I had to come up with a way to test a server remotely for this vulnerability without actually killing it and running the plerthora of exploit code that is out. This is what I have, hopefully someone can use it. Known Vulnerable Testing Platform The first round of tests was run on a Windows 2000 Server running IIS 5.0 (if anyone has similar analysis for IIS 4.0 I'd love to see it) with AND without SP1 (no difference) not patched for MS01-033. Results Sending 1-219 bytes yields the error: The IDQ file NULL.ida could not be found. Nothing written to the event log. Sending 220-231 bytes we get: File . Error 0xc0000005 caught while processing query Nothing written to the event log. Sending 232-??? bytes we get: No response from web server. System event log event ID 7031 from Service Control Manager. IIS services are then stopped and restarted. Known Invulnerable Testing Platform Another system running Windows 2000 Server, IIS 5.0 with SP1 and the patch for MS01-033. Results Sending 1-199 bytes yields the error: The IDQ file NULL.ida could not be found. Nothing written to the event log. Sending 200-??? bytes we get: File . Error 0x80040e14 caught while processing query Nothing written to the event log. So, in summary, to test do the following: send 200 bytes if response = "Error 0x80040e14 caught while processing query" the sytem is patched. if response = "The IDQ file NULL.ida could not be found." the system is not patched. I can't take all the credit for figuring this out. Like most people, I owe it all to the following bit of code: #!/bin/sh SIZE=1 export SIZE while [ $SIZE -lt 201 ]; do BUFF="`perl -e 'print \"x\" x $ENV{SIZE}'`" echo -e "GET /NULL.ida?$BUFF=X HTTP/1.1\nHost: iluvpaul\n\n" | \ nc host port SIZE=`expr $SIZE + 1` done -chris _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 22:33:22 PDT