RE: CR II - winME? confirmation? (Slightly OT)

From: Ron DuFresne (dufresneat_private)
Date: Thu Aug 09 2001 - 13:31:38 PDT


    Perhaps a better quote:
    
         Mitigating factors:
         * The vulnerability can only be exploited if a web session can be
           established with an affected server. Customers who have installed
           Index Server or Index Services but not IIS would not be at risk.
           This is the default case for Windows 2000 Professional.
         * The vulnerability cannot be exploited if the script mappings for
           Internet Data Administration (.ida) and Internet Data Query (.idq)
           files are not present. The procedure for removing the mappings is
           discussed in the IIS 4.0 and IIS 5.0 Security checklists, can be
           automatically removed via either the High Security Template or the
           Windows 2000 Internet Server Security Tool. Customers should be
           aware, however, that subsequently adding or removing system
           components can cause the mapping to be reinstated, as discussed in
           the FAQ.
    
    
    Thanks,
    
    Ron DuFresne
    
    
    On Wed, 8 Aug 2001, Inman, Carey wrote:
    
    > Hi,
    > 
    > I would like to offer a quote from MS01-033:
    > 
    > "the service would not need to be running in order for an attacker to
    > exploit the vulnerability."
    > 
    > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
    > 
    > Carey 
    > 
    > 
    > 
    > -----Original Message-----
    > From: Meritt James [mailto:meritt_jamesat_private]
    > Sent: Wednesday, August 08, 2001 9:28 AM
    > To: kam
    > Cc: Amer Karim; VULN-DEV List
    > Subject: Re: CR II - winME? confirmation? (Slightly OT)
    > 
    > 
    > "running" or "installed"?  It is my understanding that the vulnerability
    > exists if the files and mapping are there no matter the process state of
    > the IIS server.  Is my understanding incorrect?
    > 
    > Jim
    > 
    > kam wrote:
    > > 
    > > Without IIS running, an attacker has no means of exploiting the vulnerable
    > > file. With no access to the file, the vulnerability does not exist. If
    > > they're running IIS, then there is a hole which they can exploit. Even
    > > though it comes installed by default on 2000, it's not a risk until you turn
    > > on your web services.
    > > 
    > > kam
    > > 
    > > ----- Original Message -----
    > > From: "Amer Karim" <amerkat_private>
    > > To: "VULN-DEV List" <VULN-DEVat_private>
    > > Sent: Tuesday, August 07, 2001 10:03 AM
    > > Subject: Re: CR II - winME? confirmation? (Slightly OT)
    > > 
    > > > Hi All,
    > > >
    > > > All the advisories about CR state that only IIS servers are vulnerable.
    > > > However, it's my understanding that the unchecked buffer in idq.dll was the
    > > > source of that vulnerability.  If that's the case, then why have the
    > > > advisories not included Win2K systems (all flavours) since idq.dll is
    > > > installed by default as part of the indexing service on all these systems -
    > > > regardless of whether they are using the service or not?  Wouldn't that make
    > > > ANY system with the indexing service on it just as vulnerable as systems
    > > > with IIS? Am I overlooking something obvious here?
    > > >
    > > > Regards,
    > > > Amer Karim
    > > > Nautilis Information Systems
    > > > e-mail: amerkat_private, mamerkat_private
    > > >
    > > >
    > > >
    > 
    > -- 
    > James W. Meritt, CISSP, CISA
    > Booz, Allen & Hamilton
    > phone: (410) 684-6566
    > 
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation." -- Johnny Hart
    	***testing, only testing, and damn good at it too!***
    
    OK, so you're a Ph.D.  Just don't touch anything.
    
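The thread turns on two conditions from the MS01-033 mitigating factors: a web session must be possible with IIS, and the .ida/.idq script mappings must still be present. The bulletin also warns that adding or removing system components can silently reinstate the mappings. One defensive check that follows from this is to watch the IIS web logs for requests that reach those handlers: a request for a .ida or .idq resource that comes back with a 200 shows the mapping is active on that host, and an unusually long query string to such a handler is worth a second look given the unchecked buffer in idq.dll. The script below is an added example written for this page, not code from the thread or from Microsoft. It assumes a simplified W3C extended log layout (date, time, client IP, method, URI stem, URI query, status) and uses constructed sample lines and an arbitrary length cut-off.

```python
from typing import Dict, List, Optional

# Constructed sample of IIS log lines for this example. Assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = "\n".join([
    "2001-08-08 09:28:01 10.0.0.5 GET /index.html - 200",
    "2001-08-08 09:28:07 10.0.0.9 GET /default.ida " + "A" * 300 + " 200",
    "2001-08-08 09:28:09 10.0.0.9 GET /query.idq CiRestriction=test 200",
    "2001-08-08 09:30:15 10.0.0.12 GET /scripts/test.ida - 404",
])

# Extensions handled by the Index Server ISAPI mappings named in MS01-033.
INDEXING_EXTENSIONS = (".ida", ".idq")

# Assumption for this example: an arbitrary cut-off above which a query
# string to an indexing handler is reported for review.
QUERY_LENGTH_THRESHOLD = 200


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into named fields; return None if it does not fit."""
    parts = line.split()
    if len(parts) != 7:
        return None
    keys = ("date", "time", "client", "method", "stem", "query", "status")
    return dict(zip(keys, parts))


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the reasons a record is reportable (empty list if none)."""
    reasons: List[str] = []
    stem = rec["stem"].lower()
    if stem.endswith(INDEXING_EXTENSIONS):
        # Any request for a .ida/.idq resource is recorded as an attempt.
        reasons.append("indexing-handler-request")
        # A 200 means IIS passed the request to the handler, so the script
        # mapping is still present on this server (or was reinstated).
        if rec["status"] == "200":
            reasons.append("mapping-still-active")
        query = rec["query"]
        if query != "-" and len(query) >= QUERY_LENGTH_THRESHOLD:
            reasons.append("oversized-query")
    return reasons


def scan(log_text: str) -> List[Dict[str, object]]:
    """Walk a log and collect every reportable request with its reasons."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({
                "line": lineno,
                "client": rec["client"],
                "stem": rec["stem"],
                "status": rec["status"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run it against the real log directory of a server that is supposed to have the mappings removed: a "mapping-still-active" hit after a service pack or component change is exactly the reinstatement case the bulletin's FAQ describes, and the remedy is to rerun the checklist steps or the security template rather than to rely on the earlier removal.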



    This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 11:46:41 PDT