Bugtraq mailing list archives

Re: Microsoft BackOffice component: adredir.asp


From: lcamtuf () DIONE IDS PL (Michal Zalewski)
Date: Sat, 3 Jun 2000 16:47:53 +0200


On Sun, 4 Jun 2000, Microsoft Security Response Center wrote:

> * There was no denial of service.  When we sent a sufficiently long
>   bogus URL to Adredir.asp, the server did drop the connection.  This
>   was an appropriate response, since the URL was invalid.

Hm, but other BO scripts usually won't drop the connection silently with
e.g. a 1 kB long parameter, returning an error message instead? I can't see
any URL validation scheme, either - almost everything is passed thru.

So, my question is: why does the script silently drop the connection
(without any error message or anything else) with e.g. 1 kB of input data -
it's rather unique behaviour - and why do some values (around 500-510 bytes)
cause incomplete script output to be sent? Hmmm...

Also, with a really long url= parameter (I mean, over 1.5 kB) the server
quite often won't drop the specific connection, but keeps it alive, without
sending any response for this HTTP request.

> * There was no opportunity to run arbitrary code.  No matter how long
>   the URL was, it did not overwrite either the stack or the heap.  We
>   double-checked our results by doing a source code review, and found
>   that there are no fixed-length buffers at all in Adredir.asp, and the
>   code appears to properly validate all inputs before using them.

It could also be a problem with IIS - does it properly handle long HTTP
headers returned by scripts? adredir.asp returns a long 'Location: ' header.
But there is a problem, IMHO.

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
