Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: NGSSoftware Insight Security Research (nisr_at_nextgenss.com)
Date: Mon Aug 19 2002 - 10:04:27 CDT
NGSSoftware Insight Security Research Advisory
Name: Multiple Remote Buffer Overruns TOMAHAWKS' STEELARROW
Systems Affected: WinNT, Win2K (Not tested on other platforms)
Severity: High Risk
Category: Remote System Buffer Overrun
Vendor URL: http://www.tomahawk.com
Author: Mark Litchfield (markngssoftware.com)
Date: 19th August 2002
Advisory number: #NISR19082002B
SteelArrow is an easy to use Web Application Server offering the latest in
Internet connectivity and dynamic content development. SteelArrow offers
developers full web application development functionality and fully tested
run time reliability. Steelarrow operates as an extension (on WinNT/2K) to
Microsoft IIS, Apache and Netscape Enterprise servers.
Buffer Overrun 1)
SteelArrow tracks user sessions with cookies in the form of
UserIdent=XXXXXXXXXXXX. By supplying an overly long vlaue in the Cookie
HTTP header a buffer overflow occurs in the Steelarrow Service
(Steelarrow.exe) overwriting a saved return address on the stack.
Steelarrow, by default on Win2k/WinNT is installed as a system service. Any
arbitary code executed using this vulnerability will run with system
Buffer Overrun 2)
By making an overly long request for a .aro (extension used by Steelarrow)
file, an access violation occurs in DLLHOST.EXE (Steelarrow.dll), again
overwriting a saved return address on the stack. Any code will execute in
the security context of the IWAM account.
Buffer Overrun 3)
It's that Chunked Transfer-Encoding issue again. By making a request for a
.aro file an including a specific Transfer-Encoding: Chunked request within
the HTTP request header fields and access violation occurs in DLLHOST.EXE
due to a heap overflow. Again any arbitary code execution will run in the
context of the IWAM account.
NGSSoftware alerted the vendor to these buffer overflow issues on the 1st
2nd and 3rd of April 2002. A fix is available from
A check for these issues has been added to Typhon II, of which more
information is available from the
NGSSoftware website, http://www.ngssoftware.com.
For further information about the scope and effects of buffer overflows,