VulnXML Project: Sample XML document (buffer overflow)

Date: 2003-05. From: http://www.owasp.org/vulnxml/IISChunkedBO.xml
See: VulnXML Project



<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- The DOCTYPE below names an external DTD by a relative SYSTEM identifier, and
     standalone="no" says external declarations may affect the document.
     A parser that loads the external subset will fetch "WebApplicationTest.dtd"
     relative to wherever this file was loaded from.
     NOTE(review): a tool that accepts test definitions from sources it does not
     control should resolve this DTD from a local, pinned copy and keep
     external-entity resolution switched off. -->
<!DOCTYPE WebApplicationTest SYSTEM "WebApplicationTest.dtd">
<WebApplicationTest>
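	<!-- Metadata for this check: identity and dates, advisory links, the targets it
	     applies to, when the scanner should run it, and which result raises an alert. -->
	<TestDescription>
		<TestName>OWASP-00002</TestName>
		<TestVersion>0.0</TestVersion>
		<DateReleased>2002-04-10</DateReleased>
		<DateUpdated>2002-04-30</DateUpdated>
		<OWASP_Class class="Overflows" URL="http://www.owasp.org/asac/"/>
		<References>
			<Reference database="Bugtraq" URL="http://www.securityfocus.com/bid/4485"/>
			<!-- "CAN-" is the former candidate prefix; the entry is now listed as CVE-2002-0079. -->
			<Reference database="CVE" URL="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0079"/>
			<Reference database="Microsoft" URL="http://www.microsoft.com/technet/security/bulletin/ms02-018.asp"/>
			<Reference database="Cert" URL="http://www.cert.org/advisories/CA-2002-09.html"/>
		</References>
		<Copyright>Public Domain</Copyright>
		<TestProtocol protocol="HTTP"/>
		<!-- Presumably allows the probe to be sent through an HTTP proxy.
		     NOTE(review): the verdict depends on how the origin server parses the
		     chunked body; a proxy that re-frames or rejects the request makes the
		     result describe the proxy path, not IIS. Confirm before trusting
		     proxied results. -->
		<MayProxy value="True"/>
		<Description>Buffer overflow in the chunked encoding transfer mechanism in Internet Information Server (IIS) 4.0 and 5.0 Active Server Pages allows attackers to cause a denial of service or execute arbitrary code.</Description>
		<ApplicableTo>
			<Platform>
				<OS>Windows</OS>
				<Arch>i386</Arch>
			</Platform>
			<WebServer>Microsoft-IIS</WebServer>
			<ApplicationServer/>
		</ApplicableTo>
		<Affects scope="server"/>
		<!-- Run the check for files whose name ends in ".asp" (presumably matched
		     against discovered file names; confirm against the tool).
		     The dot is escaped and the pattern is anchored at the end: an unescaped
		     dot matches any character, so a name such as "xasp" or a longer
		     extension would also have triggered the probe. -->
		<TriggerOn event="file">
			<Match type="regex">.*\.asp$</Match>
		</TriggerOn>
		<Impact>The attacker can cause the web server to crash and restart, and could potentially execute arbitrary code on the web server</Impact>
		<Severity value="high"/>
		<!-- The Microsoft entry under References (ms02-018) is the vendor bulletin for
		     this issue. Removing sample scripts only reduces exposure to bulk
		     scanning; per the trigger above, any reachable .asp file exercises the
		     same code path, so patching is the actual fix. -->
		<Recommendation>Delete sample ASP scripts to deter bulk scanners. Install the patch supplied by Microsoft as soon as it is available.</Recommendation>
		<!-- An alert is raised on a SUCCESS result; in this file the only SUCCESS
		     criterion is a match on the "unpatched" response signature. -->
		<AlertOn result="SUCCESS"/>
	</TestDescription>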
	<!-- No user-supplied inputs: the request below uses only the scanner's own
	     scheme/host/port/path/file variables. -->
	<Inputs/>
	<!-- One request/response exchange: send a chunked POST to the triggered .asp
	     file, capture pieces of the response into variables, then classify the
	     host from those variables. -->
	<Connection>
		<Step name="step1">
			<Request>
				<MessageHeader>
					<Method encoding="text">POST</Method>
					<URI encoding="text">${scheme}://${host}:${port}/${path}/${file}</URI>
					<Version encoding="text">HTTP/1.1</Version>
					<Header name="Accept" encoding="text">*/*</Header>
					<Header name="Host" encoding="text">${host}</Header>
					<Header name="Transfer-Encoding" encoding="text">chunked</Header>
				</MessageHeader>
				<MessageBody>
					<Content-Type encoding="text">application/x-www-form-urlencoded</Content-Type>
					<!-- NOTE(review): the request already declares Transfer-Encoding: chunked.
					     If the tool also emits a computed Content-Length header, the message
					     has two framing indicators, and intermediaries may reject or
					     rewrite it. Confirm what is actually sent on the wire. -->
					<Content-Length length="auto"/>
					<Separator encoding="text"/>
					<!-- Decodes to nine bytes: '1', LF, 'E', LF, '0', LF, LF, LF, LF.
					     That is a one-byte chunk followed by the zero-length last chunk,
					     written with bare LF rather than CRLF line endings. The verdict
					     below is taken from the error text in the response body. -->
					<Item encoding="base64">MQpFCjAKCgoK</Item>
				</MessageBody>
			</Request>
			<Response>
				<!-- Three-digit status code captured from the status line. -->
				<SetVariable name="ResponseCode" type="string">
					<Description>HTTP Response code</Description>
					<Source source="status-line">^.*\s(\d\d\d)\s</Source>
				</SetVariable>
				<!-- Captures the Location header value. No TestCriteria in this step
				     references ${redir302}; the redirect case is decided by the
				     status code alone. -->
				<SetVariable name="redir302" type="string">
					<Description>See if we got a custom 404 handler, correctly implemented using a redirection</Description>
					<Source source="message-header">Location: (.*)$</Source>
				</SetVariable>
				<!-- Non-empty when the body contains the literal text "404 Not Found". -->
				<SetVariable name="body404" type="string">
					<Description>See if we got a custom 404 handler, incorrectly implemented using a return code of 200</Description>
					<Source source="message-body">(404 Not Found)</Source>
				</SetVariable>
				<!-- The two signatures below share the 0x80004005 error code and differ
				     only in the word that follows the br tag ("Unspecified" versus
				     "Request").
				     NOTE(review): both are literal error strings. A server with custom
				     or localized ASP error pages may match neither; treat "no alert"
				     as inconclusive rather than as evidence of a patched host. -->
				<SetVariable name="unpatched" type="string">
					<Description>An unpatched server returns "(0x80004005)&lt;br&gt;Unspecified</Description>
					<Source source="message-body">(\(0x80004005\)&lt;br&gt;Unspecified)</Source>
				</SetVariable>
				<SetVariable name="patched" type="string">
					<Description>A patched server returns "(0x80004005)&lt;br&gt;Request</Description>
					<Source source="message-body">(\(0x80004005\)&lt;br&gt;Request)</Source>
				</SetVariable>
			</Response>
			<!-- Page-unavailable cases. Sibling Compare elements look like alternatives
			     and the nested Compare like an extra condition (status 200 together
			     with a "404 Not Found" body); presumably so, confirm against the DTD.
			     NOTE(review): status 500 is listed here under the message "The page
			     was not found". If the server delivers the 0x80004005 error page with
			     a 500 status, this block and the signature blocks below can both
			     match, and this file does not say which takes precedence. Verify the
			     tool's evaluation order so that an unpatched host is not reported as
			     a missing page. -->
			<TestCriteria type="FAILURE">
				<ErrorMessage>The page was not found</ErrorMessage>
				<Compare variable="${ResponseCode}" test="equals" value="200">
					<Compare variable="${body404}" test="notequals" value=""/>
				</Compare>
				<Compare variable="${ResponseCode}" test="equals" value="404"/>
				<Compare variable="${ResponseCode}" test="equals" value="302"/>
				<Compare variable="${ResponseCode}" test="equals" value="500"/>
			</TestCriteria>
			<!-- Patched signature present: the check fails, so no alert is raised. -->
			<TestCriteria type="FAILURE">
				<Compare variable="${patched}" test="notequals" value=""/>
			</TestCriteria>
			<!-- Unpatched signature present: SUCCESS, the result AlertOn is set to report. -->
			<TestCriteria type="SUCCESS">
				<Compare variable="${unpatched}" test="notequals" value=""/>
			</TestCriteria>
		</Step>
	</Connection>
</WebApplicationTest>