Re: CR II - winME? confirmation? (Slightly OT)

From: Ryan Permeh (ryanat_private)
Date: Thu Aug 09 2001 - 13:01:03 PDT


    iis does need to be running to be vulnerable to this method of exploitation
    however.
    <subliminal>APPLY THE PATCH.</subliminal>
    The vulnerability was found and exploited via iis, but the vulnerability
    does not exist in iis per se. (almost every iis installation on earth was
    vulnerable to it when we found it though).
    <subliminal>APPLY THE PATCH.</subliminal>
    the vulnerability is in the indexing server.  iis by default includes the
    indexing server, the indexing server can be there if iis is not however, so
    even if iis is not there, the vulnerability could still be there if the
    indexing server were there. (you wouldn't be able to exploit it via iis
    however, you would have to craft a local attack against it).
    <subliminal>APPLY THE PATCH.</subliminal>
    This caused a lot of people a lot of confusion.  The worm attacks iis
    because it gives an easy path to the indexing server (via the ida mapping).
    If the iis server is stopped, the worm can't hit you, but other local things
    might be able to.
    <subliminal>APPLY THE PATCH.</subliminal>
    if in doubt, apply the patch.  if not in doubt, apply the patch.  basically,
    if you run nt/2k, apply this patch.  period.  no questions, get everyone you
    know that admins a nt/2k box to do the same.  iis isn't running?  apply the
    patch (who knows when it might be started). index server not installed? apply
    this patch (patching software you don't have will not presumably hurt you).
    don't wait, don't hesitate, apply the patch.
    
    
    <subliminal>APPLY THE PATCH.</subliminal>
    Signed,
    Ryan Permeh
    eEye Digital Security Team
    http://www.eEye.com/Retina -Network Security Scanner
    http://www.eEye.com/Iris -Network Traffic Analyzer
    
    ----- Original Message -----
    From: "Inman, Carey" <Inmanat_private>
    To: "'Meritt James'" <meritt_jamesat_private>; "kam" <kamat_private>
    Cc: "Amer Karim" <amerkat_private>; "VULN-DEV List"
    <VULN-DEVat_private>
    Sent: Wednesday, August 08, 2001 10:32 AM
    Subject: RE: CR II - winME? confirmation? (Slightly OT)
    
    
    > Hi,
    >
    > I would like to offer a quote from MS01-033:
    >
    > "the service would not need to be running in order for an attacker to
    > exploit the vulnerability."
    >
    >
    > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
    >
    > Carey
    >
    >
    >
    > -----Original Message-----
    > From: Meritt James [mailto:meritt_jamesat_private]
    > Sent: Wednesday, August 08, 2001 9:28 AM
    > To: kam
    > Cc: Amer Karim; VULN-DEV List
    > Subject: Re: CR II - winME? confirmation? (Slightly OT)
    >
    >
    > "running" or "installed"?  It is my understanding that the vulnerability
    > exists if the files and mapping are there no matter the process state of
    > the IIS server.  Is my understanding incorrect?
    >
    > Jim
    >
    > kam wrote:
    > >
    > > Without IIS running, an attacker has no means of exploiting the vulnerable
    > > file. With no access to the file, the vulnerability does not exist. If
    > > they're running IIS, then there is a hole which they can exploit. Even
    > > though it comes installed by default on 2000, it's not a risk until you turn
    > > on your web services.
    > >
    > > kam
    > >
    > > ----- Original Message -----
    > > From: "Amer Karim" <amerkat_private>
    > > To: "VULN-DEV List" <VULN-DEVat_private>
    > > Sent: Tuesday, August 07, 2001 10:03 AM
    > > Subject: Re: CR II - winME? confirmation? (Slightly OT)
    > >
    > > > Hi All,
    > > >
    > > > All the advisories about CR state that only IIS servers are vulnerable.
    > > > However, it's my understanding that the unchecked buffer in idq.dll was the
    > > > source of that vulnerability.  If that's the case, then why have the
    > > > advisories not included Win2K systems (all flavours) since idq.dll is
    > > > installed by default as part of the indexing service on all these systems -
    > > > regardless of whether they are using the service or not?  Wouldn't that make
    > > > ANY system with the indexing service on it just as vulnerable as systems
    > > > with IIS? Am I overlooking something obvious here?
    > > >
    > > > Regards,
    > > > Amer Karim
    > > > Nautilis Information Systems
    > > > e-mail: amerkat_private, mamerkat_private
    > > >
    > > >
    > > >
    >
    > --
    > James W. Meritt, CISSP, CISA
    > Booz, Allen & Hamilton
    > phone: (410) 684-6566
    >
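A defender-side check for the exposure path Ryan describes above (idq.dll is reachable remotely only through IIS's .ida/.idq script mappings), as an added example that is not part of the original thread: it scans IIS W3C extended log lines and flags every request that resolves to one of those mappings, reporting the query length because the thread's concern is an unchecked buffer fed by that query. The #Fields order and the sample log lines are constructed assumptions, not real traffic.

```python
from urllib.parse import unquote

# Assumed #Fields order for the constructed log (real logs declare their own order).
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

# Extensions that the indexing service's idq.dll handles when the mapping is present.
INDEXING_EXTENSIONS = (".ida", ".idq")

# Constructed sample log lines (not real traffic); one probe uses a percent-encoded dot.
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-08 10:32:01 192.0.2.10 GET /index.html - 200",
    "2001-08-08 10:32:05 192.0.2.77 GET /default.ida " + "X" * 200 + " 200",
    "2001-08-08 10:33:10 192.0.2.78 GET /search/query.idq CiRestriction=report 200",
    "2001-08-08 10:34:00 192.0.2.79 GET /scripts/test%2Eida - 404",
])


def parse_line(line):
    """Return a dict of fields for one log line, or None for directives and blanks."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split(" ", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def targets_indexing_service(entry):
    """True if the request stem would be handed to idq.dll.

    Percent-decode before checking so an encoded extension (%2Eida) is not missed.
    """
    stem = unquote(entry["cs-uri-stem"]).lower()
    return stem.endswith(INDEXING_EXTENSIONS)


def find_indexing_requests(log_text):
    """Return (client IP, stem, query length, status) for every flagged request.

    A 404 still counts: the request shows the client is looking for the mapping
    even when this host no longer serves it.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and targets_indexing_service(entry):
            query = "" if entry["cs-uri-query"] == "-" else entry["cs-uri-query"]
            hits.append((entry["c-ip"], entry["cs-uri-stem"], len(query), int(entry["sc-status"])))
    return hits


if __name__ == "__main__":
    for ip, stem, qlen, status in find_indexing_requests(SAMPLE_LOG):
        print(f"{ip} requested {stem} (query length {qlen}, status {status})")
```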
    



    This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 11:31:09 PDT