OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Marc Maiffret (marceeye.com)
Date: Sat May 19 2001 - 02:43:39 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    You will find our response and fix information below. To download the latest
    version of SecureIIS (v.1.0.4) then visit the SecureIIS website at,
    http://www.eeye.com/secureiis/

    <snip>
    |Vendor: eEye (http://www.eEye.com)
    |Product: SecureIIS
    |(http://www.eeye.com/html/Products/SecureIIS/index.html)
    <snip>
    |Product description (from
    |http://www.eeye.com/html/Products/SecureIIS/index.html):
    |SecureIIS protects Microsoft IIS (Internet Information Services) Web
    |servers from known and unknown attacks. SecureIIS wraps around IIS and
    |works within it, verifying and analyzing incoming and outgoing Web
    |server data for any possible security breaches. It combines the best
    |features of Intrusion Detection Systems and Conventional Network
    |Firewalls all into one, and it is custom tailored to your Web server.
    |
    |Release Date: May 17th, 2001.
    |
    |Authors: C-3P0 and R2-D2.
    <snip>
    |1. Keyword checking - SecureIIS promises "By checking for common
    <snip>
    | GET /whatever.script?user=%41DMIN HTTP/1.0
    |And:
    | POST /whatever.script HTTP/1.0
    | Content-Type: application/x-www-form-urlencoded
    | Content-Length: 10
    |
    | user=ADMIN

    We have updated SecureIIS to properly handle various web encoding methods
    including unicode and hex (%) style encoding.

    We have also updated SecureIIS to perform keyword checking on POST data.

    |2. Directory traversal - SecureIIS promises "In certain situations,
    <snip>
    | GET /whatever.script?file=/%2e%2e/%2e%2e/boot.ini HTTP/1.0
    |And:
    | POST /whatever.script HTTP/1.0
    | Content-Type: application/x-www-form-urlencoded
    | Content-Length: 20
    |
    | page=/../../boot.ini

    The directory traversal checking bug described above was fixed when the
    keyword and post bugs were fixed. See section 1.

    |3. Buffer Overflows - For HTTP headers, SecureIIS promises (from
    <snip>
    | GET / HTTP/1.0
    | Host: [500 x random a-z charachers]

    We have enabled individual header length checking in SecureIIS 1.0.4.

    |4. Buffer Overflows in SecureIIS - if the request is large (several

    SecureIIS did not suffer from a buffer overflow attack. There were a few
    bugs though that might have lead you to believe so. These bugs were actually
    fixed in SecureIIS version 1.0.3 which was posted to our website on Thurs.
    May 17th. The problem you were seeing was due to some issues with how IIS
    itself allocates heap memory.

    |Workaround: No workaround is known.

    We first found out about this vulnerability from reading an advisory that
    was posted (Fri 5/18/2001 10:49AM) by ASLabs (namely C-3P0 and R2-D2) to
    various security mailing lists. While we wish they would have contacted us
    in advance, we do appreciate bug reports and vulnerability research because
    it helps us to create better products. As stated earlier we have since
    posted (Sat 5/19/2001 12:27am) a new version of SecureIIS (version 1.0.4)
    that fixes the bugs talked about in C-3PO and R2-D2's advisory.

    These bugs were valid and therefore were dealt with at a top priority. The
    bugs that were posted were most likely to affect third party apps rather
    than IIS specific vulnerabilities. Basically this means that registered
    users of SecureIIS have been protected from various IIS specific
    vulnerabilities (unicode,nsfocus-decodebug,.printer,etc...) from the very
    first beta of SecureIIS.

    The following is a list of some of the new features/changes in SecureIIS:
    Maximum POST Query Length Allowed
    Processing of individual header length fields
    High Bit Shellcode Protection in POST Data
    Full decoding of all query strings (unicode and hex data)
    Keyword filtering for POST data
    Protect against Directory Traversal Exploits in Query String and POST Data

    Once again, being that eEye itself does vulnerability research, we
    definitely encourage vulnerability research from other organizations as it
    helps to make products more secure. If anyone should find any other related
    bugs within our software (SecureIIS, Retina, Iris) then please do not
    hesitate to eMail bugseeye.com or myself so that we can work with you to
    fix the bugs ASAP.

    Thanks!

    Signed,
    Marc Maiffret
    Chief Hacking Officer
    eEye Digital Security
    T.949.349.9062
    F.949.349.9538
    http://eEye.com/Retina - Network Security Scanner
    http://eEye.com/Iris - Network Traffic Analyzer
    http://eEye.com/SecureIIS - Web Application Firewall