Tango Cookie Buffer Overflow Vulnerability Workaround


This page tells you how to use URL Rewriting to try to block cookie buffer overflow attacks on the Tango Application server and old versions of Witango 5.

The instructions assume that you're running Microsoft IIS.
But the same concept will work with other web servers.

The problem

Sending a very long cookie to Tango 2000 can crash your server.

With a bit of cunning hackery, people can take over your server and make it do mean things.

The ideal solution

Move your applications to a the latest version of Witango 5. You can buy one from our friends at With Enterprises.

The Workaround

Alternatively, catch requests with long cookies before they get to your Tango server.

IIS allows you to install third-party plugins (called ISAPI Filters) which can change requests before it processes them.

We can use an ISAPI Filter to rewrite the URLs of suspicious requests so that IIS sends them somewhere other than Tango.

The simplest way is to send them to a made-up HTML page, like "/tango_buffer_overflow_exploit.html".

If you want immediate warnings of attacks, you might want to make a special CGI script and redirect them to that instead.

What to do

  1. Head over to Querksoft and pick up a copy of IISRewrite for $99. If you want to test it first you can download their evaluation version.
  2. Install IISRewrite by following the instructions on their website.
  3. Put the following in your rewrite.ini file:
    RewriteEngine On
    
    ###########################################################################
    #
    # Rule to block Tango cookie buffer overflow exploit
    # Apply this rule to any request containing a cookie 128 bytes long, including the name.
    # Rewrite anything containing a Tango extension then the end of the string, or a question mark.
    # NB If your server lets Tango respond to other URLs, you should include those as well.
    RewriteCond %{HTTP_COOKIE} .*[^;]{128}.*
    RewriteRule (.*)\.(taf$|taf\?|tml$|tml\?|thtml$|thtml\?)(.*) /tango_buffer_overflow_exploit.html [L]
    # If you're really paranoid, use 
    # RewriteRule .* /tango_buffer_overflow_exploit.html
    # ...to block oversized cookies for all requests.
    #
    ###########################################################################
    
  4. Restart IIS.

It should no longer be possible to send excessively large cookies to your Tango server.
Requests without excessively large cookies, or requests for pages other than .taf, .tml and .thtml, should be unaffected.
If it fails on either of those counts, please let me know.

Other options and platforms

ISAPI URL rewriting is also offered by ISAPIRewrite.

If you're using Apache, you can do the same thing (and much more) with the original ModRewrite.