Enterprise Overflow
daniel (neophyte SNICKERS.ORG)
Sun, 12 Sep 1999 00:07:43 -0400
- Next message: Russ: "Re: Enterprise Overflow"
- Previous message: Mnemonix: "Re: SoftArc's FirstClass E-mail Client"
- Next in thread: Russ: "Re: Enterprise Overflow"
- Reply: Russ: "Re: Enterprise Overflow"
- Reply: Nobuo Miwa: "Re: Enterprise Overflow"
Posted on dark spyrit's behalf...

Our apologies for holding back on this info, we just had a few things to
sort out first.

As is the norm for an ISS advisory, retrieving any useful information is
completely out of the question - after all, the market value of a product
is at stake.

Heaven forbid that the xforce would give the security community real
information, without asking anything in return. I dread the day.

So rather than being duped into downloading the scanner, and still gain no
insight on the vulnerability itself, we at beavuh will share what we know.

An overflow exists in the "Accept" header field, which can be exploited
with any of the common request methods.

e.g:

    GET / HTTP/1.0
    Accept: (a page or so of data)

The fact that this overflow also affects other request methods rather than
just "GET" leads me to believe that this may not be the same hole the
xforce mentioned.

Hopefully we will receive a reply offering more detailed information, or
at least acknowledge that this is/isn't the same hole.

Be sure to check out the new issue of Phrack, which includes my article on
Win32 overflows.
Everything from location using disassembly techniques, to exploiting the
weakness, through to adding your own code to the binary executable(s) to
prevent the vulnerabilities.

The shellcode spawns a full-blown command prompt on any port you specify,
without relying on downloading external files - which seems to be the
trend with win32 remote exploits.

We may release demonstration code for Enterprise if the need arises.

dark spyrit / Barnaby Jack <dspyrit beavuh.org>
beavuh - bend over and pray.
http://www.beavuh.org
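
Added example, not part of the original post or of any vendor's code: a filter-side check for the condition the message describes, an over-long "Accept" header on any request method. The 1024-byte limit, the function names and the sample requests are assumptions made for illustration.

```python
# Flag HTTP requests whose Accept header is abnormally long, whatever the
# request method. The limit and sample requests below are assumptions.
MAX_ACCEPT_LEN = 1024  # assumed: legitimate Accept values are far shorter


def parse_request(raw: bytes):
    """Return (method, headers) for a raw request; headers is a list of
    (lowercased name, value) pairs with folded continuation lines joined."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].decode("ascii", "replace")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t") and headers:
            # Obsolete line folding: continuation of the previous value.
            name, value = headers[-1]
            headers[-1] = (name, value + b" " + line.strip())
        elif b":" in line:
            name, value = line.split(b":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return method, headers


def oversized_accept(raw: bytes, limit: int = MAX_ACCEPT_LEN):
    """Return (method, total_length) if the Accept value exceeds limit,
    else None. Repeated Accept fields are summed, since repeated header
    fields can be combined into a single comma-separated value."""
    method, headers = parse_request(raw)
    total = sum(len(v) for n, v in headers if n == b"accept")
    return (method, total) if total > limit else None


# Constructed sample requests (not captured traffic).
NORMAL = b"GET / HTTP/1.0\r\nAccept: text/html, image/gif, */*\r\n\r\n"
LONG_GET = b"GET / HTTP/1.0\r\nAccept: " + b"x" * 4000 + b"\r\n\r\n"
LONG_HEAD = b"HEAD / HTTP/1.0\r\nAccept: " + b"x" * 4000 + b"\r\n\r\n"
FOLDED = (b"POST /f HTTP/1.0\r\nAccept: " + b"x" * 600
          + b"\r\n " + b"y" * 600 + b"\r\n\r\n")
SPLIT = b"GET / HTTP/1.0\r\n" + (b"Accept: " + b"x" * 300 + b"\r\n") * 4 + b"\r\n"

if __name__ == "__main__":
    for label, req in [("normal", NORMAL), ("long GET", LONG_GET),
                       ("long HEAD", LONG_HEAD), ("folded", FOLDED),
                       ("split", SPLIT)]:
        print(label, oversized_accept(req))
```

The folded and split cases matter because a check that measures only the first physical "Accept:" line would pass both of them.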
This archive was generated by hypermail 2.0b3 on Sun Sep 12 1999 - 09:33:24 CDT