[15205] in bugtraq
Re: Microsoft BackOffice component: adredir.asp
daemon@ATHENA.MIT.EDU (Michal Zalewski)
Mon Jun 5 00:00:48 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.21.0006031640370.4295-100000@dione.ids.pl>
Date: Sat, 3 Jun 2000 16:47:53 +0200
Reply-To: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
X-To: Microsoft Security Response Center <secure@microsoft.com>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <D1A11CCE78ADD111A35500805FD43F58080ADCA9@RED-MSG-04>

On Sun, 4 Jun 2000, Microsoft Security Response Center wrote:

> * There was no denial of service. When we sent a sufficiently long
> bogus URL to Adredir.asp, the server did drop the connection. This
> was an appropriate response, since the URL was invalid.

Hm, but other BO scripts usually won't drop the connection silently with, e.g., a
1 kB long parameter, returning an error message instead? I can't see any
URL validation scheme either; almost everything is passed through.

So, my question is: why does the script silently drop the connection (without any
error message or anything else) with, e.g., 1 kB of input data? It's rather
unique behaviour. And why do some values (around 500-510 bytes) cause
incomplete script output to be sent? Hmmm...

Also, with a really long url= parameter (I mean, over 1.5 kB) the server quite
often won't drop the specific connection, but keeps it alive without sending
any response for this HTTP request.

> * There was no opportunity to run arbitrary code. No matter how long
> the URL was, it did not overwrite either the stack or the heap. We
> double-checked our results by doing a source code review, and found
> that there are no fixed-length buffers at all in Adredir.asp, and the
> code appears to properly validate all inputs before using them.

It could also be a problem with IIS: does it properly handle long HTTP
headers returned by scripts? adredir.asp returns a long 'Location: ' header.
But there is a problem, IMHO.

_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
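
The thread above turns on how the server answers as the url= parameter grows: a proper error page, a silently closed connection, truncated script output, or a connection held open with no reply at all. The harness below is an added example written for this page; it is not code from Michal Zalewski, Microsoft or the BackOffice product. It sweeps a redirect endpoint with url= values of increasing length and sorts each exchange into one of those buckets, so a tester can record the behaviour reproducibly instead of eyeballing it. The `EchoRedirect` handler is a constructed stand-in that only copies url= into a Location header (the pass-through behaviour the post describes); it is not adredir.asp and does not reproduce any dropped-connection behaviour, it just gives the sweep something local to run against. The path `/adredir.asp`, the length list and the 3-second hang threshold are assumptions.

```python
"""Length-sweep harness for a redirect endpoint (constructed example)."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

TIMEOUT = 3.0  # assumed: seconds of silence before an exchange counts as "hung"


def classify(raw: bytes, error: Optional[Exception]) -> str:
    """Bucket one exchange as complete / incomplete / dropped / hung.

    complete   - a full header block (terminated by a blank line) arrived
    incomplete - some bytes arrived but the header block never finished
    dropped    - the server closed or reset without sending a single byte
    hung       - nothing arrived before TIMEOUT and the socket is still open
    """
    if isinstance(error, socket.timeout):
        return "hung" if not raw else "incomplete"
    if error is not None:               # e.g. ConnectionResetError mid-read
        return "dropped" if not raw else "incomplete"
    if not raw:
        return "dropped"                # clean EOF, zero bytes of response
    if b"\r\n\r\n" not in raw:
        return "incomplete"
    return "complete"


def probe(host: str, port: int, path: str, length: int) -> Tuple[str, int]:
    """Send one HTTP/1.0 GET with a url= value of `length` bytes.

    Returns (bucket, bytes_received).  HTTP/1.0 is used so a well-behaved
    server closes the connection after its reply, which makes a deliberate
    keep-alive indistinguishable from a hang only if the reply never comes.
    """
    request = (
        f"GET {path}?url={'A' * length} HTTP/1.0\r\n"
        f"Host: {host}\r\n\r\n"
    ).encode("ascii")
    raw, err = b"", None
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT) as sock:
            sock.sendall(request)
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                raw += chunk
    except OSError as exc:              # timeout, reset, refused, ...
        err = exc
    return classify(raw, err), len(raw)


def sweep(host: str, port: int, path: str, lengths: Iterable[int]) -> Dict[int, str]:
    """Probe each length once and return {length: bucket}."""
    return {n: probe(host, port, path, n)[0] for n in lengths}


class EchoRedirect(BaseHTTPRequestHandler):
    """Constructed stand-in for a pass-through redirect script (not adredir.asp).

    It copies the url= query value straight into a Location header, which is
    the behaviour the post describes, and nothing more.
    """

    def do_GET(self) -> None:
        target = parse_qs(urlsplit(self.path).query).get("url", [""])[0]
        self.send_response(302)
        self.send_header("Location", target)
        self.end_headers()

    def log_message(self, *args) -> None:
        pass  # keep the sweep's own output readable


def start_mock(port: int = 0) -> HTTPServer:
    """Run the stand-in on 127.0.0.1 in a daemon thread; port 0 picks a free port."""
    server = HTTPServer(("127.0.0.1", port), EchoRedirect)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_mock()
    try:
        # Lengths bracket the values mentioned in the thread (500-510 bytes, 1 kB, 1.5 kB).
        results = sweep("127.0.0.1", srv.server_port, "/adredir.asp",
                        [16, 256, 500, 505, 510, 1024, 1536, 2048])
        for n, verdict in results.items():
            print(f"url= length {n:5d}: {verdict}")
    finally:
        srv.shutdown()
```

Against the stand-in every length reports `complete`, which is the baseline a real endpoint should match; a run that shows `dropped` at 1 kB, `incomplete` around 505 bytes or `hung` above 1.5 kB is exactly the pattern the post argues about, and because each verdict is derived from the raw bytes and the socket error rather than from a rendered page, the same table can be handed over in a report or re-run after a patch. Pointing `sweep` at a real host should only be done on systems you are authorised to test.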