{"id": "SECURITYVULNS:DOC:3068", "bulletinFamily": "software", "title": "ADVISORY: Windows 2000 and NT4 IIS .HTR Remote Buffer Overflow [AD20020612]", "description": "Windows 2000 and NT4 IIS .HTR Remote Buffer Overflow\r\n\r\nRelease Date:\r\nJune 12, 2002\r\n\r\nSeverity:\r\nHigh (Remote code execution)\r\n\r\nSystems Affected:\r\nMicrosoft Windows NT 4.0 Internet Information Services 4.0\r\nMicrosoft Windows 2000 Internet Information Services 5.0\r\n\r\nA vulnerability in transfer chunking, in combination with the processing of\r\nHTR request sessions can be exploited to remotely execute code of an\r\nattackers choice on the vulnerable machine. By sending a carefully crafted\r\nsession, an attacker can overwrite a section of the heap. Data structures in\r\nthe overwritten heap can be manipulated to move attacker-supplied data to\r\nattacker supplied memory addresses, thereby altering the flow of execution\r\ninto an attacker supplied payload.\r\n\r\nThis is a very serious vulnerability and eEye suggests that administrators\r\ninstall the Microsoft supplied patch as soon as possible.\r\n\r\nThe following example will show the vulnerable condition. The dllhost.exe\r\nchild process will silently die because the developers have replaced the\r\ndefault exception filter. So if you want to examine this closer, load a\r\ndebugger up on the dllhost child process before you send this example\r\nsession over the wire.\r\n\r\n**************Begin Session****************\r\nPOST /EEYE.htr HTTP/1.1\r\nHost: 0day.big5.com\r\nTransfer-Encoding: chunked\r\n\r\n20\r\nXXXXXXXXXXXXXXXXXXXXXXXXEEYE2002\r\n0\r\n[enter]\r\n[enter]\r\n**************End Session******************\r\n\r\nTechnical Description:\r\n\r\nThe example session above overwrites a section of the heap that contains\r\ndata structures related to the memory management system. By manipulating the\r\ncontent of these structures we can overwrite an arbitrary 4 bytes of memory\r\nwith an attacker supplied address.\r\n\r\nWhile many may believe that the risk for these types of vulnerabilities is\r\nfairly low due to the fact that addressing is dynamic and brute force\r\ntechniques would need to be use in an attack, eEye strongly disagrees. This\r\npremise is false as successful exploitation can be made with one attempt,\r\nacross dll versions. An attacker can overwrite static global variables,\r\nstored function pointers, process management structures, memory management\r\nstructures, or any number of data types that will allow him to gain control\r\nof the target application in one session.\r\n\r\nSecureIIS(tm) Application Firewall for Microsoft IIS\r\n\r\nIt should be noted that clients using any version of SecureIIS from eEye\r\nDigital Security are secure from this vulnerability. This vulnerability was\r\ndiscovered by the eEye team while testing a new version of SecureIIS to help\r\nfurther its protection abilities from similar classes of attack. To learn\r\nmore visit http://www.eeye.com/SecureIIS\r\n\r\nVendor Status:\r\nMicrosoft has released a security bulletin and patch:\r\nhttp://www.microsoft.com/technet/security/\r\n\r\nBeyond installing the Microsoft security patch it is also recommend to\r\ndisable the .htr ISAPI filter if you have not already done so. Microsoft\u2019s\r\nsecurity advisory references more information on the steps of how to disable\r\nthe .htr ISAPI filter.\r\n\r\nCredit: Riley Hassell\r\n\r\nGreetings: Caesar, K2, Dark Spyrit, Solar Designer, Joey, Halvar, Gera,\r\nScut, Ilfak Guilfanov. And last but not least, Kasia and Jenn ;) and as\r\nalways, www.securityfocus.com.\r\n\r\nCopyright (c) 1998-2002 eEye Digital Security\r\nPermission is hereby granted for the redistribution of this alert\r\nelectronically. It is not to be edited in any way without express consent of\r\neEye. If you wish to reprint the whole or any part of this alert in any\r\nother medium excluding electronic medium, please e-mail alert@eEye.com for\r\npermission.\r\n\r\nDisclaimer\r\nThe information within this paper may change without notice. Use of this\r\ninformation constitutes acceptance for use in an AS IS condition. There are\r\nNO warranties with regard to this information. In no event shall the author\r\nbe liable for any damages whatsoever arising out of or in connection with\r\nthe use or spread of this information. Any use of this information is at the\r\nuser's own risk.