Home Blog Papers Advisories Alerts Tools Services About eEye.com
eEye Digital Security
Blog PostsBlog Posts
Aug 29
MS07-046 Update Jul 18
Free ePO Vulnerability Scanner May 17
BrightStor Code Execution Zero-Day, BootRoot, & Versa Apr 13
Zero-Day Alert: Microsoft DNS RPC
Published AdvisoriesPublished Advisories
Severity: HIGHNov 20
BitDefender Online Scanner 8 Double Decode Heap Overflow
Severity: HIGHNov 15
Multiple Vulnerabilities In .FLAC File Format and Various Media Applications

Severity: HIGHOct 11
CA BrightStor ARCserve Backup Server Arbitrary Pointer Dereference


Upcoming AdvisoriesUpcoming Advisories
Severity: HIGHNov 15
Linksys

Severity: HIGHOct 3
CA BrightStor Arcserve Backup Server Service Disruption

eEye Research Logo Sign Up for Vulnerability Assessment News
Advisories | Published Advisories | AD20020612

Windows 2000 and NT4 IIS .HTR Remote Buffer Overflow

Release Date:
June 12, 2002

Severity:
High (Remote Code Execution)

Vendor:
Microsoft

Systems Affected:
Microsoft Windows NT 4.0 Internet Information Services 4.0
Microsoft Windows 2000 Internet Information Services 5.0

Overview:
A vulnerability in transfer chunking, in combination with the processing of HTR request sessions can be exploited to remotely execute code of an attackers choice on the vulnerable machine. By sending a carefully crafted session, an attacker can overwrite a section of the heap. Data structures in the overwritten heap can be manipulated to move attacker-supplied data to attacker supplied memory addresses, thereby altering the flow of execution into an attacker supplied payload.

This is a very serious vulnerability and eEye suggests that administrators install the Microsoft supplied patch as soon as possible.

The following example will show the vulnerable condition. The dllhost.exe child process will silently die because the developers have replaced the default exception filter. So if you want to examine this closer, load a debugger up on the dllhost child process before you send this example session over the wire.

POST /EEYE.htr HTTP/1.1
Host: 0day.big5.com
Transfer-Encoding: chunked

20
XXXXXXXXXXXXXXXXXXXXXXXXEEYE2002
0
[enter]
[enter]

Technical Details:
Technical Description:
The example session above overwrites a section of the heap that contains data structures related to the memory management system. By manipulating the content of these structures we can overwrite an arbitrary 4 bytes of memory with an attacker supplied address.

While many may believe that the risk for these types of vulnerabilities is fairly low due to the fact that addressing is dynamic and brute force techniques would need to be use in an attack, eEye strongly disagrees. This premise is false as successful exploitation can be made with one attempt, across dll versions. An attacker can overwrite static global variables, stored function pointers, process management structures, memory management structures, or any number of data types that will allow him to gain control of the target application in one session.

SecureIIS Web Server Protection for Microsoft IIS
It should be noted that clients using any version of SecureIIS from eEye Digital Security are secure from this vulnerability. This vulnerability was discovered by the eEye team while testing a new version of SecureIIS to help further its protection abilities from similar classes of attack. To learn more visit http://www.eeye.com/SecureIIS

Vendor Status:
Vendor Status:
Microsoft has released a security bulletin and patch:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-028.asp

Beyond installing the Microsoft security patch it is also recommend to disable the .htr ISAPI extension if you have not already done so. Microsoft's security advisory references more information on the steps of how to disable the .htr ISAPI extension.

Credit:
Riley Hassell

Greetings:
Caesar, K2, Dark Spyrit, Solar Designer, Joey, Halvar, Gera,
Scut, Ilfak Guilfanov. And last but not least, Kasia and Jenn ;) and as always, www.securityfocus.com.

Copyright (c) 1998-2008 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
 Privacy l Legal
Copyright © 1998-2008 eEye Digital Security