Bugtraq mailing list archives

Re: Windows 2000 IIS 5.0 Remote buffer overflow vulnerability (Remote SYSTEM Level Access)


From: "Dehner, Ben" <Btd () VALMONT COM>
Date: Wed, 2 May 2001 15:55:18 -0500

I guess I have a philosophical question about the use of a web proxy in this
case.  As the first poster points out, a firewall doesn't protect against
this IIS vulnerability, since everything is using standard HTTP protocol.
However, by adding in a web proxy, you are simply moving your vulnerability
from the web server to the proxy server.  Before a proxy server can apply
any allow/deny rules, it first must also parse the incoming HTTP request,
and is therefore potentially vulnerable to the same type of buffer overflow
as the web server.  If the web proxy server is from the same vendor as the web
server, it is not unlikely that it is built on common core code and has the
*same* vulnerability.

Ben Dehner

-----Original Message-----
From: Lincoln Yeoh [mailto:lyeoh () POP JARING MY]
Sent: Tuesday, May 01, 2001 8:58 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: Windows 2000 IIS 5.0 Remote buffer overflow vulnerability
(Remote SYSTEM Level Access)


At 01:15 PM 01-05-2001 -0700, Marc Maiffret wrote:
The Fallout:
As with our first remote SYSTEM level exploit for IIS 4.0 2 years ago, the
fallout from this second IIS remote overflow is also rather large. Once
again it does not matter what kind of security systems you have in place,
Firewalls, IDS's, etc.. because all of those systems can be bypassed and
your web server CAN be broken into via this vulnerability. To quote our
last

[Lincoln Yeoh]
Actually these attacks (and others) may not work if you have a web proxy
that allows clients to only access URLs that appear in the protected
website's content plus defined entry point URLs. The good old "default
deny" concept.

You only can ask for what the protected server says there is, or is OK.

I'm glossing over the details of course, but basically the proxy looks at
the protected webserver's content it is serving up, and only that which is
explicitly specified by the content is allowed. For example fields in forms
are limited to that specified by their SIZE parameter, and unspecified
parameters never get passed to the target URL.

...
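The default-deny proxy policy Lincoln Yeoh sketches above, as an added illustration that is not code from either poster: a request filter that allows only entry-point URLs and URLs found in the served content, drops parameters the content's forms do not define, rejects values longer than the form's SIZE, and, taking Ben Dehner's point that the proxy must itself parse the request first, bounds the request line before parsing it. The policy tables and sample requests are constructed; only GET query parameters are handled.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed policy, standing in for what the proxy would derive from the
# protected server's content: each allowed path maps to the form fields it
# defines and their SIZE limits. A path with no fields accepts no parameters.
ENTRY_POINTS = {"/": {}, "/index.html": {}}
CONTENT_MAP = {
    "/search.asp": {"q": 40, "page": 3},  # e.g. <input name="q" size="40">
    "/about.html": {},
}
MAX_REQUEST_LINE = 1024  # bound on what the proxy itself is willing to parse


def filter_request(request_line):
    """Return (allowed, path, kept_params) for one GET request line.

    Default deny: the path must be an entry point or appear in the served
    content; parameters the content's form does not define are dropped;
    defined parameters must fit within their SIZE limit.
    """
    # Parse nothing until the input is known to be within bounds.
    if len(request_line) > MAX_REQUEST_LINE:
        return False, None, {}
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET" or not parts[2].startswith("HTTP/1."):
        return False, None, {}
    url = urlsplit(parts[1])
    allowed_fields = {**ENTRY_POINTS, **CONTENT_MAP}.get(url.path)
    if allowed_fields is None:
        return False, url.path, {}  # not advertised by the content: deny
    kept = {}
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        limit = allowed_fields.get(name)
        if limit is None:
            continue  # unspecified parameter: never forwarded
        if len(value) > limit:
            return False, url.path, {}  # exceeds the form's SIZE: deny
        kept[name] = value
    return True, url.path, kept


if __name__ == "__main__":
    for line in ("GET /index.html HTTP/1.0",
                 "GET /search.asp?q=iis&debug=1 HTTP/1.1",
                 "GET /search.asp?page=1234 HTTP/1.1",
                 "GET /scripts/anything.dll HTTP/1.0"):
        print(line, "->", filter_request(line))
```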
