Microsoft IIS SSI Buffer Overrun Privilege Elevation Vulnerability

The following is an exploit provided by NSFocus:

1. Create a file "test.shtml" with the following content:

<!--#include file="AAAA[...]AA"-->

The number of 'A' characters should be more than 2049.

2. Create a directory "a" under the Web root directory.
Copy "test.shtml" into the "a" directory.

3. Request "test.shtml" through a web browser:
http://webhost/a/test.shtml

4. IIS would return a blank page, which indicates that an overflow has occurred.
Meanwhile, the trailing '\0' has overwritten the last byte of the saved EBP.

By contrast, if the included file has a shorter name such as 'AA', IIS
would return an SSI error message referring to the file '/a/AA' when it
receives the request.
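A defender's check for the condition described above, added here as an example and not part of the NSFocus advisory: it parses SSI include directives in web content files and flags any whose argument exceeds the 2048-byte limit implied by the steps above, while ordinary short includes like '/a/AA' pass. The SSI file extensions, the web-root walk and the sample content are my assumptions and constructed input, not taken from the advisory.

```python
import os
import re

# Per the advisory, an include argument of more than 2048 bytes overruns the
# buffer, so 2048 is the longest argument treated as safe here.
MAX_SAFE_INCLUDE_LEN = 2048
# Extensions IIS maps to its SSI handler (ssinc.dll) by default (assumption).
SSI_EXTENSIONS = (".shtml", ".shtm", ".stm")
# Matches <!--#include file="..."--> and <!--#include virtual="..."-->.
SSI_INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]*)"\s*-->',
    re.IGNORECASE,
)


def find_overlong_includes(content, limit=MAX_SAFE_INCLUDE_LEN):
    """Return (parameter, argument_length) for each SSI include directive
    whose argument is longer than `limit`; short includes such as the
    '/a/AA' case in the advisory produce no finding."""
    findings = []
    for match in SSI_INCLUDE_RE.finditer(content):
        param, target = match.group(1).lower(), match.group(2)
        if len(target) > limit:
            findings.append((param, len(target)))
    return findings


def scan_web_root(root, limit=MAX_SAFE_INCLUDE_LEN):
    """Walk a web root; return {path: findings} for SSI files with overlong includes."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(SSI_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="latin-1") as fh:
                findings = find_overlong_includes(fh.read(), limit)
            if findings:
                results[path] = findings
    return results


# Constructed sample content (not from the advisory): one legitimate include
# and one built as the advisory describes, with 2049 'A' characters.
BENIGN_SHTML = '<html><!--#include virtual="/inc/header.html"--></html>'
SUSPECT_SHTML = '<!--#include file="' + "A" * 2049 + '"-->'

if __name__ == "__main__":
    print(find_overlong_includes(BENIGN_SHTML))   # []
    print(find_overlong_includes(SUSPECT_SHTML))  # [('file', 2049)]
```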

Additionally, a remote shell exploit 'jim.c' has been made available by Indigo <indig0@talk21.com>.

Copyright 2010, SecurityFocus