[WEB SECURITY] Re: Jeremiah Grossman writes about buffer overflow myths

Ryan Barnett rcbarnett at gmail.com
Wed Mar 15 08:42:18 EST 2006


The article you posted is a good read, however it does not entirely debunk
the core message of Jeremiah's article.  The SecurityFocus article wanted to
show that it would still be possible to execute a blind buffer overflow
against ISAPI extensions.

If we are not looking at the article examples in a lab view, but rather a
real world view, then the Vulnerability Requirements section becomes
important -

"There are very few necessary requirements of the vulnerability for
exploitation to be successful. If any type of filtering is being done on our
input, output from the extension would be required to display which bytes
are denied or modified.

The second and third requirements are that a register must point to our
payload and have enough room for single or multi-stage shell code."

With these caveats in mind - is this really a blind buffer overflow if it is
a requirement that denied bytes are displayed back to the attacker?

Additionally, the author summed it up with this statement -

"One can now see that even when an attacker does not have access to the
binary, source or platform information, exploitation may *in some specific
scenarios* allow for remote code execution."

This brings up another point from Jeremiah's article - the likelihood of a
buffer overflow is less than the other attacks he mentioned (SQL Injection,
etc...)

-Ryan


On 3/15/06, ol at uncon.org <ol at uncon.org> wrote:
>
> > Did you read the article or did you just base your response on the 2 sample
> > sentences sent in the email?  The article quite clearly outlined the fact
> > that it was focusing on "custom" applications and not widely available (to
> > everyone, including attackers) software.
>
> Yes I did. Did you read the article I posted? It clearly describes how it is
> possible and thus likelihood is greatly increased on custom applications
> (using ISAPI as a particular example I grant you).


--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
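The first requirement Ryan quotes (the extension must echo back which input bytes are denied or modified) is the classic "bad character" enumeration step that precedes any shellcode delivery. The following is an added example, written for this thread and not code from the SecurityFocus article or from anyone on the list. It assumes a `send()` callable that delivers a request to the target and returns whatever the extension echoes, and it includes a constructed stand-in for such an extension so the script runs offline; the framing bytes `PREFIX`/`SUFFIX` are an assumption that those bytes themselves pass through untouched.

```python
"""Classify each of the 256 byte values as passed, dropped, modified, or
string-terminating by probing a filtering echo endpoint one byte at a time.

Added example for the websecurity thread on blind buffer overflows; the
'extension' below is constructed for illustration, not a real ISAPI module.
"""
from typing import Callable, Dict, List

# Assumed-safe framing around each probed byte. If the target mangles these,
# pick other bytes already known to survive the round trip.
PREFIX = b"A" * 4
SUFFIX = b"B" * 4


def classify_bytes(send: Callable[[bytes], bytes]) -> Dict[int, str]:
    """Send PREFIX + <byte> + SUFFIX for every byte and inspect the echo.

    Probing one byte per request (rather than all 256 at once) keeps the
    result aligned even when bytes are silently dropped or expanded.
    """
    results: Dict[int, str] = {}
    for b in range(256):
        probe = PREFIX + bytes([b]) + SUFFIX
        resp = send(probe)

        i = resp.find(PREFIX)
        if i < 0:
            results[b] = "rejected"      # nothing echoed: request refused outright
            continue
        rest = resp[i + len(PREFIX):]

        # rfind so a probed byte equal to the suffix byte is not mistaken for
        # the start of the suffix itself.
        j = rest.rfind(SUFFIX)
        if j < 0:
            results[b] = "truncates"     # suffix lost: byte ended the string (e.g. NUL)
            continue
        middle = rest[:j]

        if middle == bytes([b]):
            results[b] = "ok"
        elif middle == b"":
            results[b] = "dropped"
        else:
            results[b] = "modified:" + middle.hex()
    return results


def bad_bytes(results: Dict[int, str]) -> List[int]:
    """Byte values that cannot appear verbatim in a payload."""
    return sorted(b for b, v in results.items() if v != "ok")


def constructed_extension(data: bytes) -> bytes:
    """Constructed stand-in for a C-style echo handler: NUL terminates the
    buffer, CR/LF are stripped, and two characters are escaped on output."""
    data = data.split(b"\x00", 1)[0]        # strlen()-style truncation
    out = bytearray()
    for c in data:
        if c in (0x0A, 0x0D):
            continue                        # line terminators dropped
        if c == 0x27:
            out += b"\\'"                   # ' escaped for a downstream quote
        elif c == 0x3C:
            out += b"&lt;"                  # < HTML-encoded
        else:
            out.append(c)
    return bytes(out)


if __name__ == "__main__":
    res = classify_bytes(constructed_extension)
    for b in bad_bytes(res):
        print(f"0x{b:02x}: {res[b]}")
```

Against a real target, `send` would wrap the HTTP request to the ISAPI extension and return the response body; the verdict for each byte then tells you which values an encoder must avoid, and the "truncates" class tells you where a C string copy will stop reading, which is usually the most important single fact for a blind overflow.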