Re: CR II - winME? confirmation? (Slightly OT)

From: Thorat_private
Date: Thu Aug 09 2001 - 13:02:46 PDT


    The full quote is:
    
     "As a result, even though idq.dll is a component of Index Server/Indexing
    Service, the service would not need to be running in order for an attacker
    to exploit the vulnerability. "
    
    The Index Service does not need to be running.  IIS _has_ to parse the
    request and map it to the extension for it to be exploited.
    
    hth
    AD
    
    ----- Original Message -----
    From: "Inman, Carey" <Inmanat_private>
    To: "'Meritt James'" <meritt_jamesat_private>; "kam" <kamat_private>
    Cc: "Amer Karim" <amerkat_private>; "VULN-DEV List"
    <VULN-DEVat_private>
    Sent: Wednesday, August 08, 2001 10:32 AM
    Subject: RE: CR II - winME? confirmation? (Slightly OT)
    
    
    > Hi,
    >
    > I would like to offer a quote from MS01-033:
    >
    > "the service would not need to be running in order for an attacker to
    > exploit the vulnerability."
    >
    >
    > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
    >
    > Carey
    >
    >
    >
    > -----Original Message-----
    > From: Meritt James [mailto:meritt_jamesat_private]
    > Sent: Wednesday, August 08, 2001 9:28 AM
    > To: kam
    > Cc: Amer Karim; VULN-DEV List
    > Subject: Re: CR II - winME? confirmation? (Slightly OT)
    >
    >
    > "running" or "installed"?  It is my understanding that the vulnerability
    > exists if the files and mapping are there no matter the process state of
    > the IIS server.  Is my understanding incorrect?
    >
    > Jim
    >
    > kam wrote:
    > >
    > > Without IIS running, an attacker has no means of exploiting the vulnerable
    > > file. With no access to the file, the vulnerability does not exist. If
    > > they're running IIS, then there is a hole which they can exploit. Even
    > > though it comes installed by default on 2000, it's not a risk until you turn
    > > on your web services.
    > >
    > > kam
    > >
    > > ----- Original Message -----
    > > From: "Amer Karim" <amerkat_private>
    > > To: "VULN-DEV List" <VULN-DEVat_private>
    > > Sent: Tuesday, August 07, 2001 10:03 AM
    > > Subject: Re: CR II - winME? confirmation? (Slightly OT)
    > >
    > > > Hi All,
    > > >
    > > > All the advisories about CR state that only IIS servers are vulnerable.
    > > > However, it's my understanding that the unchecked buffer in idq.dll was the
    > > > source of that vulnerability.  If that's the case, then why have the
    > > > advisories not included Win2K systems (all flavours) since idq.dll is
    > > > installed by default as part of the indexing service on all these systems -
    > > > regardless of whether they are using the service or not?  Wouldn't that make
    > > > ANY system with the indexing service on it just as vulnerable as systems
    > > > with IIS? Am I overlooking something obvious here?
    > > >
    > > > Regards,
    > > > Amer Karim
    > > > Nautilis Information Systems
    > > > e-mail: amerkat_private, mamerkat_private
    > > >
    > > >
    > > >
    >
    > --
    > James W. Meritt, CISSP, CISA
    > Booz, Allen & Hamilton
    > phone: (410) 684-6566
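
The reachability condition discussed in this thread, as an added example that is not part of any poster's message: it checks a list of IIS script-map entries for handlers that resolve to idq.dll and combines that with whether IIS is serving requests. The entry format (extension, handler path, flags, verbs), the sample entries and all function names are assumptions constructed for illustration.

```python
import ntpath

# Constructed sample of IIS script-map entries; assumed layout is
# "extension,handler path,flags,verb,verb,...". Not taken from the thread.
SAMPLE_SCRIPTMAPS = [
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".ida,C:\WINNT\System32\idq.dll,3,GET,HEAD,POST",
    r".idq,C:\WINNT\System32\idq.dll,3,GET,HEAD,POST",
    r".htw,C:\WINNT\System32\webhits.dll,3,GET,HEAD,POST",
]


def parse_scriptmap(entry):
    """Split one entry into (extension, handler path, verbs)."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 3:
        raise ValueError("malformed script-map entry: %r" % entry)
    return parts[0].lower(), parts[1].strip('"'), parts[3:]


def idq_mappings(scriptmaps):
    """Return the sorted extensions whose handler is idq.dll."""
    hits = set()
    for entry in scriptmaps:
        ext, path, _verbs = parse_scriptmap(entry)
        # ntpath handles backslash paths regardless of the host OS.
        if ntpath.basename(path).lower() == "idq.dll":
            hits.add(ext)
    return sorted(hits)


def assess(scriptmaps, iis_serving_requests, indexing_service_running):
    """Classify a host using the conditions argued in the thread.

    indexing_service_running is accepted but deliberately ignored: per the
    MS01-033 quote, the service state does not affect reachability.
    """
    mapped = idq_mappings(scriptmaps)
    if not mapped:
        return "not reachable: no script mapping to idq.dll"
    if not iis_serving_requests:
        return "latent: %s mapped, but IIS is not serving requests" % ", ".join(mapped)
    return "exposed: IIS maps %s to idq.dll" % ", ".join(mapped)


if __name__ == "__main__":
    print(assess(SAMPLE_SCRIPTMAPS, True, False))
```
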
    



    This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 11:40:39 PDT