\r\n\r\nFeedback\r\nPlease send suggestions, updates, and comments to:\r\n\r\neEye Digital Security\r\nhttp://www.eEye.com\r\ninfo@eEye.com\r\n", "published": "2002-06-13T00:00:00", "modified": "2002-06-13T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:3068", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:06", "edition": 1, "viewCount": 41, "enchantments": {"score": {"value": 3.0, "vector": "NONE", "modified": "2018-08-31T11:10:06", "rev": 2}, "dependencies": {"references": [{"type": "nessus", "idList": ["EULEROS_SA-2020-1498.NASL", "EULEROS_SA-2020-1457.NASL", "EULEROS_SA-2020-1496.NASL", "EULEROS_SA-2020-1477.NASL", "EULEROS_SA-2020-1491.NASL", "EULEROS_SA-2020-1494.NASL", "EULEROS_SA-2020-1483.NASL", "EULEROS_SA-2020-1489.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562311220201494", "OPENVAS:1361412562311220201431", "OPENVAS:1361412562311220201489", "OPENVAS:1361412562311220201457", "OPENVAS:1361412562311220201477", "OPENVAS:1361412562311220201400", "OPENVAS:1361412562311220201491", "OPENVAS:1361412562311220201476", "OPENVAS:1361412562311220201430", "OPENVAS:1361412562311220201473"]}], "modified": "2018-08-31T11:10:06", "rev": 2}, "vulnersScore": 3.0}, "affectedSoftware": []}

{"rst": [{"lastseen": "2021-03-05T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **112[.]195.117.9** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **20**.\n First seen: 2020-12-23T03:00:00, Last seen: 2021-03-05T03:00:00.\n IOC tags: **generic**.\nASN 4837: (First IP 112.192.0.0, Last IP 112.195.255.255).\nASN Name \"CHINA169BACKBONE\" and Organisation \"CNCGROUP China169 Backbone\".\nASN hosts 561095 domains.\nGEO IP information: City \"\", Country \"China\".\nIOC could be a **False Positive** (May be a Cloud provider IP).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-23T00:00:00", "id": "RST:564DC08C-9F66-3068-8433-127C359F52AF", "href": "", "published": "2021-03-06T00:00:00", "title": "RST Threat feed. IOC: 112.195.117.9", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-05T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **107[.]170.240.244** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **10**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-03-05T03:00:00.\n IOC tags: **generic**.\nASN 14061: (First IP 107.170.0.0, Last IP 107.170.255.255).\nASN Name \"DIGITALOCEANASN\" and Organisation \"DigitalOcean LLC\".\nThis IP is a part of \"**digitalocean**\" address pools.\nASN hosts 3348428 domains.\nGEO IP information: City \"San Francisco\", Country \"United States\".\nIOC could be a **False Positive** (Cloud provider IP).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:3EBDBB1D-77F8-3068-9C3F-404E1FB1AF34", "href": "", "published": "2021-03-06T00:00:00", "title": "RST Threat feed. IOC: 107.170.240.244", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-05T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **108[.]62.62.105** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **1**.\n First seen: 2019-12-17T03:00:00, Last seen: 2021-03-05T03:00:00.\n IOC tags: **generic**.\nASN 396190: (First IP 108.62.56.0, Last IP 108.62.63.255).\nASN Name \"LEASEWEBUSASEA10\" and Organisation \"Leaseweb USA Inc\".\nASN hosts 235940 domains.\nGEO IP information: City \"Seattle\", Country \"United States\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2019-12-17T00:00:00", "id": "RST:4FA9C3C6-7206-3068-9AB5-5CDE8C4BFF94", "href": "", "published": "2021-03-06T00:00:00", "title": "RST Threat feed. IOC: 108.62.62.105", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-05T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **111[.]40.45.33** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **11**.\n First seen: 2020-12-17T03:00:00, Last seen: 2021-03-05T03:00:00.\n IOC tags: **generic**.\nASN 132525: (First IP 111.40.0.0, Last IP 111.42.120.255).\nASN Name \"CMNETHEILONGJIANGCN\" and Organisation \"HeiLongJiang Mobile Communication Company Limited\".\nASN hosts 5993 domains.\nGEO IP information: City \"Harbin\", Country \"China\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-17T00:00:00", "id": "RST:4529B01D-9C91-3068-BA20-5E77955921AE", "href": "", "published": "2021-03-06T00:00:00", "title": "RST Threat feed. IOC: 111.40.45.33", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-05T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **104[.]140.83.182** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **12**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-03-05T03:00:00.