Bugtraq mailing list archives

Re: MFC ISAPI Framework Buffer Overflow


From: Chris Wysopal <cwysopal () atstake com>
Date: 12 Jul 2002 23:52:11 -0000

In-Reply-To: <001901c228f4$c963fe20$e62d1c41 () kc rr com>


BadBlue (and all vendors who wrote ISAPI extensions with MFC) should
recompile with Visual Studio 6.0 SP4 or later. There were serious
problems with many ISAPI extensions built with earlier versions of the MFC
libraries.

2 problems are documented in Microsoft KB articles:

ISAPI DLLs That Are Built with MFC Static Libraries Are Vulnerable to 
Denial of Service Attacks (Q310649)
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q310649

and

FIX: Access Violation in MFC ISAPI with Large Query String (Q216562)
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q216562

-Chris

Systems Affected: All ISAs written using MFC ISAPI framework
Issue: User-input length values can result in a buffer overflow.
Risk: Critical
Scope: Remote Server Compromise

The MFC ISAPI framework is widely used to build ISAs that
run on a multitude of web servers.

It has been discovered that the framework relies on user-input
values for request member lengths, making it prone to a buffer
overrun attack.

When I downloaded my copy of the BadBlue PWS and began
to test its bizarre "ext.dll" module for vulnerabilities, I found that
a specially malformed POST request:

