[Snort-sigs] Re: Microsoft IIS .htr heap overflow
jyates at ...512...
Thu Apr 11 14:54:13 EDT 2002
I guessing this rule in web-iis.rules will pick up any .htr buffer
web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
(msg:"WEB-IIS Overflow-htr access";flags: A+; uricontent:".htr"; nocase;
classtype:web-application-attack; sid:987; rev:3;)
On Wed, 2002-04-10 at 18:30, Jason Yates wrote:
> Anyone have some signatures for these overflows?
> BTW I ran this SPIKE ./closed tool on my webserver and IIS crashed =(.
> From: Dave Aitel <daitel at ...513...>
> To: bugtraq at ...113...
> Subject: SPIKE version released that detects .HTR and ISAPI overflows (see spike.sourceforge.net)
> Date: 10 Apr 2002 11:24:18 -0400
> At long last, SPIKE is once again allowed to be public. This is the
> fuzzer creation kit I wrote that finds the .HTR and ISAPI overflow
> vulnerabilities discussed here:
> here: http://www.atstake.com/research/advisories
> (The Microsoft advisory currently misattributes this vulnerability to
> Chris Wysopal instead of me :<.)
> Anyways, the new SPIKE is available (in source code form only) from
> spike.sourceforge.net, as is the rather extensive Changelog. It's pretty
> useful for generic web app auditing as well now.
> Yes, SPIKE is still GPL.
> Dave Aitel
More information about the Snort-sigs