Re: Safe(?) testing for idq.dll vulnerability

From: Matt Scarborough (vexversaat_private)
Date: Fri Jul 20 2001 - 12:57:19 PDT


    On Fri, 20 Jul 2001 01:59:28 +0000, Chris St. Clair wrote:
    
    >I had to come up with a way to test a server remotely for this
    >vulnerability without actually killing it and running the plethora
    >of exploit code that is out. This is what I have, hopefully someone
    >can use it.
    
    Good ideas.
    
    Marc Maiffret discusses just such a test at
    http://www.8wire.com/article_render/?aid=2094
    (may require registration)
    
    McAfee is offering "CyberCop WormScan" free
    http://www.mcafeeasap.com/asp_subscribe/trial_cc_wormscan.asp
    
    Matt Scarborough 2001-07-20
    
    >Known Vulnerable Testing Platform
    >The first round of tests was run on a Windows 2000 Server running
    >IIS 5.0 (if anyone has similar analysis for IIS 4.0 I'd love to
    >see it) with AND without SP1 (no difference) not patched for MS01-033.
    >
    >Results
    >Sending 1-219 bytes yields the error:
    >The IDQ file NULL.ida could not be found.
    >Nothing written to the event log.
    >
    >Sending 220-231 bytes we get:
    >File .
    >Error 0xc0000005 caught while processing query
    >Nothing written to the event log.
    >
    >Sending 232-??? bytes we get:
    >No response from web server.
    >System event log event ID 7031 from Service Control Manager.
    >IIS services are then stopped and restarted.
    >
    >
    >Known Invulnerable Testing Platform
    >Another system running Windows 2000 Server, IIS 5.0 with SP1 and
    >the patch for MS01-033.
    >
    >Results
    >Sending 1-199 bytes yields the error:
    >The IDQ file NULL.ida could not be found.
    >Nothing written to the event log.
    >
    >Sending 200-??? bytes we get:
    >File .
    >Error 0x80040e14 caught while processing query
    >Nothing written to the event log.
    >
    >So, in summary, to test do the following:
    >send 200 bytes
    >if response = "Error 0x80040e14 caught while processing query" the
    >system is patched.
    >if response = "The IDQ file NULL.ida could not be found." the system
    >is not patched.
    >
    >I can't take all the credit for figuring this out. Like most people,
    >I owe it all to the following bit of code:
    >#!/bin/sh
    ># Probe the IIS .ida handler with query names of 1..200 bytes and print
    ># each raw reply; the 200-byte reply tells a patched server from an
    ># unpatched one.
    >HOST=${1:?usage: $0 host [port]}
    >PORT=${2:-80}
    >SIZE=1
    >export SIZE
    >
    >while [ "$SIZE" -lt 201 ]; do
    >     BUFF=$(perl -e 'print "x" x $ENV{SIZE}')
    >     # HTTP wants CRLF line endings; printf is portable where echo -e is not.
    >     printf 'GET /NULL.ida?%s=X HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' \
    >          "$BUFF" "$HOST" | nc "$HOST" "$PORT"
    >     SIZE=$(expr "$SIZE" + 1)
    >done
    
    
    ____________________________________________________________________
    Get free email and a permanent address at http://www.amexmail.com/?A=1
    
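The 200-byte check summarized in the quoted post, written out as an added example (this is not code from the thread or from either poster): it builds the same GET /NULL.ida?...=X request with CRLF line endings, refuses probe sizes at or above the 220-byte band the post reports as faulting an unpatched server, and maps the reply onto the outcomes the post lists. The hostname target.example, the HTTP status line and the HTML wrapping of the sample replies are constructed for the offline demonstration and are not taken from the post.

```python
"""Non-destructive check for the idq.dll (MS01-033) probe described in the quoted
post. Added example; not code from the thread. The hostname target.example and
the status line / HTML wrapping of the sample replies are assumptions."""
import socket
import sys

# From the post: a patched server answers "Error 0x80040e14" from 200 bytes up,
# while an unpatched one still answers "The IDQ file NULL.ida could not be found."
PROBE_SIZE = 200
# Also from the post: an unpatched server reports 0xc0000005 at 220-231 bytes and
# stops answering (event ID 7031, IIS restart) from 232 bytes, so cap probes at 219.
MAX_SAFE_SIZE = 219


def is_safe_size(size):
    """True when a query name of `size` bytes stays below the post's fault band."""
    return 1 <= size <= MAX_SAFE_SIZE


def build_request(size, host="target.example", path="/NULL.ida"):
    """Raw HTTP/1.1 request carrying a `size`-byte name in the .ida query string."""
    if not is_safe_size(size):
        raise ValueError("probe size %d exceeds the safe cap of %d bytes"
                         % (size, MAX_SAFE_SIZE))
    query = b"x" * size + b"=X"
    return (b"GET " + path.encode("ascii") + b"?" + query + b" HTTP/1.1\r\n"
            + b"Host: " + host.encode("ascii") + b"\r\n"
            + b"Connection: close\r\n\r\n")


def classify_response(raw):
    """Map a raw reply (None or b"" when the server went silent) onto the post's outcomes."""
    if not raw:
        return "no-response"        # the post's crash zone, or simply a dead host
    if b"0x80040e14" in raw:
        return "patched"
    if b"NULL.ida could not be found" in raw:
        return "unpatched"
    if b"0xc0000005" in raw:
        return "unpatched-fault"    # the 220-231 byte band on an unpatched server
    return "unknown"


def probe(host, port=80, size=PROBE_SIZE, timeout=10.0):
    """Send one probe over TCP and return (verdict, raw_reply). Needs network access."""
    request = build_request(size, host)
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError:
        # Timeout or reset: treated as no response, like the post's 232+ byte case.
        return classify_response(None), b""
    raw = b"".join(chunks)
    return classify_response(raw), raw


# Constructed sample replies modelled on the error texts quoted in the post.
SAMPLE_PATCHED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                  b"<HTML>File .\nError 0x80040e14 caught while processing query</HTML>")
SAMPLE_UNPATCHED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                    b"<HTML>The IDQ file NULL.ida could not be found.</HTML>")
SAMPLE_FAULT = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                b"<HTML>File .\nError 0xc0000005 caught while processing query</HTML>")

if __name__ == "__main__":
    if len(sys.argv) < 2:
        # Offline demonstration against the constructed samples.
        for name, sample in (("patched", SAMPLE_PATCHED), ("unpatched", SAMPLE_UNPATCHED)):
            print(name, "->", classify_response(sample))
    else:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        verdict, raw = probe(sys.argv[1], port)
        print(verdict)
        print(raw.decode("latin-1", "replace"))
```

Run it with a host (and optional port) to probe once at 200 bytes, or with no arguments to see the classifier applied to the constructed samples. The size cap is the safety property the post is after: nothing at or above 220 bytes is ever sent, so the unpatched server's fault and restart behaviour described above cannot be triggered by this script.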



    This archive was generated by hypermail 2b30 : Fri Jul 20 2001 - 13:43:16 PDT