[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <2356118393.20031114012000@hotmail.kg>
From: netninja at hotmail.kg (Adik)
Subject: Frontpage Extensions Remote Command Execution
Hello Nick,
Thursday, November 13, 2003, 3:14:40 AM, you wrote:
NJ> Has anyone even had any luck reproducing this? I can't for the life of
NJ> me get a crash...
NJ> -----Original Message-----
NJ> From: Geo.
NJ> Sent: Wed 11/12/2003 11:41 AM
NJ> To: full-disclosure@...ts.netsys.com
NJ> Cc:
NJ> Subject: RE: [Full-Disclosure] Frontpage Extensions Remote
NJ> Command Execution
NJ> >>
NJ> Well, for one, it's not root level. It allows ANONYMOUS (Guest)
NJ> access
NJ> <<
NJ> No it's not, IWAM is Web Applications MANAGER account you were
NJ> thinking of
NJ> IUSR perhaps? This is not guest. This account can change
NJ> websites so in a
NJ> multi host environment this level of access will allow a
NJ> compromise of every
NJ> website on the server.
NJ> Geo. (I'd call that root)
NJ> _______________________________________________
NJ> Full-Disclosure - We believe in it.
NJ> Charter: http://lists.netsys.com/full-disclosure-charter.html
What i learned from this overflow was that there is a difference
between sending 500 'A's and sending 500 'X's. sending 500 'A' even
more doesn't trigger access violation on dllhost process. however if u
send 500 'X's u'll get acces violation. well at least thats what i
noticed. maybe i'm wrong. so sometimes sendin different strings
might generate different results.
--
Best regards,
Adik mailto:netninja@...mail.kg
Powered by blists - more mailing lists