February 1, 2010: Pubcookie ISAPI Filter Security Advisory.

Subject:       Stack Buffer Overflow in ISAPI Filter
Author:        Nathan Dors, Pubcookie Project
Status:        Confirmed, Fix Released
Threat Class:  Stack Buffer Overflow, Denial of Service
Issue date:    February 1, 2010
Severity:      High

Summary:
========

A new release of the Pubcookie ISAPI filter is available to address a 
stack buffer overflow vulnerability. Sites using the Pubcookie ISAPI 
filter on Microsoft Internet Information Services (IIS) are advised to 
read this security advisory and carry out the suggested actions below. 

Note there is no evidence others have discovered this vulnerability or 
that it has been exploited anywhere "in the wild".

Note: The URL for this security advisory is:
http://pubcookie.org/news/20100201-apps-secadv.html

Vulnerability Details:
======================

A stack buffer overflow vulnerability exists in the Pubcookie ISAPI 
filter that can be triggered when Pubcookie encodes a specially crafted 
query string.  If exploited, this vulnerability could be used to execute 
arbitrary code in the security context of the ISAPI filter. Although 
this sort of attack isn't straightforward, proof-of-concept code has 
demonstrated that the process running the filter can be made to crash.

Threat Classification:
======================

This vulnerability is classified as *high* due to the risk that it might 
be exploited on servers hosting sensitive data or applications critical 
to business operations.

Affected Versions:
==================

The vulnerability has been confirmed to exist in version 3.3.3 of the 
Pubcookie ISAPI filter, and likely exists in prior versions as well.

Patch Releases:
===============

The following patch release addresses all known buffer overflow issues:
* Pubcookie 3.3.4 (current production release)

This release is available now from the Pubcookie dowloads page:
http://pubcookie.org/downloads.html

Suggested Action:
=================

Application server administrators running an affected version of the 
Pubcookie ISAPI filter on IIS should upgrade to version 3.3.4.

Note: For detailed version compatibility notes and upgrade information, 
consult the Pubcookie 3.3.4 ISAPI Filter Installation Guide.

Remediation Details:
====================

In addition to fixing the identifed buffer overflow vulnerability, an 
extensive review of the Pubcookie ISAPI filter source code was conducted 
to find and mitigate other unchecked string operations and memory leaks. 

Project Response:
=================

* 04 May 2009: Initial contact with technical details of vulnerability
* 04 May 2009: Initial response confirming vulnerability and severity
* 01 Feb 2010: Security release available for vulnerability
* 01 Feb 2010: Public disclosure thru pubcookie.org advisory

Acknowledgments:
================

The Pubcookie project thanks Chris Ries (Information Security Engineer, 
Carnegie Mellon University) for reporting the security vulnerability as 
well as possible exploits and routes of remediation. The project also 
thanks Jeff Franklin (University of Washington) for conducting the 
independent review and contributing additional fixes to the codebase.

References:
===========

Web Security Threat Classification
http://www.webappsec.org/projects/threat/