Bugtraq mailing list archives

RE: ASLabs-2001-01: Multiple Security Problems in eEye SecureIIS


From: "Marc Maiffret" <marc () eeye com>
Date: Sat, 19 May 2001 00:43:39 -0700

You will find our response and fix information below. To download the latest
version of SecureIIS (v.1.0.4), visit the SecureIIS website at
http://www.eeye.com/secureiis/

<snip>
|Vendor: eEye (http://www.eEye.com)
|Product: SecureIIS
|(http://www.eeye.com/html/Products/SecureIIS/index.html)
<snip>
|Product description (from
|http://www.eeye.com/html/Products/SecureIIS/index.html):
|SecureIIS protects Microsoft IIS (Internet Information Services) Web
|servers from known and unknown attacks. SecureIIS wraps around IIS and
|works within it, verifying and analyzing incoming and outgoing Web
|server data for any possible security breaches. It combines the best
|features of Intrusion Detection Systems and Conventional Network
|Firewalls all into one, and it is custom tailored to your Web server.
|
|Release Date: May 17th, 2001.
|
|Authors: C-3P0 and R2-D2.
<snip>
|1. Keyword checking - SecureIIS promises "By checking for common
<snip>
| GET /whatever.script?user=%41DMIN HTTP/1.0
|And:
| POST /whatever.script HTTP/1.0
| Content-Type: application/x-www-form-urlencoded
| Content-Length: 10
|
| user=ADMIN

We have updated SecureIIS to properly handle various web encoding methods
including unicode and hex (%) style encoding.

We have also updated SecureIIS to perform keyword checking on POST data.

|2. Directory traversal - SecureIIS promises "In certain situations,
<snip>
| GET /whatever.script?file=/%2e%2e/%2e%2e/boot.ini HTTP/1.0
|And:
| POST /whatever.script HTTP/1.0
| Content-Type: application/x-www-form-urlencoded
| Content-Length: 20
|
| page=/../../boot.ini

The directory traversal checking bug described above was fixed when the
keyword and post bugs were fixed. See section 1.

|3. Buffer Overflows - For HTTP headers, SecureIIS promises (from
<snip>
| GET / HTTP/1.0
| Host: [500 x random a-z characters]

We have enabled individual header length checking in SecureIIS 1.0.4.

|4. Buffer Overflows in SecureIIS - if the request is large (several

SecureIIS did not suffer from a buffer overflow attack. There were a few
bugs though that might have led you to believe so. These bugs were actually
fixed in SecureIIS version 1.0.3 which was posted to our website on Thurs.
May 17th. The problem you were seeing was due to some issues with how IIS
itself allocates heap memory.

|Workaround: No workaround is known.

We first found out about this vulnerability from reading an advisory that
was posted (Fri 5/18/2001 10:49AM) by ASLabs (namely C-3P0 and R2-D2) to
various security mailing lists. While we wish they would have contacted us
in advance, we do appreciate bug reports and vulnerability research because
it helps us to create better products. As stated earlier we have since
posted (Sat 5/19/2001 12:27am) a new version of SecureIIS (version 1.0.4)
that fixes the bugs talked about in C-3PO and R2-D2's advisory.

These bugs were valid and therefore were dealt with at a top priority. The
bugs that were posted were most likely to affect third party apps rather
than IIS specific vulnerabilities. Basically this means that registered
users of SecureIIS have been protected from various IIS specific
vulnerabilities (unicode, nsfocus-decodebug, .printer, etc.) from the very
first beta of SecureIIS.

The following is a list of some of the new features/changes in SecureIIS:
Maximum POST Query Length Allowed
Processing of individual header length fields
High Bit Shellcode Protection in POST Data
Full decoding of all query strings (unicode and hex data)
Keyword filtering for POST data
Protect against Directory Traversal Exploits in Query String and POST Data

Once again, being that eEye itself does vulnerability research, we
definitely encourage vulnerability research from other organizations as it
helps to make products more secure. If anyone should find any other related
bugs within our software (SecureIIS, Retina, Iris) then please do not
hesitate to eMail bugs () eeye com or myself so that we can work with you to
fix the bugs ASAP.

Thanks!

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Web Application Firewall
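
The fixes described in the message above (decode before checking, apply the same checks to POST data, limit each header's length) can be sketched as follows. This is an added example, not eEye's code or part of the original post; the keyword list, limits and function names are assumptions, and only %XX hex encoding is handled.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed policy values for this example (not SecureIIS settings).
KEYWORDS = ("admin",)
MAX_HEADER_LEN = 256
MAX_DECODE_ROUNDS = 4

def canonicalize(raw):
    """Undo %XX encoding until stable; None if still encoded after the limit."""
    data = raw.replace("+", " ").encode("latin-1", "replace")
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            # Normalise separators and case so one comparison covers all forms.
            return data.decode("latin-1").replace("\\", "/").lower()
        data = decoded
    return None

def inspect_field(where, raw):
    """Return findings for one query string or form body."""
    text = canonicalize(raw)
    if text is None:
        return [f"{where}: too many encoding layers"]
    findings = [f"{where}: keyword '{kw}'" for kw in KEYWORDS if kw in text]
    if ".." in re.split(r"[/=&]", text):
        findings.append(f"{where}: directory traversal")
    return findings

def inspect_request(target, headers, body=""):
    """Check every header's length, then the decoded query string and body."""
    findings = [f"header {name}: {len(value)} bytes exceeds {MAX_HEADER_LEN}"
                for name, value in headers.items() if len(value) > MAX_HEADER_LEN]
    _, _, query = target.partition("?")
    findings += inspect_field("query", query)
    findings += inspect_field("body", body)
    return findings

if __name__ == "__main__":
    # The request shapes quoted in the advisory above, rebuilt as sample input.
    samples = [
        ("/whatever.script?user=%41DMIN", {}, ""),
        ("/whatever.script", {}, "user=ADMIN"),
        ("/whatever.script?file=/%2e%2e/%2e%2e/boot.ini", {}, ""),
        ("/whatever.script", {}, "page=/../../boot.ini"),
        ("/", {"Host": "a" * 500}, ""),
    ]
    for target, headers, body in samples:
        print(target, body, inspect_request(target, headers, body))
```

Because the comparison runs on the fully decoded, lower-cased text, the encoded and plain forms of each request produce the same finding, and input that is still encoded after the round limit is reported rather than passed through.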

