exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

eeye.htr2.txt

eeye.htr2.txt
Posted Jun 13, 2002
Authored by eEye Digital Security | Site eEye.com

Eeye Advisory - IIS 4.0 and 5.0 for Windows NT and 2000 contain a remotely exploitable heap overflow which allows remote code execution. The bug is in transfer chunking in combination with the processing of HTR request sessions.

tags | remote, overflow, code execution
systems | windows
SHA-256 | 48ccb83f54a8646059f912592e5f6d519b887ca5833838d10ec76f21014b6fa0

eeye.htr2.txt

Change Mirror Download
Windows 2000 and NT4 IIS .HTR Remote Buffer Overflow

Release Date:
June 12, 2002

Severity:
High (Remote code execution)

Systems Affected:
Microsoft Windows NT 4.0 Internet Information Services 4.0
Microsoft Windows 2000 Internet Information Services 5.0

A vulnerability in transfer chunking, in combination with the processing of
HTR request sessions can be exploited to remotely execute code of an
attackers choice on the vulnerable machine. By sending a carefully crafted
session, an attacker can overwrite a section of the heap. Data structures in
the overwritten heap can be manipulated to move attacker-supplied data to
attacker supplied memory addresses, thereby altering the flow of execution
into an attacker supplied payload.

This is a very serious vulnerability and eEye suggests that administrators
install the Microsoft supplied patch as soon as possible.

The following example will show the vulnerable condition. The dllhost.exe
child process will silently die because the developers have replaced the
default exception filter. So if you want to examine this closer, load a
debugger up on the dllhost child process before you send this example
session over the wire.

**************Begin Session****************
POST /EEYE.htr HTTP/1.1
Host: 0day.big5.com
Transfer-Encoding: chunked

20
XXXXXXXXXXXXXXXXXXXXXXXXEEYE2002
0
[enter]
[enter]
**************End Session******************

Technical Description:

The example session above overwrites a section of the heap that contains
data structures related to the memory management system. By manipulating the
content of these structures we can overwrite an arbitrary 4 bytes of memory
with an attacker supplied address.

While many may believe that the risk for these types of vulnerabilities is
fairly low due to the fact that addressing is dynamic and brute force
techniques would need to be use in an attack, eEye strongly disagrees. This
premise is false as successful exploitation can be made with one attempt,
across dll versions. An attacker can overwrite static global variables,
stored function pointers, process management structures, memory management
structures, or any number of data types that will allow him to gain control
of the target application in one session.

SecureIIS(tm) Application Firewall for Microsoft IIS

It should be noted that clients using any version of SecureIIS from eEye
Digital Security are secure from this vulnerability. This vulnerability was
discovered by the eEye team while testing a new version of SecureIIS to help
further its protection abilities from similar classes of attack. To learn
more visit https://www.eeye.com/SecureIIS

Vendor Status:
Microsoft has released a security bulletin and patch:
https://www.microsoft.com/technet/security/

Beyond installing the Microsoft security patch it is also recommend to
disable the .htr ISAPI filter if you have not already done so. Microsoft’s
security advisory references more information on the steps of how to disable
the .htr ISAPI filter.

Credit: Riley Hassell

Greetings: Caesar, K2, Dark Spyrit, Solar Designer, Joey, Halvar, Gera,
Scut, Ilfak Guilfanov. And last but not least, Kasia and Jenn ;) and as
always, www.securityfocus.com.

Copyright (c) 1998-2002 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail alert@eEye.com for
permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
https://www.eEye.com
info@eEye.com

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close