Bugtraq mailing list archives
Re: Windows 2000 IIS 5.0 Remote buffer overflow vulnerability (Remote SYSTEM Level Access)
From: Lincoln Yeoh <lyeoh () POP JARING MY>
Date: Wed, 2 May 2001 09:57:42 +0800
At 01:15 PM 01-05-2001 -0700, Marc Maiffret wrote:
> The Fallout: As with our first remote SYSTEM level exploit for IIS 4.0 2 years ago, the fallout from this second IIS remote overflow is also rather large. Once again it does not matter what kind of security systems you have in place, Firewalls, IDS's, etc.. because all of those systems can be bypassed and your web server CAN be broken into via this vulnerability. To quote our last
Actually these attacks (and others) may not work if you have a web proxy that allows clients to only access URLs that appear in the protected website's content plus defined entry point URLs. The good old "default deny" concept. You can only ask for what the protected server says there is, or is OK.

I'm glossing over the details of course, but basically the proxy looks at the protected webserver's content it is serving up, and only that which is explicitly specified by the content is allowed. For example, fields in forms are limited to that specified by their SIZE parameter, and unspecified parameters never get passed to the target URL. With statefulness active it's impossible for people to use legit bookmarks to jump arbitrarily anywhere on a protected site. No deep linking unless specifically allowed ;).

This method also works for FTP (amongst other things), but it's a pain for people to have to do cd, dir, cd, dir before downloading ;) (so turn off statefulness!).

A significant amount of performance would be lost, but this could be offset somewhat by caching results where possible, and using the proxy on sites where security is more important than performance. This is where the gigahertz CPUs on DDR RAM come in I guess :).

Cheerio,
Link.
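A minimal positive-security ("default deny") URL policy of the kind Lincoln describes, added here as an illustration and not code from the original thread: the proxy learns the links and forms from the pages it serves, and a request is allowed only if its path is a declared entry point or a learned link, and its parameters are exactly those a learned form declares, each no longer than that field's SIZE. The sample HTML and entry-point list are constructed, and stateful session tracking is left out.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs


class _ContentExtractor(HTMLParser):
    """Collect link paths and form fields (name -> SIZE limit) from served HTML."""

    def __init__(self):
        super().__init__()
        self.links = set()
        self.forms = {}        # action path -> {field name: max length or None}
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.add(urlsplit(a["href"]).path)
        elif tag == "form":
            action = urlsplit(a.get("action") or "/").path
            self._form = self.forms.setdefault(action, {})
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form[a["name"]] = int(a.get("size") or 0) or None

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


class DefaultDenyPolicy:
    def __init__(self, entry_points):
        self.entry_points = set(entry_points)   # URLs clients may always start at
        self.links = set()
        self.forms = {}

    def learn(self, html):
        """Called on each response the proxy relays from the protected server."""
        ex = _ContentExtractor()
        ex.feed(html)
        self.links |= ex.links
        self.forms.update(ex.forms)

    def allow(self, url):
        parts = urlsplit(url)
        path = parts.path
        query = parse_qs(parts.query, keep_blank_values=True)
        if path in self.forms:
            fields = self.forms[path]
            if set(query) - set(fields):          # parameter the form never declared
                return False
            return all(limit is None or all(len(v) <= limit for v in vals)
                       for name, vals in query.items() for limit in [fields[name]])
        if query:                                  # no form declares params for this path
            return False
        return path in self.entry_points or path in self.links


# Constructed sample page the protected server would serve.
SAMPLE_PAGE = '<a href="/about.html">About</a>' \
              '<form action="/search"><input name="q" size="40"></form>'
```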