Re: Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability

From: Renaud Deraison (deraisonnessus.org)
Date: Tue Mar 18 2003 - 18:30:04 CST


On Tue, Mar 18, 2003 at 02:38:45PM -0800, Royans Tharakan wrote:
> Did anyone try this out?

Yes. See the comments at the top of the plugin for the tests and their
results.

> Someone said that OWA is not at risk so we are not patching it for webdav.
> I tried using this code (wrote it again in Perl) but it doesn't work against any
> SP3 server.

Maybe you did not rewrite it properly - if you're not familiar with
NASL, I'd not be surprised.

The trick is simply to send a long argument to any WebDAV-related
command. Therefore SEARCH /AAAAA[...]AAA HTTP/1.1 should work.

Be sure to have the "too long buffer" be made of 65535 chars _exactly_.

                                -- Renaud

--
Renaud Deraison
The Nessus Project
http://www.nessus.org
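
A detection-side check for the request shape described in this message, as an added example that is not part of the original post or of the Nessus plugin: it flags request lines that use a WebDAV method with an overlong URI. `MAX_URI_LEN`, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# WebDAV methods (RFC 2518) plus SEARCH, the method named in the message.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}
MAX_URI_LEN = 4096   # assumption: local policy threshold, tune per site
PROBE_LEN = 65535    # argument length given in the message

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")

def classify(request_line):
    """Return None for lines this check ignores, else a finding dict."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return None
    method, uri = m.groups()
    # Only WebDAV methods are in scope; long GETs need a separate rule.
    if method not in WEBDAV_METHODS or len(uri) <= MAX_URI_LEN:
        return None
    # The message does not say whether the leading "/" counts toward
    # the 65535 chars, so accept either reading.
    exact = PROBE_LEN in (len(uri), len(uri) - 1)
    return {"method": method, "uri_len": len(uri), "matches_probe_len": exact}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f]

# Constructed sample request lines (not from a real capture).
SAMPLE = [
    "GET /index.html HTTP/1.1",
    "PROPFIND /docs/ HTTP/1.1",
    "GET /" + "B" * 70000 + " HTTP/1.1",
    "LOCK /" + "A" * 5000 + " HTTP/1.1",
    "SEARCH /" + "A" * 65535 + " HTTP/1.1",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```
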
