RE: CR II - winME? confirmation? (Slightly OT)

From: William T. Barrett (wtbat_private)
Date: Thu Aug 09 2001 - 13:29:31 PDT


    Second you should try to get in context.
    Your quote refers to the Indexing service not the IIS service.  IIS must be
    running or there is nothing servicing port 80 and therefore no way for the
    exploit to work.
    
    To quote the same site:
    "So, if IIS is not running on my machine, I’m not affected by the
    vulnerability?
    
    That’s correct. Even if you’ve installed Index Server or Indexing Service,
    the vulnerability could only be exploited if IIS were running"
    
    -WTB
    
    Hi,
    
    I would like to offer a quote from MS01-033:
    
    "the service would not need to be running in order for an attacker to
    exploit the vulnerability."
    
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
    
    Carey
    
    
    
    -----Original Message-----
    From: Meritt James [mailto:meritt_jamesat_private]
    Sent: Wednesday, August 08, 2001 9:28 AM
    To: kam
    Cc: Amer Karim; VULN-DEV List
    Subject: Re: CR II - winME? confirmation? (Slightly OT)
    
    
    "running" or "installed"?  It is my understanding that the vulnerability
    exists if the files and mapping are there no matter the process state of
    the IIS server.  Is my understanding incorrect?
    
    Jim
    
    kam wrote:
    >
    > Without IIS running, an attacker has no means of exploiting the vulnerable
    > file. With no access to the file, the vulnerability does not exist. If
    > they're running IIS, then there is a hole which they can exploit. Even
    > though it comes installed by default on 2000, it's not a risk until you turn
    > on your web services.
    >
    > kam
    >
    > ----- Original Message -----
    > From: "Amer Karim" <amerkat_private>
    > To: "VULN-DEV List" <VULN-DEVat_private>
    > Sent: Tuesday, August 07, 2001 10:03 AM
    > Subject: Re: CR II - winME? confirmation? (Slightly OT)
    >
    > > Hi All,
    > >
    > > All the advisories about CR state that only IIS servers are vulnerable.
    > > However, it's my understanding that the unchecked buffer in idq.dll was the
    > > source of that vulnerability.  If that's the case, then why have the
    > > advisories not included Win2K systems (all flavours) since idq.dll is
    > > installed by default as part of the indexing service on all these systems -
    > > regardless of whether they are using the service or not?  Wouldn't that make
    > > ANY system with the indexing service on it just as vulnerable as systems
    > > with IIS? Am I overlooking something obvious here?
    > >
    > > Regards,
    > > Amer Karim
    > > Nautilis Information Systems
    > > e-mail: amerkat_private, mamerkat_private
    > >
    > >
    > >
    
    --
    James W. Meritt, CISSP, CISA
    Booz, Allen & Hamilton
    phone: (410) 684-6566
    


