Safe(?) testing for idq.dll vulnerability

From: Chris St. Clair (chris_stclairat_private)
Date: Thu Jul 19 2001 - 18:59:28 PDT


    I had to come up with a way to test a server remotely for this
    vulnerability without actually killing it and running the plethora
    of exploit code that is out. This is what I have, hopefully someone
    can use it.
    
    Known Vulnerable Testing Platform
    The first round of tests was run on a Windows 2000 Server running
    IIS 5.0 (if anyone has similar analysis for IIS 4.0 I'd love to
    see it) with AND without SP1 (no difference) not patched for MS01-033.
    
    Results
    Sending 1-219 bytes yields the error:
    The IDQ file NULL.ida could not be found.
    Nothing written to the event log.
    
    Sending 220-231 bytes we get:
    File .
    Error 0xc0000005 caught while processing query
    Nothing written to the event log.
    
    Sending 232-??? bytes we get:
    No response from web server.
    System event log event ID 7031 from Service Control Manager.
    IIS services are then stopped and restarted.
    
    
    Known Invulnerable Testing Platform
    Another system running Windows 2000 Server, IIS 5.0 with SP1 and
    the patch for MS01-033.
    
    Results
    Sending 1-199 bytes yields the error:
    The IDQ file NULL.ida could not be found.
    Nothing written to the event log.
    
    Sending 200-??? bytes we get:
    File .
    Error 0x80040e14 caught while processing query
    Nothing written to the event log.
    
    So, in summary, to test do the following:
    send 200 bytes
    if response = "Error 0x80040e14 caught while processing query" the
    system is patched.
    if response = "The IDQ file NULL.ida could not be found." the system
    is not patched.
    
    I can't take all the credit for figuring this out. Like most people,
    I owe it all to the following bit of code:
    #!/bin/sh
    # Probe sizes 1..200 only; the results above show 220+ bytes crashes
    # an unpatched server. Replace "host" and "port" with the system to check.
    SIZE=1
    export SIZE

    while [ "$SIZE" -lt 201 ]; do
         BUFF=$(perl -e 'print "x" x $ENV{SIZE}')
         # HTTP request lines end in CRLF; echo -e "\n" only produced LF
         printf 'GET /NULL.ida?%s=X HTTP/1.1\r\nHost: iluvpaul\r\n\r\n' "$BUFF" | \
              nc host port
         SIZE=$(expr "$SIZE" + 1)
    done
    
    -chris
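The summary test above (send 200 bytes, classify the reply), as an added example for checking one's own IIS hosts; this is not Chris's script. It refuses sizes above 200 so the check cannot reach the crash range the post reports, uses CRLF line endings, and treats a timeout or empty reply as a separate verdict. The marker strings come from the post; host, port and the "Connection: close" header are assumptions.

```python
"""Non-destructive MS01-033 (idq.dll) patch-state check built around the
200-byte probe from the post. Added example; host/port are assumptions."""
import socket
from typing import Optional

PATCHED_MARKER = b"Error 0x80040e14 caught while processing query"
UNPATCHED_MARKER = b"The IDQ file NULL.ida could not be found"
SAFE_SIZE = 200   # the post reports 220+ bytes crashes an unpatched server


def build_probe(size: int = SAFE_SIZE, vhost: str = "iluvpaul") -> bytes:
    """Build GET /NULL.ida?<size x 'x'>=X with CRLF line endings.
    Refuses sizes above SAFE_SIZE so the probe stays in the safe range."""
    if not 1 <= size <= SAFE_SIZE:
        raise ValueError(f"size must be 1..{SAFE_SIZE}, got {size}")
    path = "/NULL.ida?" + "x" * size + "=X"
    return (f"GET {path} HTTP/1.1\r\nHost: {vhost}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def classify(response: Optional[bytes]) -> str:
    """Map a raw HTTP reply (None/empty = nothing came back) to a verdict."""
    if not response:
        return "no-response"
    if PATCHED_MARKER in response:
        return "patched"
    if UNPATCHED_MARKER in response:
        return "unpatched"
    return "unknown"


def check_host(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send the 200-byte probe once and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_probe(vhost=host))
            chunks = []
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return classify(b"".join(chunks))
    except OSError:            # connection refused, reset, or timeout
        return "no-response"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # placeholder
    print(target, check_host(target))
```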
    
    This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 22:33:22 PDT