\n IOC tags: **generic**.\nASN 62904: (First IP 104.140.0.0, Last IP 104.140.99.255).\nASN Name \"EONIXCOMMUNICATIONSASBLOCK62904\" and Organisation \"\".\nASN hosts 74551 domains.\nGEO IP information: City \"\", Country \"United States\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:69088E15-038D-3068-961E-23D1B9525377", "href": "", "published": "2021-03-06T00:00:00", "title": "RST Threat feed. IOC: 104.140.83.182", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-05T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **109[.]200.91.46** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **12**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-03-05T03:00:00.\n IOC tags: **generic**.\nASN 48464: (First IP 109.200.80.0, Last IP 109.200.95.255).\nASN Name \"FUTUROEXITOAS\" and Organisation \"\".\nASN hosts 100 domains.\nGEO IP information: City \"Jastkow\", Country \"Poland\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:F536C58C-1960-3068-AF94-31905D94C393", "href": "", "published": "2021-03-06T00:00:00", "title": "RST Threat feed. IOC: 109.200.91.46", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-05T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **45[.]225.120.1** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **44**.\n First seen: 2021-02-28T03:00:00, Last seen: 2021-03-05T03:00:00.\n IOC tags: **shellprobe**.\nASN 266935: (First IP 45.225.120.0, Last IP 45.225.121.255).\nASN Name \"CAROLINE\" and Organisation \"FONSECA FERNANDES ME\".\nASN hosts 4 domains.\nGEO IP information: City \"Riachao do Dantas\", Country \"Brazil\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-28T00:00:00", "id": "RST:935EDC98-6B7D-3068-B0AB-873748EEED6F", "href": "", "published": "2021-03-06T00:00:00", "title": "RST Threat feed. IOC: 45.225.120.1", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-05T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **23[.]20.221.87** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **10**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-03-05T03:00:00.\n IOC tags: **generic**.\nASN 14618: (First IP 23.20.0.0, Last IP 23.23.255.255).\nASN Name \"AMAZONAES\" and Organisation \"Amazoncom Inc\".\nThis IP is a part of \"**amazon_cloud_ec2**\" address pools.\nASN hosts 11703553 domains.\nGEO IP information: City \"Ashburn\", Country \"United States\".\nIOC could be a **False Positive** (Cloud provider IP).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:2B4875EA-2742-3068-B0F5-36AC424A892E", "href": "", "published": "2021-03-06T00:00:00", "title": "RST Threat feed. IOC: 23.20.221.87", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-05T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **5[.]167.67.156** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **1**.\n First seen: 2019-12-17T03:00:00, Last seen: 2021-03-05T03:00:00.\n IOC tags: **generic**.\nASN 57026: (First IP 5.167.64.0, Last IP 5.167.79.255).\nASN Name \"CHEBAS\" and Organisation \"\".\nASN hosts 202 domains.\nGEO IP information: City \"Cheboksary\", Country \"Russia\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2019-12-17T00:00:00", "id": "RST:315A5951-E970-3068-85F7-C7AB709E16CE", "href": "", "published": "2021-03-06T00:00:00", "title": "RST Threat feed. IOC: 5.167.67.156", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-05T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **45[.]79.14.141** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **10**.\n First seen: 2020-09-28T03:00:00, Last seen: 2021-03-05T03:00:00.\n IOC tags: **tor_node**.\nASN 63949: (First IP 45.79.0.0, Last IP 45.79.115.255).\nASN Name \"LINODEAP\" and Organisation \"Linode LLC\".\nThis IP is a part of \"**linode**\" address pools.\nASN hosts 1790761 domains.\nGEO IP information: City \"Richardson\", Country \"United States\".\nIOC could be a **False Positive** (Cloud provider IP).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-09-28T00:00:00", "id": "RST:9EFA5A60-3A06-3068-9D99-65E5AEB24313", "href": "", "published": "2021-03-06T00:00:00", "title": "RST Threat feed. IOC: 45.79.14.141", "type": "rst", "cvss": {}}]}