buffer overrun attack
Hi..
We've had a number of different IIS services get attacked from bunches of different ISP addresses with what appear to be buffer overrun attacks with URLs of the form
SEARCH /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
(in the interests of brevity, I didn't include all of it, but it's a long run of A's plus random junk). The URLs, at least what we see in the IIS logs, do not contain a lot of binary data and for the most part don't appear to impact our servers, but we are kind of curious what exploit they're trying to make.
Thanks
-mark
Wei-Dong XU [MSFT] 2004-03-24, 9:34 pm
Hi Mark,
Buffer overrun is a very dangerous security threat to your IIS and Windows server. Simply speaking, a buffer overrun means the memory pointer has
been pointed to an uncontrolled position; this means the attacker can access un-permitted memory addresses, and then he could make the execution of
the thread jump to another memory address to run some malicious application to control the whole box, take down IIS, or anything else he'd like to
do. For example, if one pointer is pointing to one character string and the customer moves the pointer over the end boundary of the string, the pointer is now
located at an uncontrolled position in the system, and then he could feel free to do something in your box. This Platform SDK article and KB 811114
introduce more information for you on this:
Avoiding Buffer Overruns
http://msdn.microsoft.com/library/d...er_overruns.asp
MS03-018: May 2003 Cumulative Patch for Internet Information Services (IIS)
http://support.microsoft.com/?id=811114
Furthermore, for security development, Michael Howard and Keith Brown have written one wonderful article on this:
Defend Your Code with Top Ten Security Tips Every Developer Must Know
http://msdn.microsoft.com/msdnmag/i...ps/default.aspx
In addition, please update your box via windows update to install the security patches and other updates which will strengthen your box.
Please feel free to let me know if you have any further questions.
Best Regards,
Wei-Dong Xu
Microsoft Product Support Services
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
Karl Levinson [x y] mvp 2004-03-25, 6:35 am
I think perhaps he was asking what exact exploit.
Here is a description of an attack against the WebDAV / NTDLL vulnerability
from February 2003:
http://archives.neohapsis.com/archi...03-03/0109.html
I got this from a Google search of the term SEARCH-/AAAAA
"Wei-Dong XU [MSFT]" <v-wdxu@online.microsoft.com> wrote in message
news:bC9POzgEEHA.756@cpmsftngxa06.phx.gbl...
Thanks, Karl... Guess I should have Googled before I posted
-mark
Wei-Dong XU [MSFT] 2004-03-25, 9:35 pm
Hi Mark,
Sorry for my mis-understanding on your issue!
If you want to know the exact exploit behind the buffer overrun attack, you can check the log to see whether there is any machine code after the
"AAA". If there is some there, this is the key for you to analyse the attack, for these codes are used to perform some harmful operations in your box. If
none is found, so far as I know, the attacker just wants to bring down your box.
Please feel free to let me know if you have any further questions.
Best Regards,
Wei-Dong Xu
Microsoft Product Support Services
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
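The log check described in the reply above, as an added example that is not part of the original thread: a small Python scanner over constructed IIS W3C extended log lines (sample data, not real traffic) that picks out SEARCH requests whose path is dominated by a long run of one repeated character, decodes the percent-encoded remainder after the filler, and flags any bytes outside printable ASCII as a candidate payload. The 64-byte run threshold, the field list and the sample lines are assumptions for illustration; the real requests the thread describes are far longer than the 300-byte filler used here.

```python
"""Scan IIS W3C extended log lines for long 'SEARCH /AAAA...' requests
and report whether anything non-printable follows the filler.
Added example for this thread; the sample log and thresholds are constructed."""
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample in IIS 6 W3C extended format (not real traffic).
# 300 filler bytes stand in for the much longer runs seen in the wild.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 6.0",
    "#Version: 1.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2004-03-24 09:01:12 10.0.0.5 GET /index.htm - 200",
    "2004-03-24 09:02:44 198.51.100.7 SEARCH /" + "A" * 300 + "%90%90%EB%1C - 500",
    "2004-03-24 09:02:45 198.51.100.7 SEARCH /" + "A" * 300 + " - 500",
    "2004-03-24 09:03:10 203.0.113.9 SEARCH /webdav/ - 207",
    "2004-03-24 09:04:00 192.0.2.44 SEARCH /" + "A" * 300 + "Zz01 - 500",
])


def parse_w3c(text):
    """Turn W3C extended log text into a list of {field: value} dicts.

    The '#Fields:' directive names the columns; other '#' lines are skipped.
    Lines whose column count does not match the header are dropped as malformed.
    """
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split(" ")
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def analyze(rows, min_run=64):
    """Return one finding per SEARCH request whose decoded path contains a run
    of at least min_run identical bytes (the 'AAAA...' filler).

    The trailer is whatever follows the longest run; bytes outside printable
    ASCII there are what the reply above calls 'machine code after the AAA'.
    """
    filler = re.compile(rb"(.)\1{%d,}" % (min_run - 1), re.DOTALL)
    findings = []
    for row in rows:
        if row.get("cs-method", "").upper() != "SEARCH":
            continue
        raw = unquote_to_bytes(row.get("cs-uri-stem", ""))   # undo %XX encoding
        run = max(filler.finditer(raw), key=lambda m: m.end() - m.start(), default=None)
        if run is None:
            continue
        trailer = raw[run.end():]
        findings.append({
            "c-ip": row.get("c-ip", "-"),
            "time": row.get("date", "") + " " + row.get("time", ""),
            "filler_byte": run.group(1),
            "run_len": run.end() - run.start(),
            "uri_len": len(raw),
            "trailer": trailer,
            "binary_trailer": any(b < 0x20 or b > 0x7E for b in trailer),
        })
    return findings


def summarize(findings):
    """Count flagged SEARCH requests per source address."""
    return Counter(f["c-ip"] for f in findings)


if __name__ == "__main__":
    hits = analyze(parse_w3c(SAMPLE_LOG))
    for h in hits:
        print(f'{h["time"]} {h["c-ip"]}: run of {h["run_len"]} x {h["filler_byte"]!r}, '
              f'trailer={h["trailer"]!r}, binary={h["binary_trailer"]}')
    for ip, n in summarize(hits).most_common():
        print(f"{ip}: {n} flagged request(s)")
```

One caveat when reading the results: IIS logs record the request line and the headers they are configured to log, not the request body, so a clean trailer in the log shows only that nothing binary was in the logged URI, not that the request carried no payload. Grouping hits by source address, as summarize does, is the quicker way to tell one scanner from many.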
Karl Levinson [x y] mvp 2004-03-26, 11:49 am
Well, I was glad you posted. I noticed that a second person in the
Incidents mailing list at www.securityfocus.com posted a similar but
different Search string. I'm guessing that maybe we're seeing this new
increase because of the Agobot / Gaobot Trojan which can spread via the
NTDLL MS03-007 vulnerability. New Agobot / Phatbot / Polybot variants seem
to be discovered at a rate of several per day lately.
"Mark" <msdnonline@lycos-inc.com> wrote in message
news:B42A2F5A-0425-4909-A75C-715D1F98A09F@microsoft.com...