WebApp Sec mailing list archives

RE: Webserver problems


From: kquest () toplayer com
Date: Mon, 13 Sep 2004 16:27:09 -0400



The event data shows that the SAS ISAPI 
module is processing the request in a thread 
from the IIS Asynchronous Thread Queue pool 
as opposed to doing it in its own thread 
(like ASP does). 

It's hard to know what is going on without
knowing the IIS version, but it seems like
the overflow occurs when the response is
being encrypted. After some "magic" stuff
is done in the ATQ thread, the SAS module
is called (through WAM, Web Application Manager,
which is the interface IIS uses to communicate
with ISAPI applications). The SAS ISAPI
module ends up calling the WriteFile()
function passing the response back
to the IIS server, which, in turn,
calls the SSL module to encrypt the
reply and send it to the client. It seems like
the server dies in the EncryptData() function
while it's doing a string copy (rep movsb).
It's possible that I'm totally off... because
I'm probably using a different IIS version.

Kyle

-----Original Message-----
From: Kyle Quest x 142 
Sent: Monday, September 13, 2004 1:06 PM
To: webappsec () securityfocus com
Subject: RE: Webserver problems



It seems like we are dealing with an https request (that's why
sspifilt is involved) to SAS, some web commerce IIS server 
extension I personally know nothing about (which extends IIS
similar to the way PHP ISAPI module does). I'm not sure 
what that SAS IIS server extension is. It could be 
"SAS BI Web Services" or it could be something else.
Does anybody have any idea how SAS fits in this picture?

What version of IIS is it anyways?

Kyle

-----Original Message-----
From: Mike Kalinovich [mailto:polaryzed () gmail com]
Sent: Friday, September 10, 2004 10:42 AM
To: webappsec () securityfocus com
Subject: Re: Webserver problems


The sspifilt is built into all IIS servers.  It's the isapi filter
that controls SSL, and probably much more than I know right now.  It
also has quite a few exploits available for it.

http://www.unital.com/research/ms_ssl_pct.pdf

http://www.securityfocus.com/bid/10115

Windows logs are generally quite useless when it comes to tracking
down specifics about who broke into what (most people who break in on
purpose don't leave logs for you to find).

I would highly recommend you image the drive first, rebuild the server
(since once you're compromised, you have no idea what else has been
installed or done to it), then install URLScan and fully patch your
system.  As well, a software firewall like Sygate would definitely help
protect (or if you have hardware firewalls, get them tuned properly).

--
Mike Kalinovich



On Fri, 10 Sep 2004 09:30:20 +0100, Dinis Cruz <dinis () ddplus net> wrote:
Some questions to help understand your issue better:

- What do you mean by malware? What exactly have you found?
- What do the other windows logs say?
- Which ISAPI is that?
- Is that ISAPI included in all your webservers?

Dinis

-----Original Message-----
From: John Fisher [mailto:fisherjc () ameritech net]
Sent: 09 September 2004 03:33
To: webappsec () securityfocus com
Subject: Webserver problems



It appears that one of our web servers was compromised; malware was
found on the server. Taken from the event log, the event below suggests
that a buffer overflow was their 1st attack. Has anyone else seen
anything like this, and am I right in thinking this suggests a buffer
overflow?

Thanks

John Fisher

Event Type:   Error
Event Source: WAM
Event Category:       None
Event ID:     204
Date:         8/24/2004
Time:         2:12:26 PM
User:         N/A
Computer:     webserver1
Description:
The HTTP server encountered an unhandled exception while processing the
ISAPI Application '
sspifilt!TerminateFilter + 0x9C8
sspifilt!HttpFilterProc + 0x1FF
w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR
*,unsigned long,int) + 0x2006
w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR
*,unsigned long,int) + 0x2BAB
w3svc!HTTP_REQ_BASE::WriteFile(void *,unsigned long,unsigned long
*,unsigned long) + 0x71
w3svc!_WamDictatorDumpInfo@8 + 0x2F8B
wam + 0x8459
sasweb + 0x1A541
sasweb!HttpExtensionProc + 0x1E6A
wam!DllCanUnloadNow + 0x636
wam!DllCanUnloadNow + 0x20C
w3svc!HTTP_HEADERS::FindValue(char const *,unsigned long *) + 0xE2
w3svc!STR::Copy(char const *,unsigned long) + 0xC71
w3svc!STR::Copy(char const *,unsigned long) + 0xB49
w3svc!STR::Copy(char const *,unsigned long) + 0x9A2
w3svc!CLIENT_CONN::OnSessionStartup(int *,void *,unsigned long,int) +
0x642
w3svc!HTTP_HEADERS::Reset(void) + 0x1CA
w3svc!STR::Copy(char const *,unsigned long) + 0x16EF
ISATQ!CDirMonitor::RemoveEntry(class CDirMonitorEntry *) + 0x13A
 + 0x69FEF168
'.
For additional information specific to this message please visit the
Microsoft Online Support site located at:
http://www.microsoft.com/contentredirect.asp.
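An added triage helper, not code from this thread, from IIS or from SAS: it parses a WAM Event ID 204 description like the one John posted, rejoins frames the event log wrapped across lines, and names the ISAPI filter, the ISAPI extension and the thread-pool module on the faulting thread, which is the reading Kyle gives above (sspifilt, sasweb and ISATQ). The sample event text is a constructed, shortened excerpt of the description posted in the thread; the function and field names are my own.

```python
from __future__ import annotations
import re
from typing import NamedTuple

class Frame(NamedTuple):
    module: str | None   # e.g. "sspifilt"; None for a bare "+ 0x..." frame
    symbol: str | None   # e.g. "HttpFilterProc"; None for "wam + 0x8459"
    offset: int          # the "+ 0x..." displacement, as an int

# A complete frame ends in "+ 0x<hex>"; wrapped frames are joined until one does.
_FRAME_END = re.compile(r"\+\s*0x[0-9A-Fa-f]+$")
_FRAME = re.compile(r"^(?:(?P<module>\w+)(?:!(?P<symbol>.*?))?\s*)?\+\s*0x(?P<offset>[0-9A-Fa-f]+)$")

def parse_wam_204(description: str) -> list[Frame]:
    """Return the frames quoted between the single quotes after 'ISAPI Application'."""
    body = description[description.index("'") + 1:description.rindex("'")]
    frames, pending = [], ""
    for line in (ln.strip() for ln in body.splitlines() if ln.strip()):
        pending = f"{pending} {line}".strip()   # rejoin a frame split by the event log
        if _FRAME_END.search(pending):
            m = _FRAME.match(pending)
            if m is None: raise ValueError(f"unrecognised frame: {pending!r}")
            frames.append(Frame(m["module"], m["symbol"], int(m["offset"], 16)))
            pending = ""
    return frames

def triage(frames: list[Frame]) -> dict:
    """Name the components on the faulting thread; frames[0] is the innermost frame."""
    def exporter(entry: str) -> str | None:   # module whose exported entry point appears
        return next((f.module for f in frames if f.symbol == entry), None)
    return {
        "faulting_frame": frames[0],
        "isapi_filter": exporter("HttpFilterProc"),        # the ISAPI filter (sspifilt here)
        "isapi_extension": exporter("HttpExtensionProc"),  # the ISAPI extension (sasweb here)
        "thread_origin": next((f.module for f in reversed(frames) if f.module), None),
    }

# Constructed sample: a shortened excerpt of the event description posted in the thread.
SAMPLE_EVENT_DESCRIPTION = """The HTTP server encountered an unhandled exception while processing the ISAPI Application '
sspifilt!TerminateFilter + 0x9C8
sspifilt!HttpFilterProc + 0x1FF
w3svc!HTTP_REQ_BASE::WriteFile(void *,unsigned long,unsigned long
*,unsigned long) + 0x71
wam + 0x8459
sasweb!HttpExtensionProc + 0x1E6A
w3svc!CLIENT_CONN::OnSessionStartup(int *,void *,unsigned long,int) +
0x642
ISATQ!CDirMonitor::RemoveEntry(class CDirMonitorEntry *) + 0x13A
 + 0x69FEF168
'."""
```

Running `triage(parse_wam_204(SAMPLE_EVENT_DESCRIPTION))` reports sspifilt as the filter, sasweb as the extension and ISATQ as the thread origin, with the fault inside sspifilt!TerminateFilter.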