[Intrusions] Would IIS auth prevent (http.sys)
Evans, Arian
Arian.Evans at fishnetsecurity.com
Fri Aug 26 14:53:29 GMT 2005
<inline>
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Stephen Shepherd
> Sent: Thursday, August 25, 2005 10:16 AM
> To: intrusions at lists.sans.org
> Subject: Re: [Intrusions] Would IIS auth prevent buffer overflow attac
[...]
>
> You mention http.sys. Are you saying that this driver
> pre-processes all requests? If that is the case both
> http.sys and the auth module would be potential
> targets. Correct?
Starting with Win2k3/IIS 6.0, Microsoft moved the http parser
into the kernel for performance. HTTP would be pre-parsed, so
auth like Basic, NTLM, etc. would be parsed by http.sys. Auth
like Kerberos I believe would be handled at the IP stack, though
I am not certain about this.

While I found the move to the kernel concerning given IIS's
history, the fact is that the core web server hasn't had many
vulns discovered post-4.0, and MS has performed extensive
third-party testing and source review against IIS 6.0. I believe Dave
Aitel and the ex-stake team found the chunked encoding issue with
IIS 6.0, which is one of only two issues discovered in total.

No issues were or have been discovered with http.sys. In fact,
as the story goes, the lead developer offered to cut off a finger
if any exploitable flaws were found in his code. </anecdotal>

HtH,
-ae