February 1, 2010: Pubcookie ISAPI Filter Security Advisory.
Subject: Stack Buffer Overflow in ISAPI Filter
Author: Nathan Dors, Pubcookie Project
Status: Confirmed, Fix Released
Threat Class: Stack Buffer Overflow, Denial of Service
Issue date: February 1, 2010
A new release of the Pubcookie ISAPI filter is available to address a
stack buffer overflow vulnerability. Sites using the Pubcookie ISAPI
filter on Microsoft Internet Information Services (IIS) are advised to
read this security advisory and carry out the suggested actions below.
Note there is no evidence others have discovered this vulnerability or
that it has been exploited anywhere "in the wild".
Note: The URL for this security advisory is:
A stack buffer overflow vulnerability exists in the Pubcookie ISAPI
filter that can be triggered when Pubcookie encodes a specially crafted
query string. If exploited, this vulnerability could be used to execute
arbitrary code in the security context of the ISAPI filter. Although
this sort of attack isn't straightforward, proof-of-concept code has
demonstrated that the process running the filter can be made to crash.
This vulnerability is classified as *high* due to the risk that it might
be exploited on servers hosting sensitive data or applications critical
to business operations.
The vulnerability has been confirmed to exist in version 3.3.3 of the
Pubcookie ISAPI filter, and likely exists in prior versions as well.
The following patch release addresses all known buffer overflow issues:
* Pubcookie 3.3.4 (current production release)
This release is available now from the Pubcookie dowloads page:
Application server administrators running an affected version of the
Pubcookie ISAPI filter on IIS should upgrade to version 3.3.4.
Note: For detailed version compatibility notes and upgrade information,
consult the Pubcookie 3.3.4 ISAPI Filter Installation Guide.
In addition to fixing the identifed buffer overflow vulnerability, an
extensive review of the Pubcookie ISAPI filter source code was conducted
to find and mitigate other unchecked string operations and memory leaks.
* 04 May 2009: Initial contact with technical details of vulnerability
* 04 May 2009: Initial response confirming vulnerability and severity
* 01 Feb 2010: Security release available for vulnerability
* 01 Feb 2010: Public disclosure thru pubcookie.org advisory
The Pubcookie project thanks Chris Ries (Information Security Engineer,
Carnegie Mellon University) for reporting the security vulnerability as
well as possible exploits and routes of remediation. The project also
thanks Jeff Franklin (University of Washington) for conducting the
independent review and contributing additional fixes to the codebase.
Web Security Threat Classification