Date: Wed, 2 May 2001 12:54:45 -0700
From: Marc Maiffret <marc@EEYE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Windows 2000 .printer remote overflow proof of concept exploit

We have updated our advisory (http://www.eeye.com/html/Research/Advisories/AD20010501.html) to link to a proof of concept exploit for our Windows 2000 .printer ISAPI overflow vulnerability. The proof of concept code, when run against a vulnerable Win2k system, will create a file called www.eEye.com.txt on the root of drive c.

If you have a Windows 2000 web server then please install the Microsoft security patch ASAP.

This proof of concept exploit is not to be used as a method of testing to see if you're vulnerable or not. It has been published as a way to learn more about what is going on with specific technical details pertaining to this flaw. If you have not installed the Microsoft security patch then you are most likely vulnerable and need to patch your system ASAP.

As a side note... eEye Digital Security was contacted by a few of the rather large IDS vendors yesterday looking to get a copy of the example exploit so that they could create a signature for their IDS. Instead of replying to each of them individually we thought we would do so here and that way other IDS vendors will have the "heads up."

Creating an IDS signature that looks for a request of

GET /NULL.printer HTTP/1.0\nHost: eeyeoverflowstring\n\n

is not going to really do much for you. While you might catch our specific example exploit you will miss any other exploits that have been developed and are "in the wild." In order to correctly monitor for people launching attacks against the .printer ISAPI filter you should be looking for any GET requests of .printer and a large (you'll have to track down the buffer range yourself, around 420) Host: header. That is one of the ways that SecureIIS is able to generically stop the attack (simply speaking of course).

Anyway, have fun reading and learning from the example exploit. Ryan Permeh (ryan@eeye.com) has done a great job with it.

Also... There has been some talk on various mailing lists about methods of detecting if the .printer ISAPI filter is installed on a remote server. Now some people suggested opening IE and then typing in http://www.example.com/anything.printer which should then return an error like "Error in web printer install." However, by default IE shows "friendly" HTTP error messages and is not going to show you the ISAPI error message. So either turn off friendly HTTP error messages or use telnet (recommended).

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Web Application Firewall
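The detection advice in the message above, worked through as an added example (this is not eEye's code and is not part of the original post): a literal signature for the published PoC request next to the generic check the post recommends, a .printer target plus an oversized Host header, both run over constructed sample requests. The 420-byte threshold is taken from the post's "around 420" figure and is an assumption to be tuned; the decision to ignore the request method and match on the .printer extension alone is also an assumption that goes slightly beyond the post, which mentions only GET.

```python
"""Signature-based vs. generic detection of .printer ISAPI overflow attempts.

Added example for the Bugtraq post above; not eEye's code. Assumptions:
requests are HTTP/1.x request heads with CRLF or bare LF line endings, and
the Host header threshold of 420 bytes is the post's "around 420" figure.
"""

import re
from typing import Dict, Optional, Tuple

# Threshold taken from the post ("around 420"); tune against the real buffer.
HOST_LEN_THRESHOLD = 420

# The exact-match signature the post warns against (its PoC's request shape).
NAIVE_SIGNATURE = b"GET /NULL.printer HTTP/1.0\nHost: eeyeoverflowstring\n\n"


def parse_request(raw: bytes) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Return (method, target, headers) from an HTTP request head, or None."""
    text = raw.decode("latin-1")          # 1:1 byte mapping, never fails
    lines = re.split(r"\r?\n", text)      # accept CRLF and bare LF
    parts = lines[0].split()
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line == "":
            break                          # blank line ends the head
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def naive_match(raw: bytes) -> bool:
    """Literal signature: catches only the published PoC byte-for-byte."""
    return NAIVE_SIGNATURE in raw


def generic_match(raw: bytes, threshold: int = HOST_LEN_THRESHOLD) -> bool:
    """Flag any request routed to the .printer extension that carries an
    oversized Host header, regardless of path, method, version or padding."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    _method, target, headers = parsed
    path = target.split("?", 1)[0]         # drop the query string
    # The ISAPI extension is selected by the file extension (case-insensitive
    # on Windows). The post talks about GET; matching on the extension alone
    # and ignoring the verb is an assumption made here, not from the post.
    if not path.lower().endswith(".printer"):
        return False
    return len(headers.get("host", "")) >= threshold


# Constructed sample traffic (not captured data).
SAMPLES: Dict[str, bytes] = {
    # the PoC shape exactly as quoted in the post (placeholder host string)
    "poc_literal": NAIVE_SIGNATURE,
    # same request with a Host value long enough to overflow
    "poc_long_host": b"GET /NULL.printer HTTP/1.0\nHost: " + b"X" * 450 + b"\n\n",
    # a rewritten exploit: new path, HTTP/1.1, CRLF, mixed-case header, NOP sled
    "variant": (b"POST /a.PRINTER?x=1 HTTP/1.1\r\nhOsT: " + b"\x90" * 500
                + b"\r\nConnection: close\r\n\r\n"),
    # a legitimate printer request: must not fire
    "benign_printer": b"GET /printers/hp.printer HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    # unrelated traffic
    "benign_html": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def evaluate(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Tuple[bool, bool]]:
    """Return {name: (naive_hit, generic_hit)} for each sample request."""
    return {name: (naive_match(raw), generic_match(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (naive, generic) in evaluate().items():
        print(f"{name:15} naive={naive!s:5} generic={generic}")
```

Running it shows the point of the post: the literal signature fires only on the quoted placeholder request (which, with its short Host value, is not even an overflow) and misses both the PoC with a real 450-byte Host and the rewritten POST variant, while the generic check catches both and stays quiet on ordinary .printer and HTML requests.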