RE: CR II - winME? confirmation? (Slightly OT)

From: Ken Pfeil (Kenat_private)
Date: Wed Aug 08 2001 - 10:32:04 PDT


Nope. If IIS is not running, there is no delivery mechanism for the overflow
to be delivered on. If the mappings are not present, the overflow cannot
take place to the vulnerable ISAPI .dll's, and if you are patched with
MS01-033 you do not have vulnerable .dll's.

Plain and simple:
If users can establish a web session under IIS, you have not applied the
patch, AND the mappings are present - you are vulnerable.

> -----Original Message-----
> From: Meritt James [mailto:meritt_jamesat_private]
> Sent: Wednesday, August 08, 2001 9:28 AM
> To: kam
> Cc: Amer Karim; VULN-DEV List
> Subject: Re: CR II - winME? confirmation? (Slightly OT)
>
> "running" or "installed"?  It is my understanding that the vulnerability
> exists if the files and mapping are there no matter the process state of
> the IIS server.  Is my understanding incorrect?
>
> Jim
>
> kam wrote:
> >
> > Without IIS running, an attacker has no means of exploiting the vulnerable
> > file. With no access to the file, the vulnerability does not exist. If
> > they're running IIS, then there is a hole which they can exploit. Even
> > though it comes installed by default on 2000, it's not a risk until you turn
> > on your web services.
> >
> > kam
> >
> > ----- Original Message -----
> > From: "Amer Karim" <amerkat_private>
> > To: "VULN-DEV List" <VULN-DEVat_private>
> > Sent: Tuesday, August 07, 2001 10:03 AM
> > Subject: Re: CR II - winME? confirmation? (Slightly OT)
> >
> > > Hi All,
> > >
> > > All the advisories about CR state that only IIS servers are vulnerable.
> > > However, it's my understanding that the unchecked buffer in idq.dll was the
> > > source of that vulnerability.  If that's the case, then why have the
> > > advisories not included Win2K systems (all flavours) since idq.dll is
> > > installed by default as part of the indexing service on all these systems -
> > > regardless of whether they are using the service or not? Wouldn't that make
> > > ANY system with the indexing service on it just as vulnerable as systems
> > > with IIS? Am I overlooking something obvious here?
> > >
> > > Regards,
> > > Amer Karim
> > > Nautilis Information Systems
> > > e-mail: amerkat_private, mamerkat_private
>
> --
> James W. Meritt, CISSP, CISA
> Booz, Allen & Hamilton
> phone: (410) 684-6566

This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 12:17:44 PDT