Penetration Testing mailing list archives

Re: ASP code testing

From: "Bojo" <bojo_alex () yahoo com>
Date: Mon, 19 Nov 2001 00:38:08 +0200

I am ASP programmer. I don't think that some buffer overflow can occur in
your case because scripting engine checks bounds of data types.
In your case somewhere is line of code like:
v = Request.QueryString("id")
i = CInt(v)
First - in this case your ids are limited to 32767 - check your data that if
this is possible.
Solution is to replace this with: i = CLng(v)  (hope all is clear here)
But I have seen this and you must check for code like this:
v = Request.QueryString("id")
Query = "Select * from table where table_id = " & v
ExecQuery(Query)
....
That is - there is no cast to integer and as parameter can be passed
anything and it is concatenated directly to Query.
You can execute something like
http://www.asite.com/show/showsomething.asp?ID=32767;Update+Salary+Set+value
+=+value*2+Where+name='Dan'
the semicolumn (;) is terminator for batch querys in sql server and ADO 2.5
and later will execute this correctly ;)


----- Original Message -----
From: "Dan Richardson" <dan.richardson () paradise net nz>
To: <pen-test () securityfocus com>
Sent: Sunday, November 18, 2001 1:00 AM
Subject: ASP code testing

Regards
Bojidiar Alexandrov

I'm currently testing some ASP code on an e-commerce site. My question
is could this be used to execute a buffer overflow exploit?

The following URL:

http://www.asite.com/show/showsomething.asp?ID=5

Will retrieve a legitmate item from the database. By playing with the
number a bit-

http://www.asite.com/show/showsomething.asp?ID=32767

Will generate

ADODB.Field error '80020009'

Either BOF or EOF is True, or the current record has been deleted.
Requested operation requires a current record.

But if I bump that number up to 32768 (unsigned integer limit)-

Microsoft VBScript runtime error '800a0006'

Overflow: 'cint'

/show/showsomething.asp, line x


Thanks

Dan



--------------------------------------------------------------------------

--

This list is provided by the SecurityFocus Security Intelligence Alert

(SIA)

Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please

see:

https://alerts.securityfocus.com/



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Current thread:

ASP code testing Dan Richardson (Nov 18)
- Re: ASP code testing Bojo (Nov 19)
- Re: ASP code testing Kevin Spett (Nov 19)
- RE: ASP code testing Omar Koudsi (Nov 19)
- <Possible follow-ups>
- Re: ASP code testing rudi carell (Nov 19)