WebApp Sec mailing list archives
RE: Webserver problems
From: kquest () toplayer com
Date: Mon, 13 Sep 2004 16:27:09 -0400
The event data shows that the SAS ISAPI module is processing the request in a thread from the IIS Asynchronous Thread Queue pool as opposed to doing it in its own thread (like ASP does). It's hard to know what is going on without knowing the IIS version, but it seems like the overflow occurs when the response is being encrypted. After some "magic" stuff is done in the ATQ thread, the SAS module is called (through WAM, Web Application Manager, which is the interface IIS uses to communicate with ISAPI applications). The SAS ISAPI module ends up calling the WriteFile() function, passing the response back to the IIS server, which, in turn, calls the SSL module to encrypt the reply and send it to the client. It seems like the server dies in the EncryptData() function while it's doing a string copy (rep movsb).

It's possible that I'm totally off... because I'm probably using a different IIS version.

Kyle

-----Original Message-----
From: Kyle Quest x 142
Sent: Monday, September 13, 2004 1:06 PM
To: webappsec () securityfocus com
Subject: RE: Webserver problems

It seems like we are dealing with an https request (that's why sspifilt is involved) to SAS, some web commerce IIS server extension I personally know nothing about (which extends IIS similarly to the way the PHP ISAPI module does). I'm not sure what that SAS IIS server extension is. It could be "SAS BI Web Services" or it could be something else.

Does anybody have any idea how SAS fits in this picture? What version of IIS is it anyway?

Kyle

-----Original Message-----
From: Mike Kalinovich [mailto:polaryzed () gmail com]
Sent: Friday, September 10, 2004 10:42 AM
To: webappsec () securityfocus com
Subject: Re: Webserver problems

The sspifilt is built into all IIS servers. It's the ISAPI filter that controls SSL, and probably much more than I know right now. It also has quite a few exploits available for it.

http://www.unital.com/research/ms_ssl_pct.pdf
http://www.securityfocus.com/bid/10115

Windows logs are generally quite useless when it comes to tracking down specifics about who broke into what (most people who break in on purpose don't leave logs for you to find). I would highly recommend you image the drive first, rebuild the server (since once you're compromised, you have no idea what else has been installed or done to it), then install URLScan and fully patch your system. As well, a software firewall like Sygate would definitely help protect it (or, if you have hardware firewalls, get them tuned properly).

--
Mike Kalinovich

On Fri, 10 Sep 2004 09:30:20 +0100, Dinis Cruz <dinis () ddplus net> wrote:

Some questions to help understand your issue better:
- What do you mean by malware? What exactly have you found?
- What do the other Windows logs say?
- Which ISAPI is that?
- Is that ISAPI included in all your webservers?

Dinis

-----Original Message-----
From: John Fisher [mailto:fisherjc () ameritech net]
Sent: 09 September 2004 03:33
To: webappsec () securityfocus com
Subject: Webserver problems

It appears that one of our web servers was compromised; malware was found on the server. Taken from the event log, the event below suggests that a buffer overflow was their 1st attack. Has anyone else seen anything like this, and am I right in thinking this suggests a buffer overflow?

Thanks
John Fisher

Event Type: Error
Event Source: WAM
Event Category: None
Event ID: 204
Date: 8/24/2004
Time: 2:12:26 PM
User: N/A
Computer: webserver1
Description:
The HTTP server encountered an unhandled exception while processing the ISAPI Application '
sspifilt!TerminateFilter + 0x9C8
sspifilt!HttpFilterProc + 0x1FF
w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR *,unsigned long,int) + 0x2006
w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR *,unsigned long,int) + 0x2BAB
w3svc!HTTP_REQ_BASE::WriteFile(void *,unsigned long,unsigned long *,unsigned long) + 0x71
w3svc!_WamDictatorDumpInfo@8 + 0x2F8B
wam + 0x8459
sasweb + 0x1A541
sasweb!HttpExtensionProc + 0x1E6A
wam!DllCanUnloadNow + 0x636
wam!DllCanUnloadNow + 0x20C
w3svc!HTTP_HEADERS::FindValue(char const *,unsigned long *) + 0xE2
w3svc!STR::Copy(char const *,unsigned long) + 0xC71
w3svc!STR::Copy(char const *,unsigned long) + 0xB49
w3svc!STR::Copy(char const *,unsigned long) + 0x9A2
w3svc!CLIENT_CONN::OnSessionStartup(int *,void *,unsigned long,int) + 0x642
w3svc!HTTP_HEADERS::Reset(void) + 0x1CA
w3svc!STR::Copy(char const *,unsigned long) + 0x16EF
ISATQ!CDirMonitor::RemoveEntry(class CDirMonitorEntry *) + 0x13A
+ 0x69FEF168
'.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.
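The stack in the WAM Event ID 204 description can be parsed and summarised the way the thread reads it (outermost frame shows the ATQ pool thread, an HttpExtensionProc frame names the ISAPI extension, the innermost frame is where it died), which makes such events easy to pull out of a log for review. This is an added example, not code from any poster; the frame layout ("module!symbol + 0xOFFSET", innermost first) is inferred from this one event, and the sample text is the event quoted above.

```python
import re

# Constructed sample: the WAM Event ID 204 Description quoted in the thread, frames run together as logged.
SAMPLE_DESCRIPTION = (
    "The HTTP server encountered an unhandled exception while processing the ISAPI Application ' "
    "sspifilt!TerminateFilter + 0x9C8 sspifilt!HttpFilterProc + 0x1FF "
    "w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR *,unsigned long,int) + 0x2006 "
    "w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR *,unsigned long,int) + 0x2BAB "
    "w3svc!HTTP_REQ_BASE::WriteFile(void *,unsigned long,unsigned long *,unsigned long) + 0x71 "
    "w3svc!_WamDictatorDumpInfo@8 + 0x2F8B wam + 0x8459 sasweb + 0x1A541 sasweb!HttpExtensionProc + 0x1E6A "
    "wam!DllCanUnloadNow + 0x636 wam!DllCanUnloadNow + 0x20C "
    "w3svc!HTTP_HEADERS::FindValue(char const *,unsigned long *) + 0xE2 "
    "w3svc!STR::Copy(char const *,unsigned long) + 0xC71 w3svc!STR::Copy(char const *,unsigned long) + 0xB49 "
    "w3svc!STR::Copy(char const *,unsigned long) + 0x9A2 "
    "w3svc!CLIENT_CONN::OnSessionStartup(int *,void *,unsigned long,int) + 0x642 "
    "w3svc!HTTP_HEADERS::Reset(void) + 0x1CA w3svc!STR::Copy(char const *,unsigned long) + 0x16EF "
    "ISATQ!CDirMonitor::RemoveEntry(class CDirMonitorEntry *) + 0x13A + 0x69FEF168 '."
)

# One frame is "module", optionally "!symbol(args)", then "+ 0xOFFSET"; frames are listed
# innermost first. The layout is inferred from this sample, not from IIS documentation.
FRAME_RE = re.compile(r"(\w+)(?:!([^+]+?))?\s*\+\s*0x([0-9A-Fa-f]+)")

def parse_frames(description):
    """Return [(module, symbol or None, offset)] for the stack quoted in the event text."""
    m = re.search(r"ISAPI Application '(.*?)'", description)
    stack = m.group(1) if m else description
    return [(f.group(1), (f.group(2) or "").strip() or None, int(f.group(3), 16))
            for f in FRAME_RE.finditer(stack)]

def triage(frames):
    """Summarise the stack as the thread reads it: origin thread, dispatched extension, fault."""
    modules = [mod for mod, _, _ in frames]
    symbols = [sym or "" for _, sym, _ in frames]
    return {
        "frames": len(frames),
        "faulting_module": modules[0],   # innermost frame: where the exception was raised
        "thread_origin": modules[-1],    # outermost frame: ISATQ = IIS async thread queue pool
        "isapi_extension": next((mod for mod, sym in zip(modules, symbols)
                                 if sym == "HttpExtensionProc"), None),
        "in_response_write": any(s.startswith("HTTP_REQ_BASE::WriteFile") for s in symbols),
    }

def worth_review(summary):
    """Flag a 204 that died in the SSL filter while an ISAPI extension's response was being written."""
    return (summary["faulting_module"] == "sspifilt" and summary["in_response_write"]
            and summary["isapi_extension"] is not None)
```

Running `triage(parse_frames(SAMPLE_DESCRIPTION))` on the sample reports 19 frames, an ISATQ origin, sasweb as the extension and sspifilt as the faulting module, which is exactly the chain Kyle describes above.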