[Intrusions] Would IIS auth prevent buffer overflow attacks

Evans, Arian Arian.Evans at fishnetsecurity.com
Thu Aug 25 18:54:40 GMT 2005 

> sure...

That's not entirely correct.

It depends entirely on *where* the overflow is.

Most of IIS's overflows have been in add-on components
like .printer and Index Server (.ida/q) which
are both default mapped from '/'. You'd have
to auth from root and hope that the overflow
was not in an HTTP header-field.

Most authentication is sent in the http request
as txt, including basic and NTLM authentication.

If you have Integrated Authentication selected
on IIS 5.0 and up, and the user is Windows 2000\
IE 5.5 (or up) you can potentially use Kerberos
which is certificate based and processed by the
part of the stack that handles SSL, IPSEC, etc.
which should occur *before* IIS parsed the message.

I have never tested this though. Make sure to test.

As for IIS authentication providing protection, a
recent example would be the ASP.NET cannonicalization
issue last year; allowed me to bypass authentication
by going to an allowed directory and traversing to
the "secure" directory.

It could help in certain cases though,

-ae



> -----Original Message-----
> From: intrusions-bounces at lists.sans.org 
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Wes Young
> Sent: Thursday, August 25, 2005 6:48 AM
> To: Intrusions List (GCIA Practicals)
> Subject: Re: [Intrusions] Would IIS auth prevent buffer 
> overflow attacks
> 
> sure... unless the authentication mechenism was flawed
> and exploited (as it was in june of 2004).
> 
> Something you actually tend to see a lot more of as this year goes on.
> 
> Stephen Shepherd wrote:
> > If IIS authentication were enabled on a web server
> > would it prevent buffer overflow attacks unless the
> > attacker had valid credentials.
> >  
> > I would think that the web server would not process
> > the initial get request until it had successfully
> > authenticated the client??
> >  
> > Just curious if this would add any protection to a www site..
> > _______________________________________________
> > Intrusions mailing list
> > Intrusions at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/intrusions
> > 
> > 
> 
> -- 
> Wes Young
> Network Security Analyst
> University at Buffalo
> --
> My Security Blog: http://tinyurl.com/9av4k
> RSS: http://tinyurl.com/ceopv
> My Life: http://tinyurl.com/l18g
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
>

More information about the Intrusions mailing list