At 12:53 02/02/01 -0400, Brian Steele wrote:
>For that to work, the "arbitrary commands" in the buffer-overflow exploit
>will have to set up an app listening on port 80 - the same port as the
>webserver, AND send and receive traffic using HTTP.
if the server is inside, the "arbitrary commands" can connect to another machine,
such as your internal mailserver, and send private data to an external address using
SMTP. they can use whatever service you allow from an internal host.
they may also simply connect to a host and delete files or copy sensitive data
and send 'em back as an http response.
they may also spoof an internal address and send things back to the attacker.
All this is harder if the server is not allowed to access other internal hosts,
in which case the attacker has limited access.
the general rule is that "physical separation" is stronger than a logical
one (firewall/proxy rules).
>May be possible, but
>sounds a bit far-fetched. The same-port issue might be the largest
>stumbling block.
if the server crashed, the port is free for reuse, but anyway, there is no
reason for the guy to use the same port.
>And the sample scripts are typically removed from any secure IIS
>installation anyway :-).
what about internal extensions that may even be undocumented?
these servers are developed to get more and more nice features,
and features come at a price: uncontrolled behaviour when security
is concerned.
cheers,
mouss
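The two firewall policies contrasted in the reply above (a DMZ web server that may reach whatever an internal host may reach, versus one that can only answer inbound requests), as an added example that is not part of the thread; all addresses and the rule tables are constructed for illustration:

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for the thread's scenario (assumptions, not from the post):
# a web server in the DMZ, an internal mail server, an external attacker host.
DMZ_NET = ip_network("192.0.2.0/24")
INTERNAL_NET = ip_network("10.0.0.0/8")
DMZ_WEB = "192.0.2.10"
MAILSERVER = "10.0.0.25"
ATTACKER = "198.51.100.7"
ANY = ip_network("0.0.0.0/0")

# First-match rule tables: (src_net, dst_net, dst_port or None for any, action).
# "Logical separation" as the post describes it: the DMZ host may reach
# whatever an internal host may reach, so a compromised server can relay data
# to the internal mail server or straight out to an external address.
PERMISSIVE = [
    (ANY, DMZ_NET, 80, "allow"),          # inbound HTTP to the web server
    (DMZ_NET, ANY, None, "allow"),        # DMZ may open any outbound connection
    (INTERNAL_NET, ANY, None, "allow"),   # internal hosts may go anywhere
    (ANY, ANY, None, "deny"),
]
# The tighter policy the reply argues for: the web server only answers inbound
# requests and may not initiate connections to internal or external hosts.
RESTRICTIVE = [
    (ANY, DMZ_NET, 80, "allow"),
    (DMZ_NET, ANY, None, "deny"),         # no egress from the DMZ at all
    (INTERNAL_NET, ANY, None, "allow"),
    (ANY, ANY, None, "deny"),
]

def connection_allowed(policy, src, dst, dport, ingress_iface):
    """Evaluate a new connection from src to dst:dport against a first-match
    policy. ingress_iface is the firewall interface the first packet arrived
    on ('dmz', 'internal' or 'outside')."""
    s, d = ip_address(src), ip_address(dst)
    # Anti-spoofing: a packet claiming an internal source must arrive on the
    # internal interface, so a DMZ host cannot borrow an internal address.
    if s in INTERNAL_NET and ingress_iface != "internal":
        return False
    if s in DMZ_NET and ingress_iface != "dmz":
        return False
    for src_net, dst_net, port, action in policy:
        if s in src_net and d in dst_net and (port is None or port == dport):
            return action == "allow"
    return False  # default deny when no rule matches
```

Under PERMISSIVE the compromised web server reaches the mail server on port 25 and the attacker's host directly; under RESTRICTIVE both are refused while inbound port 80 still works, and a DMZ packet carrying an internal source address is dropped under either policy.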
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]