20th Aug 2002 [SBWID-5646]
COMMAND
Tomahawks SteelArrow Multiple Remote Buffer Overruns
SYSTEMS AFFECTED
?
PROBLEM
Mark Litchfield [mark@ngssoftware.com] [http://www.ngssoftware.com]
advisory number [#NISR19082002B] :
Buffer Overrun 1)
SteelArrow tracks user sessions with cookies in the form of
UserIdent=XXXXXXXXXXXX. By supplying an overly long value in the Cookie
HTTP header, a buffer overflow occurs in the SteelArrow Service
(Steelarrow.exe), overwriting a saved return address on the stack.
SteelArrow, by default on Win2k/WinNT, is installed as a system service.
Any arbitrary code executed using this vulnerability will run with
system privileges.
Buffer Overrun 2)
By making an overly long request for a .aro (extension used by
SteelArrow) file, an access violation occurs in DLLHOST.EXE
(Steelarrow.dll), again overwriting a saved return address on the
stack. Any code will execute in the security context of the IWAM
account.
Buffer Overrun 3)
It's that Chunked Transfer-Encoding issue again. By making a request
for a .aro file and including a specific Transfer-Encoding: Chunked
request within the HTTP request header fields, an access violation
occurs in DLLHOST.EXE due to a heap overflow. Again, any arbitrary code
execution will run in the context of the IWAM account.
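A detection check for the three request shapes described above, written as an added example (not part of the NGSSoftware advisory or of SteelArrow). The length thresholds, function names and sample requests are assumptions; the advisory does not state the lengths involved.

```python
# Added example: flag HTTP requests matching the three shapes in the advisory.
# Thresholds are assumed values; the advisory gives no overflow lengths.
MAX_USERIDENT_LEN = 64    # assumption: legitimate UserIdent values are short
MAX_ARO_TARGET_LEN = 256  # assumption: legitimate .aro request targets are short

SAMPLES = {  # constructed requests, not captured traffic
    "normal": b"GET /index.aro HTTP/1.1\r\nHost: example.test\r\nCookie: UserIdent=ABCDEF123456\r\n\r\n",
    "cookie": b"GET /index.aro HTTP/1.1\r\nHost: example.test\r\nCookie: UserIdent=" + b"X" * 500 + b"\r\n\r\n",
    "path": b"GET /" + b"a" * 500 + b".aro HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "chunked": b"POST /form.aro HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: Chunked\r\n\r\n",
}


def parse_request(raw: bytes):
    """Split a raw HTTP request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method, target = parts[0], parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive; repeated headers are kept
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, headers


def check_request(raw: bytes):
    """Return the list of advisory-related findings for one request."""
    _, target, headers = parse_request(raw)
    is_aro = target.split("?", 1)[0].lower().endswith(".aro")
    findings = []
    for cookie_header in headers.get("cookie", []):
        for pair in cookie_header.split(";"):
            name, _, value = pair.strip().partition("=")
            if name == "UserIdent" and len(value) > MAX_USERIDENT_LEN:
                findings.append("oversized-UserIdent-cookie")  # overrun 1
    if is_aro and len(target) > MAX_ARO_TARGET_LEN:
        findings.append("overlong-aro-request")                # overrun 2
    te = ",".join(headers.get("transfer-encoding", [])).lower()
    if is_aro and "chunked" in te:  # heuristic: may match legitimate uploads
        findings.append("chunked-aro-request")                 # overrun 3
    return findings


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_request(raw))
```

The same three conditions can be expressed as rules in a reverse proxy or IDS placed in front of the server; tune the thresholds against real session identifiers and URL lengths before blocking on them.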
SOLUTION