Re: CR II - winME? confirmation? (Slightly OT)

From: Jordan (jordanfat_private)
Date: Thu Aug 09 2001 - 12:39:31 PDT


    I've held off on posting about this for quite some time cause I thought it
    would go away...but this topic seems to still be alive, so here goes.
    
    Quoted from the wonderful analysis of the second version of Code Red by the
    brilliant eEye folks and Mr Levy.
    
    "This worm, like the original Code Red worm, will only exploit Windows 2000
    web servers because it overwrites EIP with a jmp that is only correct under
    Windows 2000. Under NT4.0 etc... that offset is different so, the process
    will simply crash instead of allowing the worm to infect the system and
    spread."
    
    Read this paragraph over and over and over again, and if you still have any
    questions about whether it'll work on ME, NT4, OSX or any other operating
    system, read it again. I'm amazed that no one's posted this yet...Oh yeah,
    and obviously a web server of some sort must be running, the worm propagates
    by GET requests, which'll have no effect on a server that doesn't process
    them...hard to see how anyone could be confused on this front...
    
    If we're talking strictly about exploiting an unchecked buffer in idq.dll,
    that's one topic, and of course it's possible that it'll work on any system
    with a vulnerable idq.dll, but if we're talking about a specific worm, say
    CR2, then at least read the analysis before posting about it...
    
    Jordan Frank
    jordanfat_private
    
    
    ----- Original Message -----
    From: "Ken Pfeil" <Kenat_private>
    To: "Meritt James" <meritt_jamesat_private>; "kam" <kamat_private>
    Cc: "Amer Karim" <amerkat_private>; "VULN-DEV List"
    <VULN-DEVat_private>
    Sent: Wednesday, August 08, 2001 10:32 AM
    Subject: RE: CR II - winME? confirmation? (Slightly OT)
    
    
    > Nope. If IIS is not running, there is no delivery mechanism for the overflow
    > to be delivered on. If the mappings are not present, the overflow cannot
    > take place to the vulnerable ISAPI .dll's, and if you are patched with
    > MS01-033 you do not have vulnerable .dll's.
    >
    > Plain and simple:
    > If users can establish a web session under IIS, you have not applied the
    > patch, AND the mappings are present- you are vulnerable.
    >
    > > -----Original Message-----
    > > From: Meritt James [mailto:meritt_jamesat_private]
    > > Sent: Wednesday, August 08, 2001 9:28 AM
    > > To: kam
    > > Cc: Amer Karim; VULN-DEV List
    > > Subject: Re: CR II - winME? confirmation? (Slightly OT)
    > >
    > >
    > > "running" or "installed"?  It is my understanding that the vulnerability
    > > exists if the files and mapping are there no matter the process state of
    > > the IIS server.  Is my understanding incorrect?
    > >
    > > Jim
    > >
    > > kam wrote:
    > > >
    > > > Without IIS running, an attacker has no means of exploiting the vulnerable
    > > > file. With no access to the file, the vulnerability does not exist. If
    > > > they're running IIS, then there is a hole which they can exploit. Even
    > > > though it comes installed by default on 2000, it's not a risk until you turn
    > > > on your web services.
    > > >
    > > > kam
    > > >
    > > > ----- Original Message -----
    > > > From: "Amer Karim" <amerkat_private>
    > > > To: "VULN-DEV List" <VULN-DEVat_private>
    > > > Sent: Tuesday, August 07, 2001 10:03 AM
    > > > Subject: Re: CR II - winME? confirmation? (Slightly OT)
    > > >
    > > > > Hi All,
    > > > >
    > > > > All the advisories about CR state that only IIS servers are vulnerable.
    > > > > However, it's my understanding that the unchecked buffer in idq.dll was the
    > > > > source of that vulnerability.  If that's the case, then why have the
    > > > > advisories not included Win2K systems (all flavours) since idq.dll is
    > > > > installed by default as part of the indexing service on all these systems -
    > > > > regardless of whether they are using the service or not? Wouldn't that make
    > > > > ANY system with the indexing service on it just as vulnerable as systems
    > > > > with IIS? Am I overlooking something obvious here?
    > > > >
    > > > > Regards,
    > > > > Amer Karim
    > > > > Nautilis Information Systems
    > > > > e-mail: amerkat_private, mamerkat_private
    > > > >
    > > > >
    > > > >
    > >
    > > --
    > > James W. Meritt, CISSP, CISA
    > > Booz, Allen & Hamilton
    > > phone: (410) 684-6566
    >
    >
    
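The thread's conclusion is that the worm's only delivery mechanism is an HTTP GET to an IIS server whose .ida/.idq script mappings still route requests to idq.dll. A defender can turn that into a log check: any request that reaches an Index Server mapping shows the mapping is live, and an oversized query string on such a request is the signature of the overflow attempt. The following is an added example written for this archive page, not code from any poster on the thread. It assumes IIS-style W3C extended log lines with the fields named in the `#Fields:` header below; the sample log lines, the request paths (`default.ida`, `search.idq`), the padding payload and the 200-character length threshold are all constructed for the example.

```python
"""Flag requests that reach IIS Index Server script mappings (.ida/.idq).

Added example for the CR II thread; assumptions are noted inline.
"""
from dataclasses import dataclass
from urllib.parse import unquote

# Extensions that the default IIS script mappings hand to idq.dll.
INDEX_SERVER_EXTENSIONS = (".ida", ".idq")

# Anything longer than this is far beyond a legitimate Index Server query.
# Assumption: threshold chosen for this example, not a documented value.
SUSPICIOUS_QUERY_LENGTH = 200

# Constructed padding standing in for a worm-style oversized query string.
PAYLOAD = "N" * 240

# Constructed sample log in W3C extended format (cs-uri-query "-" means empty).
SAMPLE_LOG = f"""\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-08 10:32:01 192.0.2.10 GET /default.htm - 200
2001-08-08 10:32:05 192.0.2.11 GET /default.ida {PAYLOAD} 200
2001-08-08 10:32:09 192.0.2.12 GET /search.idq q=printers 200
2001-08-08 10:32:14 192.0.2.13 POST /scripts/upload.asp - 404
"""


@dataclass
class Hit:
    client: str
    stem: str
    query_len: int
    severity: str   # "high" for an oversized query, "info" for any mapped request
    reason: str


def parse_w3c_line(line: str):
    """Return a dict for one data line, or None for headers/blank/malformed lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 7:
        return None
    _date, _time, c_ip, method, stem, query, status = parts
    return {
        "client": c_ip,
        "method": method,
        "stem": stem,
        "query": "" if query == "-" else query,
        "status": status,
    }


def classify(rec: dict):
    """Decide whether a parsed request touched an Index Server mapping."""
    stem = rec["stem"].lower()
    if not stem.endswith(INDEX_SERVER_EXTENSIONS):
        return None
    # Decode %xx escapes first so encoding cannot hide the real length.
    query_len = len(unquote(rec["query"]))
    if query_len > SUSPICIOUS_QUERY_LENGTH:
        return Hit(rec["client"], rec["stem"], query_len, "high",
                   "oversized query string sent to an Index Server mapping")
    return Hit(rec["client"], rec["stem"], query_len, "info",
               "request reached an Index Server mapping (mapping is live)")


def scan(log_text: str):
    """Run every line of a log through the parser and classifier."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit is not None:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"[{h.severity}] {h.client} {h.stem} query_len={h.query_len}: {h.reason}")
```

Even the "info" hits matter here: they confirm that the .ida/.idq mappings are still present on the server, which is exactly the condition Ken Pfeil lists alongside "IIS reachable" and "MS01-033 not applied". Removing the mappings (or applying the patch) makes the "high" case a harmless 404 rather than a crash or an infection.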



    This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 11:28:06 PDT