Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:13534
HistoryJul 22, 2006 - 12:00 a.m.

ASP.DLL Include File Buffer Overflow

2006-07-2200:00:00
vulners.com
7
JSON

========================================================================

= ASP.DLL Include File Buffer Overflow

= MS Bulletin posted:
= http://www.microsoft.com/technet/security/Bulletin/MS06-034.mspx

= Affected Software:
= IIS 5.0
= IIS 5.1
= IIS 6.0

= Public disclosure on July 19, 2006

== Overview ==

A buffer overflow exists in ASP.DLL that can be exploited by creating
a .asp file containing a parameter for the include SSI command.

<!-- #include file="<long buffer>" –>OVERFLOWDATA

The include function in ASP.DLL, checks if the parameter is longer than
260 bytes. If it is then an error is caused, but before causing the
error
a miscalculated copy is done.

mov edi, [ebp+var_228] ; load length of parameter
cmp edi, 104h ; check if larger than 260 bytes
jbe short loc_
mov esi, [ebp+var_22C] ; load address of parameter
lea eax, [edi+esi-104h] ; load eax with the address of the last
; 260 bytes of the parameter
; (length of string+source of string)-
104h
lea edx, [ebp+var_211] ; load edx with address on stack
sub edx, eax ;
mov cl, [eax] ; mov [edx+eax], cl ; do the copy
inc eax ; and overflow the stack
test cl, cl ; /
jnz short loc_7096D1F3 ;

Funnily enough, the solution was to remove this copy as the resulting
data was never actually used.

== Exploitation ==

Exploitation requires the ability to upload or somehow create a file
with
a .asp extension in a folder that will allow .asp processing.

Since ASP.DLL usually runs under the IWAM_ account, there is no
privilege
escalation through this vulnerability. It is however possible to bypass
any security restrictions enforced by ASP. It also allows for the
execution of APIS that have no ASP equivalent.

== Solutions ==

  • Install the vendor supplied patch.

== Credit ==

Discovered and advised to Microsoft February, 2006 by Brett Moore of
Security-Assessment.com

Same Bug Different App
http://www.security-assessment.com/Presentations/SBDA_Ruxcon_2005.ppt

In memory of;
http://www.nsfocus.com/english/homepage/research/0305.htm
and
http://www.eeye.com/html/research/advisories/AD20001003.html

== About Security-Assessment.com ==

Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors
products.

This message has been scanned for viruses and

dangerous content by Bizo Email Filter, and is

believed to be clean.

JSON