what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

aspdll.txt

aspdll.txt
Posted Jul 20, 2006
Authored by Brett Moore SA | Site security-assessment.com

A buffer overflow exists in ASP.DLL that can be exploited by creating a .asp file containing a parameter for the include SSI command. Software affected include IIS 5.0, 5.1, and 6.0.

tags | advisory, overflow, asp
SHA-256 | 15106fae66f1a64dd28018a095af362d82f101972557818a0a6c8f94dfd36787

aspdll.txt

Change Mirror Download
========================================================================
= ASP.DLL Include File Buffer Overflow
=
= MS Bulletin posted:
= http://www.microsoft.com/technet/security/Bulletin/MS06-034.mspx
=
= Affected Software:
= IIS 5.0
= IIS 5.1
= IIS 6.0
=
= Public disclosure on July 19, 2006
========================================================================

== Overview ==

A buffer overflow exists in ASP.DLL that can be exploited by creating
a .asp file containing a parameter for the include SSI command.

<!-- #include file="<long buffer>" -->OVERFLOWDATA

The include function in ASP.DLL, checks if the parameter is longer than
260 bytes. If it is then an error is caused, but before causing the
error
a miscalculated copy is done.

mov edi, [ebp+var_228] ; load length of parameter
cmp edi, 104h ; check if larger than 260 bytes
jbe short loc_
mov esi, [ebp+var_22C] ; load address of parameter
lea eax, [edi+esi-104h] ; load eax with the address of the last
; 260 bytes of the parameter
; (length of string+source of string)-
104h
lea edx, [ebp+var_211] ; load edx with address on stack
sub edx, eax ;
mov cl, [eax] ; \
mov [edx+eax], cl ; do the copy
inc eax ; and overflow the stack
test cl, cl ; /
jnz short loc_7096D1F3 ;

Funnily enough, the solution was to remove this copy as the resulting
data was never actually used.

== Exploitation ==

Exploitation requires the ability to upload or somehow create a file
with
a .asp extension in a folder that will allow .asp processing.

Since ASP.DLL usually runs under the IWAM_ account, there is no
privilege
escalation through this vulnerability. It is however possible to bypass
any security restrictions enforced by ASP. It also allows for the
execution of APIS that have no ASP equivalent.

== Solutions ==

- Install the vendor supplied patch.

== Credit ==

Discovered and advised to Microsoft February, 2006 by Brett Moore of
Security-Assessment.com

Same Bug Different App
http://www.security-assessment.com/Presentations/SBDA_Ruxcon_2005.ppt

In memory of;
http://www.nsfocus.com/english/homepage/research/0305.htm
and
http://www.eeye.com/html/research/advisories/AD20001003.html

== About Security-Assessment.com ==

Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors
products.

--
This message has been scanned for viruses and
dangerous content by Bizo Email Filter, and is
believed to be clean.

Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close