Bugtraq mailing list archives

Re: Windows 2000 IIS 5.0 Remote buffer overflow vulnerability (Remote SYSTEM Level Access)


From: Lincoln Yeoh <lyeoh () POP JARING MY>
Date: Wed, 2 May 2001 09:57:42 +0800

At 01:15 PM 01-05-2001 -0700, Marc Maiffret wrote:
> The Fallout:
> As with our first remote SYSTEM level exploit for IIS 4.0 2 years ago, the
> fallout from this second IIS remote overflow is also rather large. Once
> again it does not matter what kind of security systems you have in place,
> Firewalls, IDSs, etc. because all of those systems can be bypassed and
> your web server CAN be broken into via this vulnerability. To quote our last

Actually these attacks (and others) may not work if you have a web proxy
that allows clients to only access URLs that appear in the protected
website's content plus defined entry point URLs. The good old "default
deny" concept.

You only can ask for what the protected server says there is, or is ok.

I'm glossing over the details of course, but basically the proxy looks at
the protected web server's content it is serving up, and only that which is
explicitly specified by the content is allowed. For example, fields in forms
are limited to that specified by their SIZE parameter, and unspecified
parameters never get passed to the target URL.

With statefulness active it's impossible for people to use legit bookmarks
to jump arbitrarily anywhere on a protected site. No deep linking unless
specifically allowed ;).

This method also works for FTP (amongst other things), but it's a pain for
people to have to do cd, dir, cd, dir before downloading ;) (so turn off
statefulness!).

A significant amount of performance would be lost, but this could be offset
somewhat by caching results where possible, and using the proxy on sites
where security is more important than performance. This is where the
gigahertz CPUs on DDR RAM come in I guess :).

Cheerio,
Link.
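The content-derived "default deny" filter Lincoln describes, sketched as an added Python example (not code from the post, and not any particular proxy product): the proxy parses each page it serves, records the links and form definitions on it, and then refuses any request whose path the client was never shown (apart from configured entry points), drops parameters the form never declared, and rejects a field longer than its SIZE/MAXLENGTH. The `stateful` flag models the bookmark point: per-session knowledge versus a site-wide map. All class and function names and the sample page are constructed for this example.

```python
"""Default-deny proxy filter built from the content the protected server serves."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ContentPolicyParser(HTMLParser):
    """Collect link paths and form field specs (name -> max length) from one page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = set()
        self.forms = {}      # action path -> {field name: max length or None}
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.add(self._path(a["href"]))
        elif tag == "form":
            # A form with no action submits back to the page it sits on.
            self._form = self.forms.setdefault(self._path(a.get("action", self.base_url)), {})
        elif tag == "input" and self._form is not None and a.get("name"):
            size = a.get("maxlength") or a.get("size")
            self._form[a["name"]] = int(size) if size and size.isdigit() else None

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

    def _path(self, href):
        return urlsplit(urljoin(self.base_url, href)).path or "/"


class SiteMap:
    """Everything the protected server has been seen to offer (shared by all sessions)."""

    def __init__(self):
        self.paths = set()
        self.forms = {}

    def add(self, parser):
        self.paths |= parser.links | set(parser.forms)
        self.forms.update(parser.forms)


class SessionFilter:
    """stateful=True: only what this client was shown (plus entry points) is allowed,
    so a bookmark deep into the site is refused. stateful=False: anything in the
    site-wide map is allowed."""

    def __init__(self, site, entry_points, stateful=True):
        self.site, self.entry_points, self.stateful = site, set(entry_points), stateful
        self.seen = SiteMap()          # what this particular client has been shown

    def learn(self, url, html):
        """Called by the proxy on every response it relays to the client."""
        p = ContentPolicyParser(url)
        p.feed(html)
        self.site.add(p)
        self.seen.add(p)

    def check(self, path, params):
        """Return (allowed, filtered params, reason) for a client request."""
        view = self.seen if self.stateful else self.site
        if path not in view.paths and path not in self.entry_points:
            return False, {}, "path not referenced by served content"
        spec = view.forms.get(path)
        if spec is None:
            return (False, {}, "parameters sent to a non-form URL") if params else (True, {}, "ok")
        kept = {}
        for name, value in params.items():
            if name not in spec:
                continue           # undeclared parameter: never forwarded
            if spec[name] is not None and len(value) > spec[name]:
                return False, {}, f"field {name} exceeds declared size {spec[name]}"
            kept[name] = value
        return True, kept, "ok"


# Constructed sample page the protected server would serve at its entry point.
SAMPLE_PAGE = """<html><body>
<a href="/about.html">About</a> <a href="/products/list">Products</a>
<form action="/search" method="get">
  <input type="text" name="q" size="40"><input type="hidden" name="lang" value="en">
</form></body></html>"""


def demo():
    site = SiteMap()
    alice = SessionFilter(site, entry_points={"/"}, stateful=True)
    out = {"entry": alice.check("/", {})[0]}
    alice.learn("http://example.test/", SAMPLE_PAGE)       # proxy relays the entry page
    out["linked"] = alice.check("/about.html", {})[0]
    out["unreferenced"] = alice.check("/admin/config", {})[0]
    ok, kept, _ = alice.check("/search", {"q": "widgets", "debug": "1"})
    out["form"] = (ok, kept)
    out["oversize"] = alice.check("/search", {"q": "x" * 41})[0]
    bob = SessionFilter(site, entry_points={"/"}, stateful=True)   # arrives via bookmark
    out["bookmark_stateful"] = bob.check("/about.html", {})[0]
    bob.stateful = False
    out["bookmark_stateless"] = bob.check("/about.html", {})[0]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The parser only looks at `<a href>` and `<form>`/`<input>`; a real deployment would also have to cover script-generated requests, redirects and the other places a URL can come from, which is where the performance cost Lincoln mentions comes from.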

