP/1.0 -> HTTP/1.1 and the tests should work.

The HTTP version may not matter, but for the sake of making our tests
environments more similar..

-R


----- Original Message -----
From: "3APA3A" <3APA3A () SECURITY NNOV RU>
To: "Riley Hassell" <rhassell () eeye com>
Cc: <vuln-dev () securityfocus com>
Sent: Saturday, April 13, 2002 7:17 AM
Subject: Re[4]: IIS .ASP Remote Buffer Overflow [testing for vulnerable
installations]


> Dear Riley Hassell,
>
> I do use telnet sometimes ;)
>
> I mean in case of _patched_ IIS it doesn't
>
> > > RH> will respond with a new error, I believe it's
> RH> (0x80004005)<br>Request...
>
> but simply shows you a page like it does on GET request... You can try
>
> > telnet www.security.nnov.ru 80
> Trying 195.122.226.28...
> Connected to ntst.sci-nnov.ru.
> Escape character is '^]'.
> POST http://www.security.nnov.ru/index.asp HTTP/1.0
> Accept: */*
> Host: www.security.nnov.ru
> Content-Type: application/x-www-form-urlencoded
> Transfer-Encoding: chunked
>
> 1
> E
> 0
>
> After hitting enter twice you'll HTML content.
>
>
>
> --Saturday, April 13, 2002, 5:45:04 PM, you wrote to
3APA3A () SECURITY NNOV RU:
> RH> lets see whats up...
>
> RH> Do it first manually. Copy and paste the request into a telnet session
with
> RH> the web server. I used the telnet.exe that came along with the machine
I'm
> RH> testing. It's running Windows 2000 Server, build 5.00.2195 with SP2
all the
> RH> latest hotfixes prior to Q319733.
>
> RH> Here it is:
> RH> ----start
> RH> POST /iisstart.asp HTTP/1.1
> RH> Accept: */*
> RH> Host: hostname-changed.com
> RH> Content-Type: application/x-www-form-urlencoded
> RH> Transfer-Encoding: chunked
>
> RH> 1
> RH> E
> RH> 0
> RH> ----end
>
> RH> If you have troubles,try hitting [enter] a few more times in your
telnet
> RH> session after you have pasted the session in. Be patient, IIS may need
 to
> RH> load the ISAPI filter, this could take several seconds or longer
depending
> RH> on the speed of the system.
>
> RH> Also make sure you haven't changed your iisstart.asp file, just so we
have
> RH> the same test environment.
>
> RH> For the app you're writing what particular language are you using?
> RH> If you're writing an app to check for these, try adding a healthy
timeout
> RH> limit for data reads. IIS may need to load the filter so it could take
a
> RH> while.
>
> RH> If IIS is still not throwing the error, then (if you'd like), send me
a
> RH> packet capture of your telnet session and a copy of the iisstart.asp
file on
> RH> the machine you're testing. Then I should be able to tell you why it's
not
> RH> working from that.
>
> RH> There's also the possibility that this vulnerability may have been
> RH> introduced with a  later version of the IIS related dll releases.
Maybe a
> RH> underlying code change, or patch caused this issue. Only speculation
of
> RH> course ;)
>
> RH> -R
>
> RH> Riley Hassell
> RH> Security Research Associate
> RH> eEye Digital Security
>
> RH> Get up...
> RH> and light the world on fire.
>
> > > In my case it produces no error and simply responses with page content
> RH> after
> > >    "\r\n"
> > >    "1\r\n"
> > >    "E\r\n"
> > >    "0\r\n"
> > >    "\r\n"
> > >
> > >
> > > RH> It won't overwrite anything mission critical so the dllhost
shouldn't
> RH> lock
> > > RH> up or exit. If you're vulnerable then you'll the following string
in
> RH> the
> > > RH> error message "(0x80004005)<br>Unspecified". When a server is
patched
> RH> it
> > > RH> will respond with a new error, I believe it's
> RH> (0x80004005)<br>Request...
> > > RH> You can also try putting NULL's in strange places in you request.
The
> RH> rollup
> > > RH> fixes a problem in parsing requests with NULLs. When IIS see's
> RH> something
> > > RH> invalid in a request it will error back with "parameter incorrect",
on
> RH> an
> > > RH> unpatched system the responses will vary.
> > >
> > >
> > >
> > > --
> > > ~/ZARAZA
> > > ...áåç äóáèíêè íèêîãäà íå ïðèíèìàëñÿ îí çà ïðîãðàììèðîâàíèå. (Ëåì)
>
>
>
> --
> ~/ZARAZA
> Ïîÿâèëñÿ íîâûé òèï ýëåìåíòàðíûõ ÷àñòèö - øêâàðêè.
> Íå î÷åíü áîëüøèå, ñëåãêà ïîäãîðåâøèå.  (Ëåì)