[Snort-sigs] Re: Microsoft IIS .htr heap overflow

Jason Yates jyates at ...512...
Thu Apr 11 14:54:13 EDT 2002


I'm guessing this rule in web-iis.rules will pick up any .htr buffer
overflow

web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
(msg:"WEB-IIS Overflow-htr access";flags: A+; uricontent:".htr"; nocase;
classtype:web-application-attack; sid:987; rev:3;)


-Jason Yates

On Wed, 2002-04-10 at 18:30, Jason Yates wrote:
> Anyone have some signatures for these overflows?
> 
> BTW I ran this SPIKE ./closed tool on my webserver and IIS crashed =(.
> 
> -Jason
> 
> ----
> 

> From: Dave Aitel <daitel at ...513...>
> To: bugtraq at ...113...
> Subject: SPIKE version released that detects .HTR and ISAPI overflows (see  spike.sourceforge.net)
> Date: 10 Apr 2002 11:24:18 -0400
> 
> At long last, SPIKE is once again allowed to be public. This is the
> fuzzer creation kit I wrote that finds the .HTR and ISAPI overflow
> vulnerabilities discussed here:
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-018.asp
> and
> here: http://www.atstake.com/research/advisories
> (The Microsoft advisory currently misattributes this vulnerability to
> Chris Wysopal instead of me :<.)
> 
> Anyways, the new SPIKE is available (in source code form only) from
> spike.sourceforge.net, as is the rather extensive Changelog. It's pretty
> useful for generic web app auditing as well now.
> 
> Yes, SPIKE is still GPL.
> 
> Dave Aitel
> 
> 
> 
> 
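
An added example, not part of the original message and not Snort's own code: a Python sketch of the `uricontent`/`nocase` test in the sid:987 rule quoted above, run over constructed request lines. It shows that the rule flags any request whose URI contains `.htr`. The percent-decoding step is an assumed stand-in for Snort's URI normalization, and the rule header, `flags` and `classtype` are parsed but not evaluated.

```python
import re
from urllib.parse import unquote

# Rule text as quoted in the message above, joined onto one line.
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
        '(msg:"WEB-IIS Overflow-htr access";flags: A+; uricontent:".htr"; '
        'nocase; classtype:web-application-attack; sid:987; rev:3;)')

def parse_options(rule):
    """Return the rule options as a dict; bare keywords (nocase) map to True."""
    body = re.search(r'\((.*)\)\s*$', rule).group(1)
    opts = {}
    for item in body.split(';'):
        if not item.strip():
            continue
        key, sep, value = item.partition(':')
        opts[key.strip()] = value.strip().strip('"') if sep else True
    return opts

def normalize_uri(uri):
    """Assumption: model URI normalization as percent-decoding only."""
    return unquote(uri)

def uricontent_hit(request_line, opts):
    """Apply only the uricontent/nocase test to one HTTP request line."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    uri, needle = normalize_uri(parts[1]), opts['uricontent']
    if opts.get('nocase'):
        uri, needle = uri.lower(), needle.lower()
    return needle in uri

# Constructed sample request lines (hypothetical paths, not captured traffic).
SAMPLES = [
    'GET /demo/page.htr HTTP/1.0',      # ordinary .htr access
    'GET /demo/PAGE.HTR?x=1 HTTP/1.0',  # matched because of nocase
    'GET /demo/page.%68tr HTTP/1.0',    # matched after percent-decoding
    'GET /docs/htr-notes.txt HTTP/1.0', # "htr" without the leading dot
    'GET /index.html HTTP/1.0',         # unrelated request
]

def evaluate(samples=SAMPLES):
    opts = parse_options(RULE)
    return [uricontent_hit(line, opts) for line in samples]

if __name__ == '__main__':
    for line, hit in zip(SAMPLES, evaluate()):
        print(('ALERT sid:987 ' if hit else 'no match      ') + line)
```

The rule carries no length or payload test, so an alert from it means an `.htr` resource was requested and still needs triage against the request itself.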





