Vulnerability Development mailing list archives

Re: All versions of Microsoft Internet Information Services, Remote buffer overflow (SYSTEM Level Access)


From: "Stefan R." <stef () idrci net>
Date: Tue, 19 Jun 2001 13:57:28 -0400

Hi,

The intriguing part is the relatively small size of the overflow condition
(240 chars without the code insertion).

We checked it against our CHX-I engine and - just as with the previous MS
overflow - we caught the attempt before it reached the web server (including
evasive variations of the overflow) with several fundamental overlapping
rules (size of request method, attempt to access null. objects, etc.).

Does anyone know the smallest overflow condition in a commercial server (web)?


Regards,

R. Stefan
stef () idrci net
514.331.5858
http://www.idrci.net/default.htm?home=en








----- Original Message -----
From: "Marc Maiffret" <marc () eeye com>
To: "Vuln-Dev" <vuln-dev () securityfocus com>
Sent: Monday, June 18, 2001 7:54 PM
Subject: All versions of Microsoft Internet Information Services, Remote
buffer overflow (SYSTEM Level Access)


I didn't want to spam you all with the full advisory but I thought you guys
might like Ryan Permeh's note on wide character overflow exploitation. It is
in "The Exploit" section of our advisory.

He talks about it in our latest IIS .ida ISAPI overflow advisory:
http://www.eeye.com/html/Research/Advisories/AD20010618.html

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Web Application Firewall


