Systems Affected: All ISAs written using the MFC ISAPI framework
Issue: User-input length values can result in a buffer overflow.
Risk: Critical
Scope: Remote Server Compromise

The MFC ISAPI framework is widely used to build ISAs that run on a multitude of web servers. It has been discovered that the framework relies on user-input values for request member lengths, making it prone to a buffer overrun attack.

When I downloaded my copy of the BadBlue PWS and began to test its bizarre "ext.dll" module for vulnerabilities, I found that a specially malformed POST request:

    POST /ext.dll HTTP/1.0
    Content-Length: 1

    AAAAAAAAAAAA[...]

could cause a buffer overflow in the server. Further study of the vulnerability revealed that the server crashed on this request inside mfc42.dll. This crash occurred when the DLL accessed an overwritten pointer. Although I thought this odd, I did not study it any further until I was informed by BadBlue support that the overrun was indeed inside of mfc42.dll.

It appears that the MFC library accepts parameters that indicate the length of various members, including the length of POST entities. If this input is not explicitly verified by the server, a buffer overrun can occur during the execution of the ISAPI, and this can either crash the server or a separate worker process (depending on vendor/configuration).

SecurityFocus: BID 5188 ("Working Resources BadBlue ISAPI Denial of Service Vulnerability") is one particular instance of this exploit. The exploit code above is sufficient to exploit BID 5188.

"The reason the mainstream is thought of as a stream is because it is so shallow." - Author Unknown
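The defensive counterpart to the problem described above is to treat the client-supplied Content-Length as untrusted input: bound it by a server-side cap before any buffer is sized from it, and compare it against the number of body bytes that actually arrived. The following C program is an added example written for this advisory, not code from MFC, BadBlue or any ISAPI vendor. The cap MAX_ENTITY_BYTES and the function names check_entity_length and read_entity are assumptions made here; the sample requests are constructed, the first one reproducing the advisory's Content-Length: 1 request with a 12-byte body.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTITY_BYTES 4096u  /* assumed per-request cap; a real ISA chooses its own */

typedef enum {
    CL_OK = 0,
    CL_MISSING,    /* no Content-Length header on a request that carries a body */
    CL_MALFORMED,  /* value is not a plain non-negative decimal integer, or headers unterminated */
    CL_TOO_LARGE,  /* declared length exceeds the server-side cap */
    CL_MISMATCH    /* declared length differs from the bytes actually received */
} cl_status;

/* Case-insensitive test: does the header line [line, eol) start with `name`? */
static int starts_with_ci(const char *line, const char *eol, const char *name)
{
    size_t n = strlen(name);
    if ((size_t)(eol - line) < n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Strict parse of a Content-Length value in [p, end): spaces, digits, spaces.
 * Rejects the value as soon as it passes `cap`, so it can never overflow. */
static cl_status parse_length(const char *p, const char *end, size_t cap, size_t *out)
{
    size_t n = 0;
    while (p < end && (*p == ' ' || *p == '\t')) p++;
    if (p == end || !isdigit((unsigned char)*p)) return CL_MALFORMED;
    while (p < end && isdigit((unsigned char)*p)) {
        n = n * 10 + (size_t)(*p - '0');
        if (n > cap) return CL_TOO_LARGE;
        p++;
    }
    while (p < end && (*p == ' ' || *p == '\t')) p++;
    if (p != end) return CL_MALFORMED;  /* trailing junk such as a sign or letters */
    *out = n;
    return CL_OK;
}

/* Validate the declared entity length of a raw request against the cap and
 * against the body bytes actually present. Only on CL_OK is *entity_len set. */
cl_status check_entity_length(const char *req, size_t req_len, size_t cap, size_t *entity_len)
{
    const char *hdr_end = NULL;
    for (size_t i = 0; i + 4 <= req_len; i++)
        if (memcmp(req + i, "\r\n\r\n", 4) == 0) { hdr_end = req + i; break; }
    if (!hdr_end) return CL_MALFORMED;

    const char *body = hdr_end + 4;
    size_t body_len = (size_t)((req + req_len) - body);

    int seen = 0;
    size_t declared = 0;
    for (const char *line = req; line < hdr_end; ) {
        const char *eol = line;
        while (eol < hdr_end && *eol != '\r') eol++;
        if (starts_with_ci(line, eol, "content-length:")) {
            if (seen) return CL_MALFORMED;  /* duplicate header is ambiguous: reject */
            seen = 1;
            cl_status st = parse_length(line + 15, eol, cap, &declared);
            if (st != CL_OK) return st;
        }
        line = eol + 2;  /* step over the CRLF */
    }
    if (!seen) return CL_MISSING;
    if (declared > cap) return CL_TOO_LARGE;
    if (declared != body_len) return CL_MISMATCH;
    *entity_len = declared;
    return CL_OK;
}

/* Copy the entity into a caller-owned fixed buffer only after the declared
 * length has been checked against that buffer's capacity. */
cl_status read_entity(const char *req, size_t req_len, char *buf, size_t buf_cap, size_t *got)
{
    size_t n = 0;
    cl_status st = check_entity_length(req, req_len, buf_cap, &n);
    if (st != CL_OK) return st;
    memcpy(buf, req + req_len - n, n);  /* n <= buf_cap and n == bytes present */
    *got = n;
    return CL_OK;
}

int main(void)
{
    /* Constructed samples: the first mirrors the advisory's request. */
    static const char bad[]  = "POST /ext.dll HTTP/1.0\r\nContent-Length: 1\r\n\r\nAAAAAAAAAAAA";
    static const char good[] = "POST /ext.dll HTTP/1.0\r\nContent-Length: 5\r\n\r\nhello";
    char buf[MAX_ENTITY_BYTES];
    size_t got = 0;
    cl_status st = read_entity(bad, sizeof bad - 1, buf, sizeof buf, &got);
    printf("malformed request: status %d\n", (int)st);
    st = read_entity(good, sizeof good - 1, buf, sizeof buf, &got);
    printf("well-formed request: status %d, %zu bytes\n", (int)st, got);
    return 0;
}
```

The check deliberately runs the cap test before the mismatch test, so an absurd declared length is refused without the server ever trying to account for body bytes, and the copy in read_entity is bounded by the same capacity value that validated the length.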