Safe(?) .ida vuln. testing for IIS 4.0

From: Chris St. Clair (chris_stclairat_private)
Date: Tue Jul 24 2001 - 12:59:50 PDT

    After several bouts trying to get my laptop's second hard drive to
    run NT 4.0, and then an hour-long search for the NT Option Pack,
    this is what I was able to come up with to test for the .ida
    vulnerability in IIS 4.0.
    
    Tested on Windows NT 4.0 SP6a, IIS 4.0 - no patches at all
    
    Sending 1-212 bytes we get:
    Error "The IDQ file C:\Inetpub\wwwroot\NULL.ida could not be found.
    " (0xc000203e) encountered while processing the query
    Nothing in the event log.
    
    Sending 213-231 bytes we get:
    Error "File .
    Error 0xc0000005 caught while processing the query
    " (0xc0000005) encountered while processing the query
    Nothing in the event log.
    
    Sending 232 bytes crashes the web service.
    Nothing in the event log.
    
    
    Tested on Windows NT 4.0 SP6a, IIS 4.0 + MS01-033 patch
    
    Sending 1-199 bytes we get:
    Error "The IDQ file NULL.ida could not be found.
    " (0xc000203e) encountered while processing the query
    (also note the lack of the full path to the .ida file)
    Nothing in the event log.
    
    Sending 200-??? bytes we get:
    Error "File .
    Query tree contained one or more errors
    " (0x80040e14) encountered while processing the query
    Nothing in the event log.
    
    
    So we can test by sending a 200 byte request:
    if response = 0xc000203e the server is probably not patched
    if response = 0x80040e14 the server is probably patched (same for IIS
    5.0)
    
    Hope this helps. And if anyone has come up with something else
    I'd love to hear about it.
    
    I'd like to thank paulat_private for lending an ear this morning
    when I was lost in Microsoft's download center looking for the NT
    option pack. Thanks Paulie.
    
    --chris
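
The check described in the message above, as an added example that is not part of the original post: it classifies a captured error page using the status codes and the full-path observation the message reports. The function name, verdict labels and sample bodies are constructed for illustration; the code only parses response text and sends nothing.

```python
import re

# Status codes as reported in the message above.
IDQ_NOT_FOUND = 0xC000203E     # "The IDQ file ... could not be found."
ACCESS_VIOLATION = 0xC0000005  # unpatched build, 213-231 byte requests
QUERY_TREE_ERROR = 0x80040E14  # patched build, requests of 200 bytes and up

STATUS_RE = re.compile(r"\((0x[0-9a-fA-F]{8})\)\s+encountered while processing the query")
FULL_PATH_RE = re.compile(r"The IDQ file\s+[A-Za-z]:\\[^\r\n]+?\s+could not be found")


def classify_ida_response(body, probe_len=200):
    """Return (verdict, status_code, full_path_disclosed) for one error page."""
    if not body or not body.strip():
        # The message reports the web service crashing at 232 bytes when unpatched.
        return ("no-response", None, False)
    match = STATUS_RE.search(body)
    if match is None:
        return ("indeterminate", None, False)
    code = int(match.group(1), 16)
    leaked = FULL_PATH_RE.search(body) is not None
    if code == QUERY_TREE_ERROR:
        return ("probably-patched", code, leaked)
    if code == ACCESS_VIOLATION:
        # Only observed on the unpatched build in the message.
        return ("probably-unpatched", code, leaked)
    if code == IDQ_NOT_FOUND and probe_len >= 200:
        return ("probably-unpatched", code, leaked)
    # Below 200 bytes both builds answer 0xc000203e, so the code alone decides nothing.
    return ("indeterminate", code, leaked)


# Constructed sample bodies, assembled from the error text quoted in the message.
TAIL = " encountered while processing the query"
SAMPLES = {
    "unpatched": 'Error "The IDQ file C:\\Inetpub\\wwwroot\\NULL.ida could not be found.\n'
                 '" (0xc000203e)' + TAIL,
    "unpatched-av": 'Error "File .\nError 0xc0000005 caught while processing the query\n'
                    '" (0xc0000005)' + TAIL,
    "patched": 'Error "File .\nQuery tree contained one or more errors\n" (0x80040e14)' + TAIL,
    "patched-short": 'Error "The IDQ file NULL.ida could not be found.\n" (0xc000203e)' + TAIL,
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        length = 100 if name == "patched-short" else 200
        print(name, classify_ida_response(body, probe_len=length))
```

The third tuple element records whether the error page disclosed the full path to the .ida file, which the message observed only on the unpatched server.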
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 12:02:29 PDT