Multiple Remote Buffer Overruns TOMAHAWKS’ STEELARROW

August 19th, 2002

NGSSoftware Insight Security Research Advisory

Name:    Multiple Remote Buffer Overruns TOMAHAWKS’ STEELARROW

Systems Affected:  WinNT, Win2K (Not tested on other platforms)

Severity:  High Risk

Category:               Remote System Buffer Overrun

Vendor URL:   http://www.tomahawk.com

Author:   Mark Litchfield (mark@ngssoftware.com)

Date:   19th August 2002

Advisory number: #NISR19082002B

Description

***********

SteelArrow is an easy to use Web Application Server offering the latest in

Internet connectivity and dynamic content development.  SteelArrow offers

developers full web application development functionality and fully tested

run time reliability. Steelarrow operates as an extension (on WinNT/2K) to

Microsoft IIS, Apache and Netscape Enterprise servers.

Details

*******

Buffer Overrun 1)

SteelArrow tracks user sessions with cookies in the form of

UserIdent=XXXXXXXXXXXX.  By supplying an overly long vlaue in the Cookie

HTTP header a buffer overflow occurs in the Steelarrow Service

(Steelarrow.exe) overwriting a saved return address on the stack.

Steelarrow, by default on Win2k/WinNT is installed as a system service.  Any

arbitary code executed using this vulnerability will run with system

privileges.

Buffer Overrun 2)

By making an overly long request for a .aro (extension used by Steelarrow)

file, an access violation occurs in DLLHOST.EXE (Steelarrow.dll), again

overwriting a saved return address on the stack.  Any code will execute in

the security context of the IWAM account.

Buffer Overrun 3)

It’s that Chunked Transfer-Encoding issue again.  By making a request for a

.aro file an including a specific Transfer-Encoding: Chunked request within

the HTTP request header fields and access violation occurs in DLLHOST.EXE

due to a heap overflow. Again any arbitary code execution will run in the

context of the IWAM account.

Fix Information

***************

NGSSoftware alerted the vendor to these buffer overflow issues on the 1st

2nd and 3rd of April 2002.  A fix is available from

http://www.steelarrow.com

A check for these issues has been added to Typhon II, of which more

information is available from the

NGSSoftware website, http://www.ngssoftware.com.

Further Information

*******************

For further information about the scope and effects of buffer overflows,

please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf

http://www.ngssoftware.com/papers/ntbufferoverflow.html

http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf

http://www.ngssoftware.com/papers/unicodebo.pdf

Section Navigation


Customer Testimonials

Read what some of our satisfied customers are saying about us.

Speaking Events

We regularly present and speak at international security conferences throughout the world.

Informática 2009, Havana

OWASP AppSec Europe 2008

AusCERT 2008

NGS Publications

Web Application Hacker's Handbook

Oracle Hacker's Handbook

Database Hacker's Handbook

The Shellcoder's Handbook

SQL Server Security

Configuring IPCop Firewalls