Bugtraq mailing list archives

Microsoft BackOffice component: adredir.asp


From: lcamtuf () TPI PL (Michal Zalewski)
Date: Sat, 3 Jun 2000 14:00:16 +0200


Bkgrnd: adredir.asp is a commonly used component of IIS-based commercial
sites, used to handle ad banners. Altavista dumps a pretty impressive list
of sites using it. Usually, this script lives in a subdirectory on the main IIS
server, or on a dedicated ad server - you could easily obtain its location
by inspecting banner code... adredir.asp is often renamed to
'redirect.asp' or so, but is quite popular.

This BO component (the first and only one I'm going to check - responsible web
admins shouldn't use IIS+ASP at all, choosing more secure solutions, like
Apache+SSI or even Apache+IIS, IMHO) has a buffer overflow. It can be
exploited by sending a request like:

GET /place_it_lives_in/adredir.asp?url=(more than +/- 500 bytes)

By choosing something around 500-510 bytes (depending on directory name
length), you'll notice the first change - the server will drop the connection
after returning a '302 Moved' HTTP header. Normally, it prints these headers,
and then some HTML code as well: <body><h1>Object Moved</h1>This object may be
found <a HREF="AAAA.... Probably this HTML is rendered into a small text
buffer, and the script crashes while trying to assemble it.

With approx. 1000 bytes of junk, the script will die without even displaying
headers. Funny. And exploitable, I guess. I have no idea about symptoms on an
NT machine, probably not much, at least it does not crash (wow, uncommon!).
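As an added example, not code from the post or from Microsoft, here is a small Python log check that flags requests to the ad-redirector script whose url= parameter is abnormally long, the condition described above. The common-log-style line format, the script-name set, the 450-byte threshold and the sample log lines are all assumptions constructed for illustration.

```python
"""Flag requests to IIS ad-redirector scripts with an oversized url= parameter.
Example code, not part of the original advisory; log format and thresholds
are assumptions chosen for illustration."""
import re
from urllib.parse import urlsplit, parse_qs

# Script names the post mentions; sites often rename adredir.asp, so extend this.
REDIRECTOR_SCRIPTS = {"adredir.asp", "redirect.asp"}
# The post reports trouble from roughly 500 bytes; alert a little below that.
URL_PARAM_LIMIT = 450

# Assumed common-log-style line: ip "METHOD target HTTP/x.y" status bytes
LOG_RE = re.compile(r'^(\S+) "(\S+) (\S+) HTTP/[\d.]+" (\d{3}) (\S+)$')

def inspect_line(line):
    """Return a finding dict for one log line, or None if it looks benign."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, method, target, status, size = m.groups()
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1].lower()
    if script not in REDIRECTOR_SCRIPTS:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    # Longest url= value in the request (the parameter the post names).
    url_len = max((len(v) for v in params.get("url", [])), default=0)
    if url_len <= URL_PARAM_LIMIT:
        return None
    return {"ip": ip, "script": script, "url_len": url_len,
            "status": int(status), "bytes": 0 if size == "-" else int(size)}

def scan(log_text):
    """Run inspect_line over every line and collect the findings."""
    return [f for f in map(inspect_line, log_text.splitlines()) if f]

# Constructed sample log (not real traffic): a normal click-through, a request
# near the ~500-byte mark answered with a 302 and no body, a ~1000-byte request
# with nothing sent back, and an unrelated request.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 "GET /ads/adredir.asp?url=http://example.invalid/landing HTTP/1.0" 302 412',
    '10.0.0.7 "GET /ads/adredir.asp?url=%s HTTP/1.0" 302 0' % ("A" * 520),
    '10.0.0.9 "GET /banner/redirect.asp?url=%s HTTP/1.0" 500 -' % ("B" * 1000),
    '10.0.0.3 "GET /index.asp HTTP/1.0" 200 3021',
])

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The status and bytes fields are carried along so an analyst can correlate a long url= value with the truncated or missing response the post describes.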

Have a good day. Someone might want to check if I'm right, but I can't
imagine it being anything other than an overflow.

Btw. OAS (Oracle Application Server) / OWL (Oracle Web Listener) users
shouldn't feel safe. More details soon.

Standard disclaimer applies. Yeah, yeah. Hi to: b0f, lam3rz, HERT, teso
and other people.

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

