Bugtraq mailing list archives

MFC ISAPI Framework Buffer Overflow


From: "Matthew Murphy" <mattmurphy () kc rr com>
Date: Thu, 11 Jul 2002 11:05:33 -0500

Systems Affected: All ISAs written using MFC ISAPI framework
Issue: User-input length values can result in a buffer overflow.
Risk: Critical
Scope: Remote Server Compromise

The MFC ISAPI framework is widely used to build ISAs that
run on a multitude of web servers.

It has been discovered that the framework relies on user-input
values for request member lengths, making it prone to a buffer
overrun attack.

When I downloaded my copy of the BadBlue PWS and began
to test its bizarre "ext.dll" module for vulnerabilities, I found that
a specially malformed POST request:

POST /ext.dll HTTP/1.0
Content-Length: 1

AAAAAAAAAAAA[...]

could cause a buffer overflow in the server.  Further study of the
vulnerability by me revealed that the server crashed on this
request inside mfc42.dll.  This crash occurred when the DLL
accessed an overwritten pointer.

Although I thought this odd, I did not study it any more until I
was informed by BadBlue support that the overrun was indeed
inside of mfc42.dll.

It appears that the MFC library is accepting parameters to
indicate the length of various members, including the length of
POST entities.

If this input is not explicitly verified by the server, a buffer
overrun can occur during the execution of the ISAPI, and
this can either crash the server or a separate worker process
(depending on vendor/configuration).

SecurityFocus: BID 5188 ("Working Resources BadBlue
ISAPI Denial of Service Vulnerability") is one particular
instance of this exploit.  The exploit code above is sufficient
to exploit BID 5188.
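As an added illustration (not code from this advisory, from BadBlue or from MFC), a bounds-checked entity reader for an ISAPI-style extension: both the declared Content-Length and the byte count the web server has already delivered are treated as untrusted, and the copy is never sized from either value alone. The request_t struct, MAX_ENTITY, read_entity and run_case are hypothetical names chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified view of an ISAPI extension control block:
 * the entity length parsed from Content-Length and the bytes the web
 * server has already read. Both come from the client and are untrusted. */
typedef struct {
    uint32_t declared_len;       /* parsed from the Content-Length header */
    uint32_t available;          /* bytes already delivered in data       */
    const unsigned char *data;
} request_t;

#define MAX_ENTITY 65536u        /* absolute cap chosen for this example */

/* Allocates a buffer of the declared size only after cross-checking it
 * against the bytes actually present and the cap, then copies only the
 * bytes that exist. Returns bytes copied (the caller reads any remainder
 * into the same buffer), or -1 when the request is rejected. */
long read_entity(const request_t *req, unsigned char **out)
{
    *out = NULL;
    if (req->declared_len == 0 || req->declared_len > MAX_ENTITY)
        return -1;
    /* "Content-Length: 1" followed by a long body: more bytes were
     * delivered than declared, so a buffer sized from the header would
     * be overrun by a copy sized from the data. Refuse the request. */
    if (req->available > req->declared_len)
        return -1;
    unsigned char *buf = malloc(req->declared_len);
    if (buf == NULL)
        return -1;
    memcpy(buf, req->data, req->available);  /* never the declared size */
    *out = buf;
    return (long)req->available;
}

/* Constructed sample input: a body of 'A's with a chosen header value. */
long run_case(uint32_t declared, uint32_t available)
{
    static unsigned char body[256];
    memset(body, 'A', sizeof body);
    request_t req = { declared, available, body };
    unsigned char *buf = NULL;
    long n = read_entity(&req, &buf);
    free(buf);
    return n;
}

int main(void)
{
    printf("Content-Length: 1 with 256 bytes -> %ld\n", run_case(1, 256));
    return 0;
}
```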

"The reason the mainstream is thought
of as a stream is because it is
so shallow."
                     - Author Unknown
